"DMA Mode for ATA/ATAPI Devices in Windows XP "
"Windows Hardware Error Architecture ACPI Table Specification "
"Windows Support for Hyper-Threading Technology "
Advances in Memory Management for Windows
An Introduction to COM for UMDF Developers
Analyze Driver Performance
Application Compatibility Test Rig (ACT-R)
Application Software Considerations for NUMA-Based Systems
Architecture of the Windows Driver Foundation
Archive: Driver Install Frameworks Tools v.2.01
Archive: DVD and Microsoft Operating Systems
Archive: Hardware IDs for HID Devices
Archive: HID Audio Controls and Windows
Archive: Key Support, Keyboard Scan Codes, and Windows
Archive: Network Infrastructure Device Implementer's Guide
Archive: Power Management of USB Host Controllers
Archive: Scan Code Mapper for Windows
Archive: Specification for Use of PCI IDs with Windows Operating Systems
Audio Device Performance: Driver Best Practices
Audio Driver Support for the WMA Pro-over-S/PDIF Format
Away Mode DDK for Windows Vista
Away Mode in Windows Vista
Benchmarking on Windows XP: Home Edition and Professional
BIOS Settings for Native-Mode-Capable ATA Controllers
Booting Windows from USB Storage Devices
Brightness Control in WDDM
Building a Dynamic Data Center
Building a Great Media Center PC
CardBus Controllers and Windows
CardBus I/O Resource Windows in Windows Vista
Catalog Criteria for Datacenter Servers
Changes for Vendor-provided Storage Drivers Loaded Using F6
Choosing a WAN Miniport Driver Model
Color Management and Windows: An Introduction: An Overview of Microsoft Image Color Management Technology
Color Management Concepts
Colorspace Interchange Using sRGB
Compatibility of Type 2 Pointing Devices with MS IntelliMouse
CPU Virtualization Extensions: Analysis of Rootkit Issues
Creating Windows INF Files
Debug Port Specification - ARCHIVE - Download
Debug Port Specification - ARCHIVE
Debugging Kernel-Mode Driver Framework Drivers
Design and Deploy a Great Media Center PC
Designing Multifunction Devices for Windows Operating Systems
Designing Video Capture Boards for Use with the Microsoft ActiveX Video Control
Device Driver INF Guidelines for Windows XP
Device Simulation Framework (DSF)
Digital Still Camera Support
Digital Video Camcorder Support in Windows
DirectX VA: Accelerating Video Codec Processing
Disk Subsystem Performance Analysis for Windows
DMA Support in KMDF Drivers
Driver Compatibility for Windows Vista
Driver Protection List for Windows XP and Windows Server 2003
Dump Switch Support for Windows
Enhanced Keyboards and Windows
Exposing Enhanced Functionality for Scanners
Extension Unit Plug-ins for USB Video Class Devices
External DSL Modems Design Guidelines
FAQ for PCI and PCIe Issues for “Designed for Windows” Logo
Fast System Startup for PCs Running Windows XP
Functional Specification for De-Interlacing and Frame Rate Conversion in DirectX VA
Getting Started with WDM Audio Drivers
GPD Creation for Unidrv 5
GPRS Auto-Configuration in Wireless Wide Area Networks
Guidelines for Bus and Device Specifications
Guidelines for Video-Capable Wireless Networking
Hardware Design for Surprise Removal
Hardware Management in Microsoft Windows Server 2003 "R2" Beta 2
HID Game Controllers and DirectInput
HID System Devices, DirectInput, and Windows
How to Build, Install, Test, and Debug KMDF Drivers
How to Install Windows Drivers with Software Applications
How to Update Printer Drivers Supported in Windows
How to Use an INF to Override the Monitor EDID
I/O Flow and Dispatching in WDF Drivers
I/O Ports Blocked from BIOS AML
IA-64 Systems and ACPI 2.0 64-bit Tables
IDs and Serial Numbers for ISA Plug and Play
IEEE 1394 and the Windows Platform
IEEE 802.11 Networks and Windows XP
Implementing Speakerphone-Quality Audio on Computers
INF Requirements for 64-bit Systems
Input Device Drivers and Windows
Installing and Configuring Away Mode
Installing Test Builds of Inbox Drivers on Windows Vista
Interrupt Architecture Enhancements in Windows
Introduction to Cable Architecture
Introduction to the WDF User-Mode Driver Framework
Introduction to the Windows Driver Foundation
Kernel Enhancements for Windows XP
Kernel-Mode Drivers: Fixing Common Driver Reliability Issues
Key Benefits of the I/O APIC
Low Pool Memory and Windows XP
Management of Hardware Resources
MBR System Disk Conversion for Itanium-Based Systems
