Windows 10 has the capability to use hardware virtualization to isolate critical parts of the operating system. Otherwise known as virtualization-based security (VBS), a secure kernel runs at a higher trust level than the NT kernel. And when Windows 10 executes code and stores data at the higher trust level, the standard NT kernel and user-mode processes cannot directly access the protected code and data. Windows transfers data between the two trust levels using a set of APIs.
VBS lets security features, like Windows Defender Device Guard and Credential Guard, operate with integrity even if the NT kernel is compromised. And Windows Defender System Guard, which was introduced in the Windows 10 Fall Creators Update (version 1709), reorganizes critical system components to protect them using a hardware-based isolation container at boot time and continues to provide protection when Windows is running.
But while VBS has been implemented by large organizations that have the right hardware and resources to manage it, VBS is turned-off by default for everyone else. According to a recent blog post by Bruce Sherwin, a member of Microsoft’s Hyper-V Development Team, Cloud & AI, the hypervisor development team is working on bringing VBS to everyone and enabling it by default. Sherwin notes that this will bring the added benefit of enabling a seamless integration of other features that rely on Hyper-V, like Windows Defender Application Guard, Windows Sandbox, Windows Subsystem for Linux 2, and more.
Sherman says that the team has been working over the past few Windows 10 releases to reduce the performance and power impact of running the hypervisor on typical consumer-grade hardware. This work has involved partnering with the Windows kernel team and chip manufacturers like Intel, AMD, and Qualcomm.
HyperClear and Hypervisor Memory Management
Microsoft has been able to reduce the runtime performance and power impact of hypervisor memory management as part of HyperClear, a Hyper-V project to mitigate L1TF speculative execution side-channel attacks across virtual machines (VM) with negligible performance impact; and kernel changes to avoid fragmenting large pages in the second-level address translation table (SLAT). Additionally, Microsoft has optimized hot hypervisor code paths for interrupt virtualization, better-using hardware virtualization technology. And finally, Hypervisor-Enforced Code Integrity (HVCI) is improved with reduced performance and power impact by using completely new hardware features, like Intel’s Mode-based execute control for Extended Page Tables (EPT) Mode-Based Execution Control (MBEC), AMD’s Guest-mode execute trap for NPT (GMET), and ARM’s Translation table stage 2 Unprivileged Execute-never (TTS2UXN).
What is Mode-Based Execution Control?
Good question. Mode-Based Execution Control virtualization provides an extra layer of protection from malware attacks in virtualized environments by allowing hypervisors to more reliably verify and enforce the integrity of kernel level code. MBEC is part of Intel VT-x in 7th-generation CPUs and later. In short, MBEC adds attributes to the SLAT table so that the kernel can tell the difference between kernel and user-mode memory pages. This enables HVCI to share the page table between kernel and user mode without causing what are known as VMExits, which can cause a large performance hit when processing unsigned user-mode code.
VBS On By Default for Samsung Galaxy Book2
Surprisingly, the first device to get VBS enabled by default is the Samsung Galaxy Book2, which is based on a Qualcomm Snapdragon 850 processor. It’s also the first time that Hyper-V has been officially supported on an ARM processor, which comes in build 18362.387 of the Windows 10 May 2019 Update, released late September 2019.
Better Security for Small Businesses and Consumers
If your PCs don’t support MBEC, or equivalent technology from another chip maker, then enabling HVCI, as used by Windows Defender Device Guard, could see a significant performance hit. While this isn’t the only factor that influences VBS performance, it is the most important.
It’s possible to enable VBS if you have the right hardware today, see Microsoft post here for more details on the technical requirements, but it is clearly going to be years before VBS is enabled everywhere. If not because it just requires modern hardware to work efficiently. While there’s only one device where VBS is enabled by default today it’s nice to know that Microsoft is working towards enabling VBS everywhere. And each new feature update for Windows 10 should provide wider support for VBS so that it can be enabled out-of-the-box by OEMs.