As ZDNet reports, the Kernel Data Protection (KDP) security feature prevents malware from modifying Windows 10 memory by giving developers a tool to designate parts of the OS kernel as read-only.
When converted to a read-only state, sensitive information housed in memory can’t be accessed or modified. Protecting memory by making it read-only is valuable for the Windows kernel, inbox components, security products and third-party drivers, such as anti-cheat and digital rights management software, Microsoft wrote in a blog post. “For example, we’ve seen attackers use signed but vulnerable drivers to attack policy data structures and install a malicious, unsigned driver,” Microsoft’s Base Kernel Team wrote. “KDP mitigates such attacks by ensuring that policy data structures cannot be tampered with.” Microsoft described a handful of secondary benefits of the KDP feature:
- Performance improvements – KDP lessens the burden on attestation components, which would no longer need to periodically verify data variables that have been write-protected
- Reliability improvements – KDP makes it easier to diagnose memory corruption bugs that don’t necessarily represent security vulnerabilities
- Providing an incentive for driver developers and vendors to improve compatibility with virtualization-based security, improving adoption of these technologies in the ecosystem
Microsoft suggested the KDP concept was created in response to attackers shifting their techniques toward data corruption now that security technology can ward off memory corruption attacks. “Attackers use data corruption techniques to target system security policy, escalate privileges, tamper with security attestation, modify ‘initialize once’ data structures, among others,” Microsoft notes. KDP is available now for any computer with Intel, AMD or ARM virtualization extensions. It is also supported on laptops with second-level address translation, known as NPT on AMD, EPT on Intel and Stage 2 on ARM.