While helping Windows Enterprise customers deploy and realize the benefits of Windows 10, I've observed there's still a lot of confusion regarding the security features of the operating system. However, the key benefits of Windows 10 involve these deep security features. This post serves to detail the Device Guard and Credential Guard feature sets, and their relationship to each other.

First, let's set the foundation by thinking about the purpose of each feature:

Device Guard is a group of key features designed to harden a computer system against malware. Its focus is preventing malicious code from running by ensuring only known good code can run.

Credential Guard is a specific feature, not part of Device Guard, that aims to isolate and harden key system and user secrets against compromise, helping to minimize the impact and breadth of a Pass the Hash style attack in the event that malicious code is already running via a local or network based vector.

The two are different, but complementary, as they offer different protections against different types of threats. Let's dive in and take a logical approach to understanding each.

It's worth noting here that these are enterprise features, and as such are included only in the Windows Enterprise client.

The first technology you'll need to understand before we can really dig into either Device Guard or Credential Guard is Virtual Secure Mode (VSM).

VSM is a feature that leverages the virtualization extensions of the CPU to provide added security for data in memory. We call this class of technology Virtualization Based Security (VBS), and you may have heard that term used elsewhere. Any time we're using virtualization extensions to provide security, we're essentially talking about a VBS feature.

VSM leverages the on-chip virtualization extensions of the CPU to sequester critical processes and their memory against tampering from malicious entities.

The way this works is that the Hyper-V hypervisor is installed, the same way it gets added when you install the Hyper-V role. Only the hypervisor itself is required; the Hyper-V services (which handle shared networking and the management of VMs themselves) and management tools aren't required, but are optional if you're using the machine for 'real' Hyper-V duties. As part of boot, the hypervisor loads and later calls the real 'guest' OS loaders.

The diagram below illustrates the relationship of the hypervisor with the installed operating system (usually referred to as the host operating system).

The difference between this and a traditional architecture is that the hypervisor sits directly on top of the hardware, rather than the host OS (Windows) directly interacting at that layer. The hypervisor serves to abstract the host OS (and any guest OS or processes) from the underlying hardware itself, providing control and scheduling functions that allow the hardware to be shared.

In VSM, we're able to extend this by tagging specific processes and their associated memory as actually belonging to a separate operating system, creating a 'bubble' sitting on top of the hypervisor where security sensitive operations can occur, independent of the host OS:

In this way, the VSM instance is segregated from the normal operating system functions and is protected from attempts to read information in that mode. The protections are hardware assisted, since the hypervisor is requesting that the hardware treat those memory pages differently. This is the same way that two virtual machines on the same host cannot interact with each other: their memory is independent and hardware regulated to ensure each VM can only access its own data.

From here, we now have a protected mode where we can run security sensitive operations. At the time of writing, we support three capabilities that can reside here: the Local Security Authority (LSA), and Code Integrity control functions in the form of Kernel Mode Code Integrity (KMCI) and the hypervisor code integrity control itself, which is called Hypervisor Code Integrity (HVCI). Each of these capabilities (called Trustlets) is illustrated below:

When these capabilities are handled by Trustlets in VSM, the Host OS simply communicates with them through standard channels and capabilities inside of the OS.
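To check which of the VBS capabilities described in this post are actually in effect on a given machine, the PowerShell below (an added example, not code from the original post) queries the Win32_DeviceGuard WMI class and decodes its status fields into the Trustlets named above. It assumes Windows 10 Enterprise or later, where that class exists, and the status-code meanings in its comments follow Microsoft's documentation of the class.

```powershell
# Added example (not from the original post). Assumes Windows 10 Enterprise or later,
# which exposes Win32_DeviceGuard in the root\Microsoft\Windows\DeviceGuard namespace.
function Get-VbsStatusReport {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard' -ErrorAction Stop
    # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
    $vbsState = switch ([int]$dg.VirtualizationBasedSecurityStatus) {
        0 { 'Not enabled' } 1 { 'Enabled but not running' } 2 { 'Running' } default { "Unknown ($_)" }
    }
    # Service ids in SecurityServicesConfigured / SecurityServicesRunning:
    # 1 = Credential Guard (the LSA Trustlet), 2 = Hypervisor Code Integrity (HVCI)
    function Describe-Services($ids) {
        foreach ($id in $ids) {
            switch ([int]$id) {
                1 { 'Credential Guard (LSA Trustlet)' }
                2 { 'Hypervisor Code Integrity (HVCI)' }
                default { "Unknown service id $id" }
            }
        }
    }
    # Code integrity policy enforcement (kernel / user mode): 0 = off, 1 = audit, 2 = enforced
    function Describe-Ci($code) {
        switch ([int]$code) { 0 { 'Off' } 1 { 'Audit' } 2 { 'Enforced' } default { "Unknown ($code)" } }
    }
    $configured = @(Describe-Services $dg.SecurityServicesConfigured)
    $running    = @(Describe-Services $dg.SecurityServicesRunning)
    # Configured is not the same as running: until VSM is up no Trustlet is isolated, so
    # LSA secrets are only protected when Credential Guard appears under 'running'.
    $warnings = @()
    if ($vbsState -ne 'Running' -and $configured.Count -gt 0) {
        $warnings += 'Services are configured but VSM is not running; no Trustlet isolation is in effect.'
    }
    foreach ($svc in $configured) {
        if ($running -notcontains $svc) { $warnings += "$svc is configured but not running." }
    }
    [pscustomobject]@{
        VbsState                = $vbsState
        ServicesConfigured      = $configured
        ServicesRunning         = $running
        KernelModeCodeIntegrity = Describe-Ci $dg.CodeIntegrityPolicyEnforcementStatus
        UserModeCodeIntegrity   = Describe-Ci $dg.UsermodeCodeIntegrityPolicyEnforcementStatus
        Warnings                = $warnings
    }
}

Get-VbsStatusReport | Format-List
```

Run it from an elevated prompt; on a build that predates the code integrity status properties those two fields will read 'Off', so treat them as informative only.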