Above Ring Zero
- Inherits: Two things. First, the VTL0/VTL1 split and the rule that VTL0 holds no mapping for VTL1's pages (Chapter 6, The Secure Kernel), which this chapter now examines from beneath, as the enforcer. Second, a measured, signed launch: Secure Boot refused unsigned boot code (Chapter 1, Secure Boot), Measured Boot extended each stage's hash into the TPM's PCRs (Chapter 4, Measured Boot; Chapter 2, The TPM), and Attestation let a remote party believe the record (Chapter 5, Attestation), so the hypervisor binary itself started under conditions that were verified, not assumed.
- Promise: A program at a CPU privilege the NT kernel cannot reach (VMX root operation / SVM host mode) owns the second-level page tables. Inside the root partition, VTL0 ring-0 code (including the kernel running as
SYSTEM) cannot read, write, or execute VTL1 memory. Separately, an L1 child guest cannot escape to the root partition or reach another guest through the Hyper-V boundary. Serviced boundaries: VTL0→VTL1 (VBS) and L1-guest→host/guest (Hyper-V), both of which Microsoft commits to defending with a security update; root-partition admin remains hypervisor-admin in that threat model. - TCB: The hypervisor binary (
hvix64.exe/hvax64.exe) and the per-VTL SLAT, intercept, SynIC, and hypercall machinery it owns; the root partition's privileged device-emulation and management stack, where a kernel-mode bug is hypervisor-equivalent; the firmware/DRTM launch state and the update pipeline that decides which hypervisor build runs. The NT kernel the attacker can own is explicitly outside it. - Adversary → Break: Structured guest-controlled input is parsed at three seams: root-partition device emulation (
vmswitch.sys), the hypercall ABI dispatcher, and the VTL0→VTL1 secure-call entry. Those three seams produced six public CVEs across three classes since 2018. The Promise covers architectural mediation of memory and partitions, not parser bugs, side channels, DMA below the CPU, or rollback to an old signed build. - Residual: Firmware/SMM below the hypervisor → Secure Boot (Chapter 1) and the DRTM measurement described here; microarchitectural side channels and the host-visibility model → Confidential VMs (Chapter 28); IOMMU/DMA bypass → Kernel DMA Protection (a Windows kernel/driver/firmware policy system backed by IOMMU state the hypervisor participates in) with firmware handoff back to Secure Boot (Chapter 1); hypervisor rollback/downgrade → The Secure Kernel (Chapter 6); what runs inside VTL1 → VBS Trustlets (Chapter 7); credential use once the secret is isolated → Credential Guard (Chapter 15).
- Bequeaths: The enforced VTL0→VTL1 boundary and the five primitives every VBS feature composes. The floor VBS Trustlets (Chapter 7) fills with secure-world processes, Code Integrity (Chapter 8) rides to make kernel pages immutable, and Credential Guard (Chapter 15) spends to put selected long-term credential material behind LSAISO/VTL1. Does NOT provide: a bug-free hypercall or secure-call parser, freedom from side channels or DMA below the CPU, a guarantee the current hypervisor build is the one running, or any policy about what VTL1 decides.
- Proof: 🔵 documented at the point of claim:
bcdedit,Win32_DeviceGuard,systeminfo, andGet-ComputerInfosurfaces (Microsoft Learn), the TLFS hypercall/VSM contract, and the public CVE record. No lab capture exists for this chapter; its evidence is honestly labeled.
The Reasoner's question. What does Hyper-V's hypervisor actually enforce, why is the boundary serviceable, and what remains when the bottom turtle has a bug?
Chapter thesis.
The Windows hypervisor is the program that runs beneath the Windows kernel. It runs at a privilege level the kernel cannot reach and owns the page tables that decide which memory the kernel may even see. Virtualization-Based Security, Credential Guard, HVCI (Memory Integrity in Windows Security), Application Control, VBS Enclaves, and System Guard Secure Launch are all built by composing five primitives the hypervisor exposes: partitions, hypercalls, intercepts, SynIC, and per-VTL SLAT. The substrate is real and serviced, with a public CVE record across several recent years; the residual attack surface (firmware below, side channels above, IOMMU bypass beside, hypervisor rollback) is where Windows security still earns its hardest miles.
Why Above Ring Zero matters
On a Windows 11 machine where VBS is running and the relevant VBS-backed services are also running (Credential Guard, HVCI/Memory Integrity, and any WDAC/App Control policy the fleet requires) a kernel-mode driver with full Ring-0 privilege loses authorities that older Windows kernels treated as absolute. It cannot read the selected long-term credential material isolated in LSAISO/VTL1. It cannot make arbitrary unsigned or policy-denied kernel code executable under HVCI/WDAC. It cannot patch protected ntoskrnl.exe code pages behind the VTL1 code-integrity path, and it cannot turn HVCI off in-place without changing boot policy and rebooting. None of this is enforced by the NT kernel alone. It is enforced by a different program: one that launches before the NT kernel, runs at a privilege level the Windows kernel cannot reach, and owns the page tables that say which memory the Windows kernel may even see. That program is the Windows hypervisor [406,322,87].
