Microsoft’s efforts to prevent malware attacks are gaining a new weapon. The firm has this week published technical details about a service called Kernel Data Protection (KDP). This new security tool will soon be integrated into Windows 10.

According to Microsoft, the feature stops malware and other threats from accessing and changing Windows 10’s system memory. KDP will allow developers to leverage programmatic APIs to change some parts of the Windows kernel to read-only.

“For example, we’ve seen attackers use signed but vulnerable drivers to attack policy data structures and install a malicious, unsigned driver,” Microsoft’s Base Kernel Team points out. “KDP mitigates such attacks by ensuring that policy data structures cannot be tampered with.”

While Kernel Data Protection is a security-focused feature, Microsoft says it has other abilities. For example, it can be used as a digital rights management tool. Furthermore, the service comes with the following benefits named by Microsoft:

  • “Performance improvements – KDP lessens the burden on attestation components, which would no longer need to periodically verify data variables that have been write-protected
  • Reliability improvements – KDP makes it easier to diagnose memory corruption bugs that don’t necessarily represent security vulnerabilities
  • Providing an incentive for driver developers and vendors to improve compatibility with virtualization-based security, improving adoption of these technologies in the ecosystem.”

Details

KDP will work over a new tech the company is bringing to Windows 10. Called virtualization-based security (VBS), the tech uses the underlying PC hardware to create a secure region for memory away from the normal OS system.

Kernel Data Protection takes the read-only kernel memory and moves it to the VBS. Any Windows 10 machine that supports the new VBS will also receive KDP. Those PCs are ones that support:

  • “Intel, AMD or ARM virtualization extensions
  • Second-level address translation: NPT for AMD, EPT for Intel, Stage 2 address translation for ARM
  • Optionally, hardware MBEC, which reduces the performance cost associated with HVCI”