MCA Implementation Guide for 64-bit Windows XP and Windows Server 2003
MCA Support in 64-bit Windows XP and Windows Server 2003
Microsoft TV Technologies
Migrating TWAIN drivers to WIA
Mobile PC Hardware Button Recommendations
Mobile System Displays and Windows: Version 1.2c
Monolithic Storage Drivers and Windows
Multifunction Printer Design Recommendations
MultiMonitor Support and Windows Vista
NDIS 5.0 and ATM Support in Windows
NDIS 5.1 Support and Windows
NDIS Driver Debugging Guidelines
NDIS Driver Tips and Guidelines
Network Driver Compatibility with the Header-Data Split Feature
Network Driver Interface Specification - NDIS 5.0 Overview
Network Drivers and Windows
Network Explorer Extensibility
Networking over IrDA in Windows XP
Non-PCM Wave Formats and WDM Audio Drivers
Output Content Protection and Windows Vista
Partial Address Decoding and I/O Space in Windows Operating Systems
PC Card and CardBus Multifunction Devices and Windows Compatibility
PC Storage Directions: The evolution of hard disk and optical solutions
PCI Express FAQ for Graphics
PCI IRQ Routing on a Multiprocessor ACPI System
PCI Multi-Level Rebalance in Windows Vista
PCI Power Management and Device Drivers
PCI Subsystem IDs and PCI-to-PCI Bridge Devices
PCMCIA IRQ Routing on Windows XP
Pen and Touch Digitizer Drivers for Windows Vista
Personalized Icons for Devices on Windows XP
Platform Compatibility for USB Boot Devices
Plug and Play for Windows 2000 and Windows XP
PnP X Out-of-Band Association
Pointer Ballistics for Windows XP
Power Management for Network Devices
PREfast with Driver-Specific Rules
QoS: Assigning Priority in IEEE 802-style Networks
Quality Windows Audio-Video Experience - qWave
Recommendations for IEEE 802.11 Access Points
Registry Reflection in Windows
Removable Storage Management and Windows
Required Commands for Writable CD/DVD Devices
Sample Drivers for the Kernel Mode Driver Framework
Security-related Best Practices for WIA Drivers
Specifications: Hardware and Firmware Standards
sRGB Color Management Case Studies
Standard Modem Command Sets and INFs
Still Image Connectivity for Windows
System Area Networks (SAN)
System State-to-Device State Mappings (SxD)
Temporal Rate Conversion: Dave Marsh. Microsoft Technical Evangelist, TV and Video
The Importance of Implementing APIC-Based Interrupt Subsystems on Uniprocessor PCs
Timeout Detection and Recovery of GPUs through WDDM
Transient Multimon Manager (TMM)
Troubleshooting Device Installation with the SetupAPI Log File
TV and Broadcast Driver Architecture
Universal Accelerated Graphics Port (UAGP)
USB 2.0 and Windows Operating Systems
USB and Game Devices - ARCHIVE
USB Handset Peripherals and Windows
USB Printers - Architecture and Driver Support
USB Printing Solutions for Windows
User-Mode Driver Framework FAQ
Versioning in the Windows Driver Foundation
Virtual Address Space Usage in Windows Game Development
WDM Human Interface Device Class Support
WDM USB Driver Interface - ARCHIVE
What's New for Plug and Play in the Windows XP DDK
Where’s the Add Hardware Wizard?
WiFi Protected Access Overview
WinColorKit: Windows Color Quality Test Kit for Device OEMs
Windows and the 5-Button Wheel Mouse
Windows Connect Now FAQ
Windows Driver Model (WDM): Compatible drivers for Microsoft Windows operating systems
Windows File Protection and Windows
Windows Hardware Error Architecture
Windows Instrumentation: WMI and ACPI
Windows Logo Program Requirement Updates - Archives
Windows Logo Requirement Updates
Windows Media Connect Device Design Considerations
Windows Native Processor Performance Control
Windows Network Task Offload
Windows Power Management: Instant PC availability and energy savings
Windows Scalable Networking Initiative
Windows Server 2003, Datacenter Edition Driver Program Overview
Windows Setup and Device Installation Logging
Windows Vista Driver Development
Windows Vista Feature Pack for Wireless
Windows XP - Guidelines for Applications
Winsock Direct and Protocol Offload on SANs
Wireless Communications and Windows
Wireless Provisioning Services (entry/EULA)
WMI and CIM Concepts and Terminology
WMI Support for SMART Drives
Write-Combining Memory in Video Miniport Drivers
Writing Drivers for Reliability, Robustness and Fault Tolerant Systems
Writing WIA Drivers for Windows 64-bit Edition for Extended Processors
Expand Minimize
1 out of 1 rated this helpful - Rate this topic

