Microsoft's New KDP Tech Blocks Malware By Making Parts of the Windows Kernel Read-Only (zdnet.com)

Microsoft today published technical details about a new security feature that will soon be part of Windows 10. From a report: Named Kernel Data Protection (KDP), Microsoft says this feature will block malware or malicious threat actors from modifying (corrupting) the operating system's memory. According to Microsoft, KDP works by giving developers access to programmatic APIs that will allow them to designate parts of the Windows kernel as read-only sections. "For example, we've seen attackers use signed but vulnerable drivers to attack policy data structures and install a malicious, unsigned driver," Microsoft's Base Kernel Team said today. "KDP mitigates such attacks by ensuring that policy data structures cannot be tampered with." Microsoft says this new technology was developed with security in mind but that it also has other applications, such as anti-cheat and digital rights management (DRM) software.

  • by Chris Mattern ( 191822 ) on Thursday July 09, 2020 @10:29AM (#60279124)

    "other applications, such as anti-cheat and digital rights management (DRM) software."

    It's not your computer, we're just letting you use it.

    • Yeah, I saw that too - it seems likely it's the real selling point for this, while any OS security benefit is probably a half-assed afterthought mainly tacked on for PR purposes.

      It'll be interesting to see if any applications using this for DRM end up bricking someone's Windows computer.

      • by raymorris ( 2726007 ) on Thursday July 09, 2020 @10:54AM (#60279190) Journal

        I won't pretend to know Microsoft's motivations, but it IS important for security. Windows malware frequently does code injection and it's definitely a bad thing when malware can inject code into the running kernel.

        Linux has had this (fairly obvious) protection for at least 15 years, though on Linux it's much more thorough. In Linux by default *all* executable code in the kernel is read-only.

        There is very little legitimate use for changing a driver in RAM after it's loaded from disk rather than just updating the driver file. For kernel debugging you can turn it off with CONFIG_STRICT_MODULE_RWX and CONFIG_STRICT_RWX.

        • by antiduh ( 548973 )

          > Linux has had this (fairly obvious) protection for at least 15 years, though on Linux it's much more thorough. In Linux by default *all* executable code in the kernel is read-only.

          To be clear, the change that Microsoft is implementing here is specifically about making data structures read-only, not just executable code. Their example of policy data structures illustrates this.

          I don't know Linux well enough - does Linux enforce read-only sections of data, not just code? Or does a rogue kernel module hav

          • by raymorris ( 2726007 ) on Thursday July 09, 2020 @11:45AM (#60279412) Journal

            Good point.

            Yes, Linux has different types of read-only data.
            There's read-only where the value is set it compile time.
            There's read-only where the value is set at initialization (write-once).
            There's another facility to protect data that needs to be updated occasionally, where it's read-only normally and can be unlocked briefly.

            • by antiduh ( 548973 )

              What mechanisms does Linux use to enforce those type of read-only data, though?

              If the value is set at compile time, then presumably that value is part of the executable image and is thus enforced by making the executable code in ram read-only.

              What about the other types? Do they use the page table to make the pages containing the values read-only?

              • > If the value is set at compile time, then presumably that value is part of the executable image and is thus enforced by making the executable code in ram read-only

                Well sorta. The executable file has sections for code, for read-write variables, and for write-only. Those are the .data and .rodata sections.

                For the others, I'm not an expert so for details I can only suggest you check for the code and docs, probably by searching commits, for CONFIG_STRICT_KERNEL_RWX, CONFIG_STRICT_MODULE_RWX, and __ro_aft
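An added user-space illustration of the page-table question raised above (example code written for this thread, not any poster's code and not the Linux kernel's own helpers): the kernel marks .rodata, __ro_after_init data and rarely-updated data read-only by changing the permission bits in the page tables, and the same effect is reproduced here on an anonymous page with mmap and mprotect, with a SIGSEGV handler proving that a write to the sealed page faults. The "policy" page and its values are constructed for the demo.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <sys/mman.h>
#include <unistd.h>

static sigjmp_buf fault_env;

static void on_segv(int sig) { (void)sig; siglongjmp(fault_env, 1); }

/* Attempt *p = v with a SIGSEGV handler installed.
 * Returns 1 if the write faulted (page is read-only), 0 if it went through. */
static int write_faults(volatile uint32_t *p, uint32_t v) {
    struct sigaction sa = {0}, old;
    sa.sa_handler = on_segv;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);
    volatile int faulted = 0;
    if (sigsetjmp(fault_env, 1) == 0)
        *p = v;          /* faults when the page table entry lacks write permission */
    else
        faulted = 1;     /* reached via siglongjmp from the handler */
    sigaction(SIGSEGV, &old, NULL);
    return faulted;
}

/* Constructed "policy" page mimicking the three kinds of read-only data from
 * the thread: written once during init, sealed, then briefly unlocked for a
 * rare deliberate update. Returns 1 if all checks pass, 0 otherwise, -1 on mmap error. */
int ro_after_init_demo(void) {
    long pg = sysconf(_SC_PAGESIZE);
    uint32_t *policy = mmap(NULL, pg, PROT_READ | PROT_WRITE,
                            MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (policy == MAP_FAILED) return -1;

    policy[0] = 1;                                 /* init-time write: allowed */
    mprotect(policy, pg, PROT_READ);               /* seal: analogue of __ro_after_init */
    int sealed = write_faults(policy, 0xdead);     /* expected to fault */

    mprotect(policy, pg, PROT_READ | PROT_WRITE);  /* rare update: unlock briefly */
    policy[0] = 2;
    mprotect(policy, pg, PROT_READ);               /* re-seal */
    int resealed = write_faults(policy, 0xbeef);   /* expected to fault again */

    int ok = sealed && resealed && policy[0] == 2; /* legitimate update survived */
    munmap(policy, pg);
    return ok ? 1 : 0;
}
```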

          • "To be clear, the change that Microsoft is implementing here is specifically about making data structures read-only, not just executable code. Their example of policy data structures illustrates this."

            Except of course that there still has to be "approved" methods to change the data. So you just call the "approved" API. This is just smoke and mirrors that signifies nothing. Sort of like "software switches" that turn off the camera and microphone. You simply call the appropriate API to toggle the switch a

        • 15 years? That's an interesting number. It took MS a long time to get a desktop together that had protected mode. Arguably, Windows 2000 was a desktop, but to many it was just an iteration to Win NT. XP, was 2002? That's almost 10 years after Linux had 386 protected mode. So on security, is MS getting further behind, or is it catching up?

          Isn't the biggest threat to the user ransomware, and as such, does this really help the user against the majority of malware that runs happily as the user, it may stop it tr

          • My mom doesn't expect windows to be secure. Seriously. And she's really paranoid about clicking links, etc.

            I think users know, they still just do stupid shit sometimes because that's just how people are.

          • by raymorris ( 2726007 ) on Thursday July 09, 2020 @12:46PM (#60279706) Journal

            Yeah what can protect against ransomware (other than proper backups) is switching from 1970s-style discretionary access control (DAC) to mandatory access control.

            > the majority of malware that runs happily as the user,
            With DAC

            Yeah that's the defining characteristic of DAC - whatever runs as your user has permission to access all of your stuff. So a "calculator app" can read your email. That's mostly what Windows uses.

            Prior to getting DAC in Vista (or at least a crummy impersonation of DAC), Windows had no security controls at all. Anybody could browse the C drive. The best you could do before that was the OS wouldn't show a shortcut to other users' files on the desktop by default, but the C drive was right there. XP added a file permissions feature that COULD have been used, but really wasn't used and caused problems with programs. So really it was Vista that brought Windows up to 1970s standards for Access control.

            In 2000, Linux got MAC - it comes with policies specifying which types of files and directories the web server software is allowed to access *regardless of what userid it's using*. Even if there was an escalation exploit, /usr/bin/httpd can't access anything but web files, even if it's running as root. Your DHCP server can't access files of type "user documents", regardless of userid.

            Windows started playing something a little closer to MAC in 2008, but they got it fundamentally wrong. In their broken version, which they call MIC, they use *levels* of access rather than *types*. So for any given program it either has high access or low access. You can't say it gets access to the relevant files, and doesn't have access to files unrelated to that type of program.

            Maybe in 10 more years Windows will get MAC.

          • by lgw ( 121541 )

            When people say "protected mode" they usually mean the processes cannot write to one another's memory. The NT codebase has, of course, always had that. Windows has also protected memory pages containing code rather than data for many years. This is about protecting certain data pages used by the kernel from other tasks in the kernel.

        • Windows malware frequently does code injection and it's definitely a bad thing when malware can inject code into the running kernel.

          Well that's kind of Microsoft's business model from all indications.

    • by waspleg ( 316038 )

      This has been the plan before Windows 10 even came out, and after it's been in plain sight. Do you think it was an accident Intel/AMD put Unique Serial #'s in hardware? [https://phoronix.com/scan.php?page=news_item&px=AMD-PPIN-Processor-ID-Linux]

      • by waspleg ( 316038 )

        yeah [phoronix.com] 20+ years and you still can't edit a fucking post.

        • Unique IDs have a LOT of uses. Good ideas are usually widespread ideas. Like...the knife. ;-)

        • yeah [phoronix.com] 20+ years and you still can't edit a fucking post.

          I know. Trust me, you're not the only one that sees this as the stupid, anachronistic shortcoming that it is. Even a 2-minute grace period before locking the post would allow people to correct mistakes.

          But noooooooooo, that's just too fucking fancy for slashdot.

          • by jmccue ( 834797 )
            Actually, with mods editing is a bit complex. But maybe as soon as the post is modded it gets locked.
            • Actually, with mods editing is a bit complex. But maybe as soon as the post is modded it gets locked.

              Something like that. This isn't exactly a new problem that's never been seen or solved. It's been solved for 20+ years in virtually every blog and forum software out there.

              But this site, oh no this is too complex and people will maliciously edit their posts and oh it's so confusing and we've never done it that way and blah blah blah blah blah.

              Even Twitter, "the confetti of the internet" allows you to remove a post.

        • by AvitarX ( 172628 )
          At least they took away preview on mobile in those 20 years...
  • Fuck that shit.

    by Lordpidey ( 942444 )

    With the Microsoft Store, I ended up with two copies of a 50GB directory that I can't delete, thanks to the installer bungling itself when installing PSO2.

    I do not trust Microsoft to lock me out of my own machine, being unable to make needed changes.

    • If you have admin you should be able to change any file acl.

    • The way to update a driver is to update the dll FILE.
      Not rewrite a new copy into RAM after the old image has loaded.

      Linux has had this (fairly obvious) protection for at least 15 years, though much better. In Linux by default *all* executable code in the kernel is read-only. For kernel debugging you can turn it off with CONFIG_STRICT_MODULE_RWX and CONFIG_STRICT_RWX. That lets you change the driver in RAM, while it's running. Windows is now starting to apply this principle in some selected parts.

      • by Merk42 ( 1906718 )
        Winblows is bad! It should be like Linux!!

        *Windows does a thing Linux does*

        They must have ulterior motives! M$ is evil!!1
        • Winblows is bad! It should be like Linux!!
          *Windows does a thing Linux does*
          They must have ulterior motives! M$ is evil!!1

          How dare people remember the lessons of history?

      by thegarbz ( 1787294 )

      that I can't delete

      In Microsoft's defense it seems you probably shouldn't be trusted on your machine if this is the case.

  • above the hardware, where Meltdown, Spectre and all the other Intel fups have been occurring.

  • Can't any bus mastering device still write to most if not all of the memory, or is IOMMU now properly managed as well? Otherwise a GPU, USB, SATA, and other peripherals have a general ability to write to any address. (rather than being limited to dedicated RAM for the peripheral)

    I still miss the good old days of Firewire when you could plug into any computer and access its RAM. [wikipedia.org] Made for some handy debugging and RE. It was like a GameGenie for your PC.

  • ..that in reality does precisely nothing to prevent tracking unless websites respect the flag setting.
    You can mark some memory as 'read only' all you want. When some malware breaks your 'read only' mechanism and makes everything 'read-write' again, then it's useless.

    Let's just burn our OS's into EPROMs like the old days. That's read-only. Or cover the tab on the floppy with one of those little silver labels, remember those? xD
    • Not with privilege escalation alone. KDP uses virtualization hardware to do the job - you would have to break out of virtualization (or break in, depending on how it's done) to gain access to modify that memory.

      • "you would have to break out of virtualization (or break in, depending on how it's done) to gain access to modify that memory."
        ..meanwhile, hackers say: "Hold my beer and watch this"

        Anything that Mankind can make, Mankind can BREAK. Prove me wrong.

  • by NecroPuppy ( 222648 ) on Thursday July 09, 2020 @12:01PM (#60279482) Homepage

    Of how Windows ME had a "super secret hidden partition that only the OS could write to" until the malware makers (quickly) figured out how to stuff things in there. But the AV makers weren't allowed to go in there to clean it up...

    • I've been saying for over a decade now. What we need is a separate drive just for the OS. It should have a physical write-protect switch that's normally in the read-only mode. The OS should be designed to run from a read-only drive (like the old ROMs), with dynamic write operations (like logs and pagefile) being sent to a second read/write drive.

      Once a month when you update the OS, and only when you're updating the OS, the user hits a non-interceptable key combination like ctrl-alt-del. (That's why Wi
  • Did Microsoft just reinvent the immutable bit?

    Yes yes, I know this isn't the same thing...but it's more or less the same idea: "no touchy da file"

  • Windows already has obfuscated code that protects against modifying most kernel code and some critical variables such as ci.dll's g_CiOptions. If you mess with these, the obfuscated code will bugcheck (bluescreen) the system.

    It sounds like Microsoft's just making an API to tell PatchGuard more areas to watch for modifications.

  • Wow something we had on machines like HP3000 40 years ago FINALLY comes to Windows. I've always wondered why Windows allowed non-reentrant code. Mixing of read only code and read/write data in memory always seemed like a bad idea and we've put up with 40 years of malware, viruses, ransomware, etc. because of it. Maybe I'm just too old school.
