Technically there is no such thing as Ring “-1”. The hypervisor runs in a partition itself, complete with Ring 0 and Ring 3. It’s a unique Monitor Mode partition.

Hypervisor
- Partitioning kernel
- Partition is the isolation boundary
- Few virtualization functions; relies on the virtualization stack
- Very thin layer of software
- Microkernel
- Highly reliable
- No device drivers
- Two versions, one for Intel and one for AMD

Drivers run in the root
- Leverage the large base of Windows drivers
- Well-defined interface
- Allows others to create support for their OSes as guests

Virt Stack
- Portion of a traditional hypervisor that has been pushed up and out to make a micro-hypervisor
- Manages guest partitions
- Handles intercepts
- Emulates devices
- Guests are untrusted.
- The root must be trusted by the hypervisor; a parent must be trusted by its children.
- Code will run in all available processor modes, rings, and segments.
- The hypercall interface will be well documented and widely available to attackers.
- All hypercalls can be attempted by guests.
- Guests can detect that they are running on a hypervisor; we’ll even give you the version.
- The internal design of the hypervisor will be well understood.
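The trust rules above (guests untrusted, the root trusted by the hypervisor, a parent trusted by its children, and any guest free to attempt any hypercall) can be modelled in a few lines. The Python below is an added illustration written for this page, not Hyper-V's code: the privilege flags, hypercall names, status strings and the version string are hypothetical. The only slide facts it encodes are that every partition may attempt every hypercall, that the hypervisor version is deliberately disclosed, and that authority flows down the partition tree from the root.

```python
"""Toy model of partition privileges in front of a hypercall dispatcher.
Added illustration only: not Hyper-V's code. The privilege flags, hypercall
names and status strings are hypothetical."""
from dataclasses import dataclass
from enum import Flag, auto
from typing import Dict, List, Optional, Tuple

HV_VERSION = "example-hv 1.0"  # constructed value: freely disclosed to guests


class Priv(Flag):
    """Hypothetical partition privileges (not Hyper-V's real flag set)."""
    NONE = 0
    CREATE_PARTITION = auto()  # may create child partitions
    MAP_GPA = auto()           # may change a child's guest-physical memory map


@dataclass
class Partition:
    part_id: int
    privileges: Priv
    parent: Optional[int]  # part_id of the creating partition; None for root


# Hypercall name -> privilege the caller must hold (hypothetical table).
# get_version needs nothing: the design assumes the version is not a secret.
HYPERCALL_PRIVS: Dict[str, Priv] = {
    "get_version": Priv.NONE,
    "create_partition": Priv.CREATE_PARTITION,
    "map_gpa": Priv.MAP_GPA,
}


class Hypervisor:
    def __init__(self) -> None:
        # Root (part_id 1) is trusted by the hypervisor and holds everything.
        self.partitions: Dict[int, Partition] = {
            1: Partition(1, Priv.CREATE_PARTITION | Priv.MAP_GPA, None)
        }
        self._next_id = 2
        self.audit: List[Tuple[int, str, str]] = []  # (caller, call, status)

    def hypercall(self, caller_id: int, name: str, **args) -> Tuple[str, object]:
        """Single entry point: any partition may attempt any call; the
        privilege table and the parent/child check decide what is honoured."""
        caller = self.partitions[caller_id]
        needed = HYPERCALL_PRIVS.get(name)
        if needed is None:
            status, value = "ERR_UNKNOWN_HYPERCALL", None
        elif (caller.privileges & needed) != needed:
            status, value = "ERR_ACCESS_DENIED", None
        elif name == "get_version":
            status, value = "OK", HV_VERSION
        elif name == "create_partition":
            status, value = "OK", self._create(caller, args["privileges"])
        else:  # map_gpa
            status, value = self._map_gpa(caller, args["target"])
        self.audit.append((caller_id, name, status))  # denied attempts are logged too
        return status, value

    def _create(self, parent: Partition, requested: Priv) -> int:
        # A parent can only delegate privileges it holds itself, so no
        # partition in the tree ever ends up with more authority than the root.
        child = Partition(self._next_id, requested & parent.privileges, parent.part_id)
        self.partitions[child.part_id] = child
        self._next_id += 1
        return child.part_id

    def _map_gpa(self, caller: Partition, target_id: int) -> Tuple[str, object]:
        # Holding MAP_GPA is not enough: the target must be the caller's own
        # child, because a child trusts only its parent with its memory map.
        target = self.partitions.get(target_id)
        if target is None or target.parent != caller.part_id:
            return "ERR_NOT_CHILD", None
        return "OK", f"memory map of partition {target_id} updated"


def demo() -> Dict[str, object]:
    """Constructed scenario: root creates two guests, one guest creates a
    grandchild, and an unprivileged guest tries every call anyway."""
    hv = Hypervisor()
    _, g2 = hv.hypercall(1, "create_partition", privileges=Priv.NONE)
    _, g3 = hv.hypercall(1, "create_partition", privileges=Priv.CREATE_PARTITION)
    _, g4 = hv.hypercall(g3, "create_partition",
                         privileges=Priv.CREATE_PARTITION | Priv.MAP_GPA)
    return {
        "guest_version": hv.hypercall(g2, "get_version"),
        "guest_create": hv.hypercall(g2, "create_partition", privileges=Priv.NONE)[0],
        "guest_map": hv.hypercall(g2, "map_gpa", target=g3)[0],
        "guest_unknown": hv.hypercall(g2, "not_a_hypercall")[0],
        "grandchild_privs": hv.partitions[g4].privileges.name,  # clipped to parent's
        "root_map_child": hv.hypercall(1, "map_gpa", target=g2)[0],
        "root_map_grandchild": hv.hypercall(1, "map_gpa", target=g4)[0],
        "audit_entries": len(hv.audit),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two points carry over to a real design: the dispatcher relies only on the partition ID the hypervisor itself assigned, never on anything the caller claims, and the audit list records denied and unknown calls as well as successful ones, which is where a defender looks for a guest probing the hypercall surface.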
The hypervisor is the first kernel-mode-or-lower component built with ASLR. All new code, built from the ground up with the SDL.
These are things we had to get right in the product, or else there would be no product. TWC, SDL, and hard work. Microsoft knows how to do this, but I wouldn’t go so far as to say it’s in our DNA. It requires constant focus, training, and will. Someone needs to push for security at all stages, across all component teams and disciplines.
Now that you have this system, how do you keep it from getting too unwieldy? System Center, the offline servicing tool, Active Directory, AzMan, Forefront. The pieces are here; we, as a company, are starting to bring them together. Everyone needs to think about virtualization to get it right.
Now that we have virtualization, what new things can we do with it? It is a very powerful capability. I assert we can’t use it to solve the problems in management; that’s self-referential. And we have to be extremely careful not to weaken the core.
This is the mitigation for Blue Pill, hyperviruses.
The TPM wasn’t designed to be virtualized: there is only one PCR 0, which is set by the BIOS. How do multiple OSes share that?
Hyper-V Security
Brandon Baker, Senior Development Lead, Microsoft
William Arbaugh, Principal Architect, Microsoft
October 31st, 2008, ACM CCS / VMSec
All virtualization systems have a VMM, drivers, virtualization software, and management interfaces.
[Diagram: two stacks on Hardware. Left: Hypervisor running VM 1 (Admin), VM 2, VM 3. Right: Hypervisor running VM 2 (“Child”) and VM 3 (“Child”).]
Hyper-V Architecture
[Diagram. Root partition (Ring 0 / Ring 3): Server Core, Windows Kernel, Device Drivers, Virtualization Service Providers (VSPs), Virtualization Stack (VM Worker Processes, VMMS Service, WMI Provider), VMBus. Guest Partitions (Ring 0 / Ring 3): Guest Applications, OS Kernel with Enlightenments, Virtualization Service Clients (VSCs), VMBus. Windows hypervisor (Ring “-1”): Partition, VMCS/VMCB, APIC, MMU, CPU. Legend, provided by: Windows, ISV, Hyper-V. Example VSP/VSC pairs: Storage, NIC.]
Hyper-V TCB
[Diagram. Root partition: Server Core, Windows Kernel, Device Drivers, Virtualization Service Providers (VSPs), Virtualization Stack (VM Worker Processes, VM Service, WMI Provider), VMBus. Guest Partitions: Guest Applications, OS Kernel with Enlightenments, Virtualization Service Clients (VSCs), VMBus. Windows hypervisor: Partition.]
Hyper-V Security Model
[Diagram. Root Partition: Server Core, Virtualization Stack, Windows AuthN, AzMan. Windows hypervisor. Guest Partitions: Guest OS Kernel, Guest Applications, VMBus. Hypercalls labelled Part ID 1 and Part ID 2…n. Further labels: Partition Privileges, VM Config, Part ID to VM Config, VMCS, Memory Map.]
Hyper-V Security Model
- VM administrators don’t have to be Server 2008 administrators
- Guest resources are controlled by per-VM configuration files
- Shared resources are protected
  - Read-only (CD ISO file)
  - Copy on write (differencing disks)
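How the last two bullets protect a shared resource is easiest to see in code. The Python below is an added illustration written for this page, not Hyper-V's VHD implementation: the block size, the image contents and the class names are constructed for the example. It models a read-only base image that rejects every write and copy-on-write differencing disks that keep each VM's changes private, including a snapshot chained on top of a differencing disk.

```python
"""Toy model of the two protections named on the slide: a read-only base
image (CD ISO file) and copy-on-write differencing disks layered on it.
Added illustration only: not Hyper-V's VHD code, and the block size and
image contents are constructed for the demo."""
import hashlib
from typing import Dict, List

BLOCK = 4  # constructed block size in bytes (real disks use 512 B or larger)


class ReadOnlyImage:
    """Immutable base image: a CD ISO or the parent of a differencing disk."""

    def __init__(self, data: bytes) -> None:
        if len(data) % BLOCK != 0:
            raise ValueError("image length must be a multiple of BLOCK")
        self._blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

    @property
    def nblocks(self) -> int:
        return len(self._blocks)

    def read(self, n: int) -> bytes:
        return self._blocks[n]

    def write(self, n: int, data: bytes) -> None:
        # Every guest shares this image, so no guest may change it.
        raise PermissionError("base image is read-only")

    def digest(self) -> str:
        return hashlib.sha256(b"".join(self._blocks)).hexdigest()


class DifferencingDisk:
    """Copy-on-write child. Reads fall through to the parent until a block has
    been written locally; writes land only in this disk's private block map,
    so two children of one parent never see each other's changes."""

    def __init__(self, parent) -> None:
        self.parent = parent  # ReadOnlyImage or another DifferencingDisk
        self._local: Dict[int, bytes] = {}

    @property
    def nblocks(self) -> int:
        return self.parent.nblocks

    def read(self, n: int) -> bytes:
        if n in self._local:
            return self._local[n]
        return self.parent.read(n)

    def write(self, n: int, data: bytes) -> None:
        if not 0 <= n < self.nblocks or len(data) != BLOCK:
            raise ValueError("bad block write")
        self._local[n] = data

    def dirty_blocks(self) -> List[int]:
        return sorted(self._local)

    def digest(self) -> str:
        view = b"".join(self.read(i) for i in range(self.nblocks))
        return hashlib.sha256(view).hexdigest()


def demo() -> Dict[str, object]:
    """Constructed scenario: two VMs share one base image through their own
    differencing disks, and a snapshot is chained on top of the first."""
    base = ReadOnlyImage(b"AAAABBBBCCCCDDDD")  # constructed 4-block image
    base_before = base.digest()
    vm1, vm2 = DifferencingDisk(base), DifferencingDisk(base)
    vm1.write(1, b"1111")
    vm2.write(1, b"2222")
    vm2.write(3, b"3333")
    snap = DifferencingDisk(vm1)  # chained child: vm1 becomes its parent
    snap.write(0, b"0000")
    try:
        base.write(0, b"XXXX")
        iso_write = "allowed"
    except PermissionError:
        iso_write = "denied"
    return {
        "base_unchanged": base.digest() == base_before,
        "vm1_block1": vm1.read(1),
        "vm2_block1": vm2.read(1),
        "vm1_block3": vm1.read(3),  # untouched by vm1: falls through to base
        "vm1_dirty": vm1.dirty_blocks(),
        "vm2_dirty": vm2.dirty_blocks(),
        "snap_block0": snap.read(0),
        "vm1_block0": vm1.read(0),  # the snapshot's write did not reach vm1
        "iso_write": iso_write,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The property that matters for isolation is that the parent object exposes no mutating path to its children: a guest that fills its differencing disk with arbitrary data changes nothing that another guest, or the next VM booted from the same ISO, will read.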
Virtualization Attacks
[Diagram: the Hyper-V architecture with “Hackers” marked against it. Server Hardware. Root Partition: Server Core, Windows Kernel, Device Drivers, Virtualization Service Providers (VSPs), Virtualization Stack (VM Worker Processes, VM Service, WMI Provider), VMBus. Windows hypervisor. Guest Partitions: Guest Applications, OS Kernel with Enlightenments, Virtualization Service Clients (VSCs), VMBus. Legend, provided by: Windows, ISV, Hyper-V.]