New Microsoft KDP blocks malware by protecting the Kernel

Reading time icon 2 min. read


Readers help support Windows Report. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help Windows Report sustain the editorial team. Read more

Key notes

  • KPD uses virtualization-based security (VBS) to protect a part of the Windows Kernel and drivers against data corruption attacks.
  • Basically, VBS is creating and isolating a secure region of memory from Windows 10.
  • Windows Kernel is the heart of the OS. Read more about it in our Windows Kernel section.
  • If you're interested more in updates and security, visit our Windows 10 Update & Security Hub.
New Microsoft KDP blocks malware

According to a Microsoft security blog post, right now, attackers that were rejected by security technologies that prevent memory corruption, are switching their focal point towards data corruption.

Attackers use data corruption techniques to target system security policy, escalate privileges, tamper with security attestation, modify initialize once data structures, among others.

To counter the attacks, Microsoft is launching a new technology, Kernel Data Protection (KDP).

How does Kernel Data Protection protect your OS?

KPD uses virtualization-based security (VBS) to protect a part of the Windows Kernel and drivers against data corruption attacks, taking advantage of hardware virtualization features.

Basically, VBS is creating and isolating a secure region of memory from Windows 10.

This way, protecting the kernel memory as read-only will also protect the inbox components, security products, and third-party DRM drivers.

According to Microsoft, the protection is implemented in two parts:

  • Static KDP enables software running in kernel mode to statically protect a section of its own image from being tampered with from any other entity in VTL0.
  • Dynamic KDP helps kernel-mode software to allocate and release read-only memory from a secure pool. The memory returned from the pool can be initialized only once.

What do I need to get Kernel Data Protection?

You don’t have to do anything special to benefit from the new Kernel Data Protection. If you have VBS support, you will also be able to use KDP with an application on Windows 10.

According to Microsoft, right now, VBS is supported on any computer that supports:

  • Intel, AMD or ARM virtualization extensions
  • Second-level address translation: NPT for AMD, EPT for Intel, Stage 2 address translation for ARM
  • Optionally, hardware MBEC, which reduces the performance cost associated with HVCI

KDP is already included in the latest Windows 10 Insider Build. We don’t know yet when it will be included in the Windows 10 stable release.

[wl_navigator]

More about the topics: Windows Kernel

User forum

0 messages