CPU Virtualization Extensions: Analysis of Rootkit Issues

Updated: October 20, 2006


A recent demonstration showed how an attacker could take advantage of new processor virtualization extension instructions to install a hypervisor-based rootkit on a system that has hardware-assisted virtualization enabled and no virtualization software installed.

This article shares Microsoft's analysis of the exploitability and seriousness of this threat and recommends configuration options to increase the security of the processor virtualization extension feature.

On This Page

The Threat: A Hypervisor-Based Rootkit   The Threat: A Hypervisor-Based Rootkit
Viability and Exploitability of the Threat  Viability and Exploitability of the Threat
Recommendations for Additional Protection  Recommendations for Additional Protection
Resources  Resources


The Threat: A Hypervisor-Based Rootkit

The threat, which was the subject of two presentations at Black Hat 2006, is that someone with administrator privileges on a system that has hardware-assisted virtualization enabled and no virtualization software installed can install a hypervisor-based rootkit. This hypervisor-based rootkit would then be running at a higher privilege level than the operating system itself. The advantage that a hypervisor-based rootkit offers to an attacker is the reduced ability of legitimate kernel-mode code to detect the attacker's hypervisor-mode code.

A system that has a legitimate hypervisor installed is not susceptible to this attack, because as soon as a hypervisor has enabled and used the processor virtualization extensions, a second hypervisor cannot use the extensions.

Viability and Exploitability of the Threat

Contrary to the presentations that describe this type of attack, a rogue hypervisor can be detected using standard rootkit detection mechanisms because the rootkit cannot protect itself from the operating system running on top of it. The claim that the hypervisor-based rootkit could be made "undetectable" would make implementing the rootkit significantly more complex for developers.

Rootkit developers have traditionally shown a strong desire to write code that runs in user mode rather than in kernel mode. Given the additional complexity of properly exploiting the processor virtualization extensions, a successful attack based on the processor virtualization extensions would challenge rootkit developers in ways that a traditional rootkit attack does not.

In addition, this attack vector is somewhat less appealing to developers than a traditional rootkit attack for these reasons:

  • A hypervisor-based rootkit cannot be run unless the attacker is already executing kernel-mode code.

  • A hypervisor-based rootkit gives an attacker no new access to user data that the attacker would not already have through a traditional kernel-mode rootkit.

  • A hypervisor-based rootkit must implement complex mechanisms and utilize secure hardware in order to protect itself from the operating system, and it must also do so in ways that avoid detection.

Although these challenges make it less likely that a rootkit developer would choose to implement a hypervisor-based rootkit, security experts agree that the most effective threat mitigations involve multiple layers of defense. We must therefore consider whether an additional protection mechanism is called for.

