What is virtualization-based security in Windows?
Virtualization-based security has been a feature of Windows 10 for years. It went unnoticed by many people because Microsoft was not enabling it by default; however, this changes with Windows 11.
Let’s take a closer look at VBS: what it is, and how to turn it on and off.
What is Virtualization-Based Security (VBS)?
Virtualization-Based Security (VBS) uses the Windows hypervisor to isolate a region of main memory from the rest of the operating system. Windows uses this isolated, secure region of memory to store security-critical assets such as login credentials and the code responsible for enforcing Windows security, among others.
The reason for hosting security solutions inside an isolated part of memory is to protect the solutions from exploits that aim to defeat those protections. Malware often targets Windows built-in security mechanisms to gain access to critical system resources. For example, malicious code can gain access to kernel-level resources by bypassing Windows code authentication methods.
VBS addresses this problem by separating the Windows security components from the rest of the operating system. This makes Windows more secure because exploited vulnerabilities cannot bypass operating system protections they have no access to. One of these protections is Hypervisor-Enforced Code Integrity (HVCI), also known as memory integrity.
HVCI relies on VBS to implement enhanced code integrity checks. These checks authenticate kernel-mode drivers and programs to ensure that they come from trusted sources. Thus, HVCI ensures that only the trusted code is loaded into memory.
In short, VBS is a mechanism by which Windows separates critical security components from everything else. In the event of a system breach, the components and information protected by VBS remain active because malicious code cannot infiltrate, disable or bypass them.
The need for virtualization-based security in Windows
To understand why Windows 11 needs VBS, we need to understand the threats that VBS is intended to eliminate. VBS is primarily a protection mechanism against malicious code that traditional security mechanisms cannot handle.
In other words, VBS aims to defeat kernel-mode malware.
The kernel is the heart of any operating system. It is the code that manages everything and allows the different hardware components to work together. Usually, user programs do not run in kernel mode; they run in user mode. User-mode programs have limited capabilities because they do not have elevated permissions. For example, a user-mode program cannot overwrite the virtual address space of another program and interfere with its operation.
Kernel-mode programs, as the name suggests, have full access to the Windows kernel and in turn have full access to Windows resources. They can make system calls, access critical data, and connect to remote servers without any hindrance.
In short, kernel-mode programs have higher permissions than even antivirus programs. Thus, they can bypass firewalls and other protections set up by Windows and third-party applications.
In many cases, Windows won’t even know that there is malicious code with kernel-level access. This makes detection of kernel-mode malware extremely difficult or, in some cases, even impossible.
VBS aims to change that.
As mentioned in the previous section, VBS creates a secure memory area using the Windows hypervisor. The Windows hypervisor has the highest level of privilege in the system, and it can inspect and enforce restrictions on system memory.
So if kernel-mode malware has modified pages in system memory, the hypervisor-backed code integrity checks, which run inside the secure memory region, examine those pages for integrity violations. Only when a piece of code gets a green light from these integrity checks is it made executable outside this memory region.
In short, Windows needs VBS to minimize the risk of kernel-mode malware in addition to dealing with user-mode malicious code.
How does Windows 11 use VBS?
If we take a close look at the Windows 11 hardware requirements, we can see that most of the things Microsoft requires for a Windows 11 PC are necessary for VBS to work. Microsoft details the hardware needed to run VBS on its website, including:
A 64-bit processor with hardware virtualization features such as Intel VT-x and AMD-V
Trusted Platform Module (TPM) 2.0
Hypervisor-Enforced Code Integrity (HVCI) compatible drivers
From this list, it’s pretty clear that the main hardware requirements of Windows 11, including Intel 8th gen or higher processors, are there to facilitate VBS and the features it enables. One of these features is Hypervisor Enforced Code Integrity (HVCI).
Remember that VBS uses the Windows hypervisor to create a virtual memory environment separate from the rest of the operating system. This environment acts as the operating system’s root of trust. In other words, only the code and security mechanisms residing inside this virtual environment are trustworthy. Outside-resident programs and solutions, including any kernel-mode code, are not trusted until they are authenticated. HVCI is a key component that strengthens the virtual environment created by VBS.
Inside the virtual memory region, HVCI checks kernel-mode code for integrity violations. The kernel-mode code in question can only allocate memory if the code is from a trusted source and the allocations pose no threat to the security of the system.
As you can see, HVCI is a big deal. Therefore, Windows 11 enables the feature by default on all compatible systems.
How to see if VBS is enabled on your computer
Microsoft enables VBS on pre-built and OEM Windows 11 compatible machines by default. Unfortunately, VBS can reduce performance by up to 25%. So if you are using Windows 11 and don’t need top security, be sure to turn off VBS.
To verify that VBS is enabled on your computer, press the Windows key, type “system information” and choose the matching result. Once the app is open, scroll down to “Virtualization-based security” and check whether it shows as running.
To enable or disable VBS, press the Windows key, type “core isolation” and choose the matching result. In the Core isolation section, toggle Memory integrity on or off.
Finally, restart your PC.
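The same checks can be scripted, which is handy when auditing more than one machine. The PowerShell below is an added example written for this article, not a Microsoft script: it checks the hardware prerequisites listed above (64-bit CPU with virtualization extensions, TPM 2.0, Secure Boot), reports the VBS and HVCI state that System Information shows, and offers the same Memory integrity switch as the Core isolation page. The CIM classes, registry path and status codes are Microsoft-documented; the function names and the `$DeviceGuardNs`/`$HvciRegPath` variables are this example’s own. Run it from an elevated PowerShell; a restart is still needed after changing the setting.

```powershell
# Added example (not from the article): report VBS/HVCI prerequisites and status,
# and toggle memory integrity the way the Core isolation page does.
# Assumes an elevated PowerShell session on Windows 10/11.

$DeviceGuardNs = 'root\Microsoft\Windows\DeviceGuard'
$HvciRegPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'

function Test-VbsPrerequisites {
    # Mirrors the article's hardware list: 64-bit CPU with virtualization
    # extensions, TPM 2.0 and UEFI Secure Boot.
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $vbs = Get-CimInstance -Namespace $DeviceGuardNs -ClassName Win32_DeviceGuard

    # Once a hypervisor is running it hides the VT-x/AMD-V flags from Windows,
    # so Win32_Processor reports them as $false; a running VBS is itself proof
    # that the CPU qualifies.
    $hypervisorRunning = $vbs.VirtualizationBasedSecurityStatus -eq 2

    $secureBoot = $false
    try { $secureBoot = Confirm-SecureBootUEFI } catch { }   # throws on legacy BIOS

    [pscustomobject]@{
        Is64Bit                   = [Environment]::Is64BitOperatingSystem
        CpuVirtualizationReady    = $hypervisorRunning -or
                                    ($cpu.VirtualizationFirmwareEnabled -and
                                     $cpu.SecondLevelAddressTranslationExtensions)
        Tpm20Present              = ($null -ne $tpm) -and ($tpm.SpecVersion -like '2.0*')
        SecureBootOn              = $secureBoot
        # AvailableSecurityProperties code 1 = base virtualization support
        PlatformReportsVbsCapable = $vbs.AvailableSecurityProperties -contains 1
    }
}

function Get-VbsStatus {
    # Scriptable equivalent of the System Information check in the article.
    $vbs = Get-CimInstance -Namespace $DeviceGuardNs -ClassName Win32_DeviceGuard
    $vbsState = switch ($vbs.VirtualizationBasedSecurityStatus) {
        0       { 'Not enabled' }
        1       { 'Enabled but not running' }
        2       { 'Enabled and running' }
        default { "Unknown ($_)" }
    }
    $hvciReg = Get-ItemProperty -Path $HvciRegPath -Name Enabled -ErrorAction SilentlyContinue
    [pscustomobject]@{
        VbsState                 = $vbsState
        # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (memory integrity)
        HvciRunning              = $vbs.SecurityServicesRunning -contains 2
        CredentialGuardRunning   = $vbs.SecurityServicesRunning -contains 1
        HvciConfiguredInRegistry = ($null -ne $hvciReg) -and ($hvciReg.Enabled -eq 1)
    }
}

function Set-MemoryIntegrity {
    # Same switch as Settings > Core isolation > Memory integrity, written to
    # the registry value Windows reads at boot; a restart is required either way.
    param([Parameter(Mandatory)][bool]$Enabled)
    if (-not (Test-Path $HvciRegPath)) { New-Item -Path $HvciRegPath -Force | Out-Null }
    New-ItemProperty -Path $HvciRegPath -Name Enabled -PropertyType DWord `
                     -Value ([int]$Enabled) -Force | Out-Null
    Write-Host "Memory integrity set to $Enabled; restart the PC to apply."
}

Test-VbsPrerequisites | Format-List
Get-VbsStatus | Format-List
# To change the setting: Set-MemoryIntegrity -Enabled $true   (or $false)
```

If `VbsState` reads “Enabled but not running” while `HvciConfiguredInRegistry` is true, the usual cause is a driver that is not HVCI-compatible, which is the third item on the hardware list above.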
VBS can make Windows 11 much more secure … but there are downsides
The great Windows 11 security features like HVCI rely heavily on VBS, for good reason. VBS is an effective way to defeat malicious code and protect the operating system from security breaches. But since VBS relies on virtualization, it can consume a good chunk of your system’s performance.
For Microsoft’s business customers, the case for this extra security is obvious, even at the expense of performance. But for average people who want a fast Windows experience, especially while gaming, the performance cost of VBS can be hard to swallow.
Fortunately, Microsoft allows you to disable VBS on your machine. But don’t worry about disabling VBS. Windows 11 is much more secure than Windows 10, even without VBS.
From Trusted Platform Modules to UEFI Secure Boot, Windows 11 steps up the security game and outperforms its big brother by miles.