Microsoft's new security feature for Windows 10 will make it more difficult for bad actors to infect your PC with malware.
As ZDNet reports, the Kernel Data Protection (KDP) security feature prevents malware from modifying Windows 10 memory by giving developers a tool to designate parts of the OS kernel as read-only.
When converted to a read-only state, sensitive information housed in memory can't be accessed or modified. Protecting memory by making it read-only is valuable for the Windows kernel, inbox components, security products and third-party drivers, like anti-cheat and digital rights management software, Microsoft wrote in a blog post.
"For example, we've seen attackers use signed but vulnerable drivers to attack policy data structures and install a malicious, unsigned driver," Microsoft's Base Kernel Team wrote. "KDP mitigates such attacks by ensuring that policy data structures cannot be tampered with."
Microsoft described a handful of secondary benefits generated by the Data Protection feature:
- Performance improvements – KDP lessens the burden on attestation components, which would no longer need to periodically verify data variables that have been write-protected
- Reliability improvements – KDP makes it easier to diagnose memory corruption bugs that don’t necessarily represent security vulnerabilities
- Providing an incentive for driver developers and vendors to improve compatibility with virtualization-based security, improving adoption of these technologies in the ecosystem
Microsoft suggested the KDP concept was created in response to attackers shifting their techniques toward data corruption now that security technology can ward off memory corruption attacks.
"Attackers use data corruption techniques to target system security policy, escalate privileges, tamper with security attestation, modify “initialize once” data structures, among others," Microsoft notes.
KDP is available now for any computer with Intel, AMD or ARM virtualization extensions. It is also supported on laptops with second-level address translation (NPT for AMD, EPT for Intel and Stage 2 for ARM).