Microsoft's new KDP tech blocks malware by making parts of the Windows kernel read-only

New KDP security feature is currently being tested with Windows 10 Insider builds.
Written by Catalin Cimpanu, Contributor

Microsoft has published today the first technical details about a new security feature that will soon be part of Windows 10.

Named Kernel Data Protection (KDP), Microsoft says this feature will block malware or malicious threat actors from modifying (corrupting) the operating system's memory.

According to Microsoft, KDP works by giving developers access to programmatic APIs that will allow them to designate parts of the Windows kernel as read-only sections.

"For example, we've seen attackers use signed but vulnerable drivers to attack policy data structures and install a malicious, unsigned driver," Microsoft's Base Kernel Team said today. "KDP mitigates such attacks by ensuring that policy data structures cannot be tampered with."

Microsoft says this new technology was developed with security in mind but that it also has other applications, such as anti-cheat and digital rights management (DRM) software.

Besides improving OS security, KDP also has other benefits, such as:

  • Performance improvements – KDP lessens the burden on attestation components, which would no longer need to periodically verify data variables that have been write-protected
  • Reliability improvements – KDP makes it easier to diagnose memory corruption bugs that don't necessarily represent security vulnerabilities
  • Providing an incentive for driver developers and vendors to improve compatibility with virtualization-based security, improving adoption of these technologies in the ecosystem

Under the hood, Redmond says KDP works on top of a new technology that the company has been working on adding to Windows 10. The technology, known as virtualization-based security (VBS), uses the computer's underlying hardware to isolate a secure region of memory from the normal operating system inside a "virtual secure mode."

KDP works by taking the kernel memory marked as read-only and moving it inside a VBS "virtual secure mode," where it can't be tampered with, even by the operating system itself.

Microsoft says that VBS support is the only requirement to use KDP with an application on Windows 10.

Any computer that supports VBS will also support KDP inherently. Currently, VBS is supported on any computer that supports:

  • Intel, AMD or ARM virtualization extensions
  • Second-level address translation: NPT for AMD, EPT for Intel, Stage 2 address translation for ARM
  • Optionally, hardware MBEC, which reduces the performance cost associated with HVCI
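
Because the article states that VBS support is the only prerequisite for KDP, the first thing an administrator will want to know is whether VBS is actually running on a given machine and which of the hardware properties above it reports. The following PowerShell function is an added example written for this page (it is not code from the article or from Microsoft); it reads the documented Win32_DeviceGuard CIM class, which Windows exposes under the root\Microsoft\Windows\DeviceGuard namespace, and maps its numeric status codes to readable names. The property names and code values are those documented for that class; the interpretation that status 2 ("running") satisfies the KDP prerequisite follows from the article's statement and is an assumption of this example rather than something the article spells out.

```powershell
# Added example (not from the article): summarise this machine's VBS state
# using the Win32_DeviceGuard CIM class. Run in an elevated PowerShell
# session on Windows 10.

function Get-VbsReadiness {
    [CmdletBinding()]
    param()

    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard

    # VirtualizationBasedSecurityStatus:
    #   0 = not enabled, 1 = enabled but not running, 2 = running
    $vbsState = switch ($dg.VirtualizationBasedSecurityStatus) {
        0       { 'NotEnabled' }
        1       { 'EnabledNotRunning' }
        2       { 'Running' }
        default { "Unknown($($dg.VirtualizationBasedSecurityStatus))" }
    }

    # AvailableSecurityProperties codes (subset used here):
    #   1 = hypervisor support available, 2 = Secure Boot available,
    #   3 = DMA protection available, 7 = MBEC/GMET available
    $avail = @($dg.AvailableSecurityProperties)

    # SecurityServicesRunning codes: 1 = Credential Guard, 2 = HVCI
    $running = @($dg.SecurityServicesRunning)

    [pscustomobject]@{
        VbsStatus              = $vbsState
        HypervisorSupport      = $avail -contains 1
        SecureBoot             = $avail -contains 2
        DmaProtection          = $avail -contains 3
        Mbec                   = $avail -contains 7   # optional; reduces HVCI cost
        HvciRunning            = $running -contains 2
        CredentialGuardRunning = $running -contains 1
        # Assumption for this example: VBS must be running (status 2) before
        # a KDP-protected driver can rely on its protections.
        KdpPrerequisiteMet     = ($dg.VirtualizationBasedSecurityStatus -eq 2)
    }
}

Get-VbsReadiness | Format-List
```

If `VbsStatus` reports `EnabledNotRunning`, the policy is set but the hypervisor did not start, which usually points at one of the hardware requirements in the list above (virtualization extensions or second-level address translation disabled in firmware) rather than at the Windows configuration. The `Mbec` field is informational: the article describes MBEC as optional, so its absence does not by itself rule out VBS or KDP.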

Microsoft's upcoming line of Secured-core PCs also natively supports VBS. In fact, Microsoft first teased the KDP feature in the official Secured-core PCs announcement in March of this year.

Currently, KDP is already included in the latest Windows 10 Insider build. There's no timeline for when it will be included in the main Windows 10 stable release.
