Virtualization-Based Security in Windows 10 on ARM


Virtualization-Based Security (VBS)

Virtualization-based security, or VBS, uses hardware virtualization features to create and isolate a secure region of memory from the normal operating system. Windows can use this "virtual secure mode" to host a number of security solutions, giving them greatly increased protection from vulnerabilities in the operating system and preventing the use of malicious exploits that attempt to defeat those protections.

VBS uses the Windows hypervisor to create this virtual secure mode and to enforce restrictions that protect vital system and OS resources, or to protect security assets such as authenticated user credentials. Even if malware gains access to the OS kernel, the increased protection provided by VBS can limit and contain the damage, because the hypervisor can prevent the malware from executing code or accessing system secrets.

One example is Hypervisor-Enforced Code Integrity (HVCI), which uses VBS to substantially strengthen code integrity policy enforcement. Kernel mode code integrity checks all kernel-mode drivers and binaries before they are started, and prevents unsigned drivers or system files from being loaded into system memory.

Similarly, user mode configurable code integrity policy checks applications before they are loaded and starts only executables signed by known, approved signers. HVCI uses VBS to run the code integrity service inside the secure environment, offering stronger protection against malware and kernel-mode attacks. The hypervisor, the most privileged level of system software, sets and enforces page permissions across all system memory.

Pages are made executable only after code integrity checks have been completed inside the secure region, and executable pages are never writable. Even when a vulnerability such as a buffer overflow lets malware attempt to modify memory, the code pages cannot be changed, and the modified memory cannot be executed.

As of Windows 10, version 1903 (OS build 18362.383), virtualization-based security is available on supported ARM systems running on Qualcomm's Snapdragon 850 platform and later.

When this security feature is enabled, you may encounter the following problems if the system is in an insecure state:

  • Fingerprint authentication stops working, because the fingerprint authentication data is cleared to protect your privacy.
  • Videos protected by Digital Rights Management (DRM) cannot be played.

The following table lists the conditions that may indicate that the system is in an insecure state. It also lists the method for reverting the system from that state.

Note: To use fingerprint authentication again, clear your existing data and set up fingerprint authentication again. We recommend returning the system to a secure configuration before doing so.

Condition: Failure to check or enforce the Security Version Number (SVN) of a System Guard Secure Launch process during a secure startup
Reversion method: Install the latest version of Windows through Windows Update

Condition: Boot (startup) debugging is enabled
Reversion method: Enable Secure Boot

Condition: Test-signed code is not completely disabled for execution
Reversion method: Enable Secure Boot

Condition: The Microsoft hypervisor self-check detects certain insecure settings
Reversion method: Run the following commands to disable the hypervisor debugger and delete the hypervisor load options:

  • bcdedit /set hypervisordebug off
  • bcdedit /deletevalue hypervisorloadoptions
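The following PowerShell script is an added example, not part of the original article or of Microsoft's tooling: it audits the boot-configuration conditions in the table above (the SVN row is not checked, since it is fixed by Windows Update) and reports whether VBS and HVCI are actually running. It assumes an elevated prompt on Windows 10, an English-locale bcdedit ("Yes"/"No" values), and the Win32_DeviceGuard WMI class and Confirm-SecureBootUEFI cmdlet being available.

```powershell
# Added example (not from the original article): audit the insecure conditions listed in the
# table above and report VBS/HVCI status. Run from an elevated PowerShell prompt on Windows 10.
# Assumptions: Win32_DeviceGuard and Confirm-SecureBootUEFI are available; bcdedit prints
# English "Yes"/"No" values and is parsed as plain text.

function Get-VbsStatus {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running.
    # SecurityServicesRunning contains 1 for Credential Guard and 2 for HVCI.
    [pscustomobject]@{
        VbsRunning  = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        HvciRunning = (@($dg.SecurityServicesRunning) -contains 2)
    }
}

function Test-SecureBootEnabled {
    # Confirm-SecureBootUEFI throws on legacy BIOS firmware or when the query is unsupported;
    # treat both as "not enabled", since the table's reversion method is to enable it.
    try { return [bool](Confirm-SecureBootUEFI) } catch { return $false }
}

function Get-BootSetting {
    param([string[]]$BcdLines, [string]$Name)
    # bcdedit prints one "<name>   <value>" line per option; return the value, or $null if absent.
    $line = $BcdLines | Where-Object { $_ -match "^\s*$Name\s+" } | Select-Object -First 1
    if ($line) { return ($line -replace "^\s*$Name\s+", '').Trim() }
    return $null
}

function Invoke-VbsAudit {
    $status = Get-VbsStatus
    $bcd    = & bcdedit /enum '{current}'
    Write-Host ("VBS running: {0}   HVCI running: {1}" -f $status.VbsRunning, $status.HvciRunning)

    if (-not (Test-SecureBootEnabled)) {
        Write-Warning 'Secure Boot is off. Reversion: enable Secure Boot in firmware.'
    }
    # Boot debugging and test signing are the table's two Secure Boot rows; these are the
    # bcdedit options that Secure Boot prevents from taking effect.
    if ((Get-BootSetting $bcd 'bootdebug')   -eq 'Yes') { Write-Warning 'Boot debugging is enabled. Reversion: enable Secure Boot.' }
    if ((Get-BootSetting $bcd 'testsigning') -eq 'Yes') { Write-Warning 'Test signing is enabled. Reversion: enable Secure Boot.' }
    if ((Get-BootSetting $bcd 'hypervisordebug') -eq 'Yes') {
        Write-Warning 'Hypervisor debugger is enabled. Reversion: bcdedit /set hypervisordebug off'
    }
    if ($null -ne (Get-BootSetting $bcd 'hypervisorloadoptions')) {
        Write-Warning 'Hypervisor load options are set. Reversion: bcdedit /deletevalue hypervisorloadoptions'
    }
}

Invoke-VbsAudit
```

A machine in the table's "insecure" state will typically report VBS as enabled but not running (status 1) alongside one of the warnings, which is the cue to apply the listed reversion method and reboot.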
Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.