
This setting recently appeared in Windows 10 Home, as part of the Creators Update (1709).

However, other than some cursory info on this insider preview blog and this help page, I can't find anything about what the effects of this setting actually are.

  • What are likely performance impacts?

  • What are likely compatibility impacts?

  • Does this protect against exploits like Meltdown or Spectre?

It could be my weak Google-fu, but that blog and help page are all I can find. All they state about the Memory integrity setting is:

Core isolation provides added protection against malware and other attacks by isolating computer processes from your operating system and device. Select the Core isolation details link to change settings for core isolation features.

Memory integrity is a feature of core isolation. By turning the Memory integrity setting to On, you can help prevent malicious code from accessing high-security processes in the event of an attack.

With Memory integrity protection, kernel memory pages are only made executable after passing code integrity checks inside the secure runtime environment, and executable pages themselves are never writable.

Some drivers may still not be compatible. This may cause devices or software to malfunction.

There is an abundance of other articles on the topic, but they all just say how to turn the feature on, not what it does.

1 Answer


I'm not quite sure exactly what it does myself, and I actually work in the IT industry, so don't feel bad that you can't find much info, it just isn't there.

Based on what I do know, I believe that it actually does a couple of things, namely:

  • If the system has working hardware virtualization capabilities (SVM on AMD, VT-x on Intel, or something on ARM that I can't remember the name of), it takes advantage of them to provide somewhat better isolation of virtual memory areas for each process.
  • If the system has hardware level memory encryption support (SME on AMD, or SGX on Intel), it makes use of that to provide each virtual memory context (which is usually, but not always, the same thing as a process) with its own truly (in theory) private memory.

To answer each of your specific queries:

  • Performance impacts are generally pretty low for both parts; that's one of the advantages of doing this in hardware. They do however have different types of impact. The encryption part mostly impacts raw memory bandwidth (though in my own testing of the same technology on Linux, it's not much; I was counting cycles at times to determine the performance difference). The virtualization part, though, has most of its impact in context switching (for example, calling into the various Windows APIs or accessing hardware).
  • Compatibility-wise, you shouldn't see many issues unless you're using software that does some pathologically stupid stuff, and you have a relatively recent CPU. If your CPU isn't new enough, it won't support nested virtualization, and you won't be able to properly run most types of virtual machines on the system (officially, Windows 10 does not support any x86 CPUs old enough for this to be an issue, but it will still run on such systems).
  • In terms of what it protects against, it's hard to say without any concrete explanation of how it works. I kind of doubt it provides any realistic protection from buffer overrun bugs like Heartbleed though, as those can only be properly protected against in the programming language, not the OS.
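The help-page text quoted in the question says that with Memory integrity on, kernel pages only become executable after a code-integrity check inside the secure runtime environment. Whether that enforcement is actually running on a given machine (as opposed to merely toggled on in Settings and waiting on a reboot or a missing hardware prerequisite) can be read from the Win32_DeviceGuard CIM class and the registry key the Settings toggle writes. The script below is an added example, not code from the question, the answer, or Microsoft; the function name and the shape of its output are my own. It assumes the documented meaning of the CIM values (SecurityServicesRunning 2 = memory integrity, VirtualizationBasedSecurityStatus 2 = running) and of the HypervisorEnforcedCodeIntegrity scenario key.

```powershell
# Added example (not from the original post): report whether "Memory integrity"
# (hypervisor-enforced code integrity) is configured and actually running.
function Get-MemoryIntegrityState {
    [CmdletBinding()]
    param()

    # Win32_DeviceGuard reports what VBS is configured to do and what is running.
    # SecurityServicesConfigured / SecurityServicesRunning: 1 = Credential Guard,
    # 2 = memory integrity (HVCI). This fails on editions without the class.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard' -ErrorAction Stop

    # The Settings toggle writes this scenario key: Enabled = 1 switches the
    # feature on at next boot; Locked = 1 means policy pins the setting and the
    # local toggle cannot turn it off. Missing key means it was never touched.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
    $reg = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $regEnabled = $null
    $regLocked  = $null
    if ($reg) {
        $regEnabled = [bool]$reg.Enabled
        $regLocked  = [bool]$reg.Locked
    }

    [PSCustomObject]@{
        # 0 = VBS disabled, 1 = enabled but not running, 2 = running
        VbsStatus       = $dg.VirtualizationBasedSecurityStatus
        HvciConfigured  = [bool]($dg.SecurityServicesConfigured -contains 2)
        HvciRunning     = [bool]($dg.SecurityServicesRunning -contains 2)
        RegistryEnabled = $regEnabled
        RegistryLocked  = $regLocked
        # Platform prerequisites the firmware/CPU report as available
        # (1 = base VBS support, 2 = Secure Boot, 3 = DMA protection, ...)
        AvailableSecurityProperties = $dg.AvailableSecurityProperties
    }
}

$state = Get-MemoryIntegrityState
$state | Format-List

# The gap a practitioner cares about: toggled on, but not enforcing.
if ($state.HvciConfigured -and -not $state.HvciRunning) {
    Write-Warning 'Memory integrity is switched on but not running: reboot pending, or the hypervisor/hardware prerequisites are not met.'
}
```

Run it from an elevated PowerShell prompt. If HvciRunning is false after a reboot, the usual cause on the driver side is exactly the help-page caveat quoted above: a loaded kernel driver that fails the code-integrity check keeps the feature from enforcing, and the Settings page will typically name the offending driver.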