Recommendations for Additional Protection

Microsoft believes that it would be very valuable to have a mechanism in the system firmware to enable and disable virtualization extensions, both from the defense-in-depth perspective and to alleviate the concerns of end users. Such a mechanism could take the form of a switch in system firmware that allows a user to enable or disable the virtualization extension feature, thus protecting them from exploits on systems that will not be running a legitimate hypervisor. Given the broad publicity received by the presentations about hypervisor-based rootkit attacks, there is significant value in making this choice available to end users so that their concerns can be alleviated.

It is extremely important that any mechanism for enabling virtualization must not be accessible by unauthorized software, even local privileged software, because an attacker could take advantage of such mechanisms to turn virtualization back on.

Recommended Defaults for Enabling/Disabling Virtualization Extensions. The default setting of this switch requires some thought. Consider the costs of disabling Intel Virtualization Technology/AMD Virtualization through a system firmware setting: If these facilities are disabled by default in system firmware, users would have to explicitly enable that support on each platform instance for legitimate uses, which would represent a significant challenge for enterprises that have thousands of machines and plan on using the hardware extensions. The cost of enabling virtualization hardware support through a manual system firmware setting would result in an increase in deployment time and cost. This cost can be mitigated through the use of various in-band and out-of-band mechanisms for remote management. (More on this in a moment.)

Given the current usage model for the virtualization extensions, we believe that the following default settings are the right ones for system firmware:

  • For systems that are destined for a server role (and for only these systems), enable the virtualization extensions. The threat of running malicious code as an administrator on servers is reduced through Windows Server policies and organizational best practices.

  • For systems that are destined for a client role, disable (and lock off) the virtualization extensions.

  • For systems that might be deployed in either a server or client role (such as high-end workstations), it would be prudent to disable the extensions by default.

As always, the exception to any guideline is when a customer specifically indicates to a manufacturer that they do not want to follow that guideline.

Recommended Language for Describing Enable/Disable Functionality. Additionally, Microsoft believes that using a consistent location and consistent language to describe the enable/disable functionality in firmware setup programs has strong customer value. Given a single phrase in a standard location, operating system Setup can inform customers what action to take if they attempt to install an operating system that requires the virtualization extensions on a system that has the virtualization extensions disabled.

We recommend the following location and language for this functionality:

  • Location. The option to enable or disable the virtualization extensions should be expressed in a consistent location across system firmware implementations. We recommend that system firmware implementations place the enable/disable option in the same system firmware Setup section that displays the processor-related fields (such as "Brand String," "Speed," and "System Bus Speed").

  • Option Text. We recommend that this option be labeled "Virtualization Technology." When this option is chosen, system firmware would allow the user to enable or disable the virtualization extensions.

  • Help Text. We recommend the following help text for this option: "When enabled, a VMM can utilize the additional hardware virtualization capabilities provided by this technology."

Example Scenario for the Enable/Disable User Experience. The following scenario illustrates the user experience for this mechanism: An end user decides to re-provision a machine to take on a role that requires the virtualization extensions. As soon as Setup detects the need the virtualization extensions, it checks whether they are present and whether they are enabled or disabled. If the extensions are enabled, Setup proceeds normally. If the extensions are disabled, Setup displays a dialog box with a message such as the following:

"This installation requires the use of processor virtualization extensions which are currently disabled. Please check system firmware settings and set the Virtualization Technology option to Enabled."

Out-of-Band Enable/Disable Method for Enterprise Client Systems. Microsoft recommends that enterprise client systems be designed to take advantage of an out-of-band enable/disable method that uses Web Services for Management (WS-Management) and out-of-band management hardware. The industry-standard approach and robust security of WS-Management makes it a great tool for controlling this functionality. For a managed environment, this enables a centralized method of configuration for IT departments.

Resources

For questions about CPU virtualization extensions and the recommendations in this paper, send e-mail to MSVirtEx@microsoft.com.
Help us help you
Answer questions that we’ll use to make the Dev Center better.
Was this page helpful?
Your feedback about this content is important
Let us know what you think.
Additional feedback?
Thank you!
We appreciate your feedback.
© 2013 Microsoft. All rights reserved.