The intuition this fact violates is older than most readers' careers. "SYSTEM owns the box." Every introductory security course teaches it. Local administrator escalates to SYSTEM, SYSTEM loads a driver, the driver runs in the kernel, and the kernel can do anything to the machine. That model is correct for a Windows installation running without Virtualization-Based Security. It is wrong, in three specific and load-bearing ways, for a Windows installation that has VBS turned on.
Definition: Virtualization-Based Security (VBS). A Windows security architecture that uses the Hyper-V hypervisor to create a small, isolated execution environment alongside the normal Windows operating system. The hypervisor allocates a portion of memory, configures its second-level page tables to make that memory unreadable and unwritable from normal kernel mode, and runs Microsoft-signed code there (the Secure Kernel and isolated user-mode trustlets) that the regular NT kernel cannot reach. Credential Guard, HVCI, Application Control, and System Guard all sit on top of this primitive [322].
The binary in question is named hvix64.exe on Intel hosts and hvax64.exe on AMD hosts.
Sidebar. Loose security writing sometimes calls the hypervisor's privilege level "Ring -1." That phrase is colloquial. Intel's manuals say "VMX root operation"; AMD's manuals say "SVM host mode." Both terms denote a CPU operating mode that sits architecturally outside the four-ring privilege stack the guest OS sees, not a fifth ring inside it.
It is launched by hvloader.efi during the Windows OS-loader path, before the NT kernel runs. By the time the Windows boot manager hands control to the NT kernel, the hypervisor has already configured the CPU's virtualization extensions, allocated its own private memory, taken ownership of the IOMMU, and set up the per-partition second-level page tables that decide which physical pages each partition can see [407]. From the NT kernel's point of view, the machine starts up already inside a guest partition. There is no escape upward.
This chapter is about the program that runs beneath the kernel. The Secure Kernel chapter (Chapter 6) carved out VTL1; the Code Integrity chapter (Chapter 8) made kernel pages immutable; the Credential Guard chapter (Chapter 15) isolated selected long-term credential material. Each describes a policy (the Secure Kernel enforces code integrity, Credential Guard isolates the credential) and none of those policies would be enforceable without a piece of software running at a privilege level the policy's adversary cannot reach. The hypervisor is that piece of software, and "security primitive" is how Microsoft, the security research community, and the bug-bounty market all describe its current role.
Five questions organize what follows. Why the hypervisor became a security primitive: the architectural failure of Ring-0 defenses that Microsoft fought for a decade and finally gave up on in 2015. How it became one, in three steps: Popek and Goldberg's 1974 virtualizability theorem; Intel VT-x and AMD-V in the 2005-2006 hardware generation [408,409]; and David Hepkin and Arun Kishan's 2013 patent on hierarchical Virtual Trust Levels [410]. What it enforces, feature by feature, with the hypervisor primitive that backs each: HVCI rides on per-VTL SLAT; Credential Guard rides on SynIC plus the secure-call ABI; System Guard Secure Launch rides on DRTM [104]. Where it has actually failed in public. Six worked CVEs across three distinct attack classes, all narrowly localized. And what is structurally outside its mandate: firmware below the hypervisor, microarchitectural side channels above it, IOMMU bypass beside it, and hypervisor rollback through the update pipeline.
The story is half engineering and half conceptual inversion. How did a server-consolidation hypervisor that shipped in 2008 with Windows Server 2008 (a product whose original marketing pitch was "run more VMs per box") become the architectural substrate beneath so many load-bearing Windows security boundaries in 2026? The answer begins in 1974, with a paper that defined what a hypervisor even is. But the political and engineering thread begins five years before that, in San Mateo, California.
Origins: Connectix to Viridian to Hyper-V
Microsoft entered the virtualization market three years late and by acquisition. On February 19, 2003, the company bought Connectix, a small San Mateo software house founded in 1988 that had built Virtual PC for Macintosh and, later, Virtual PC for Windows. The Connectix engineers became the nucleus of what Microsoft would internally call the Windows Server Virtualization team. The acquired products shipped as Microsoft Virtual PC 2004 and Microsoft Virtual Server 2005. Both were Type-2 hypervisors: user-mode applications that ran on top of Windows, using software techniques rather than CPU virtualization extensions, because the CPU virtualization extensions did not yet exist on shipping x86 hardware.
Definition: Type-1 hypervisor. A hypervisor that runs directly on hardware rather than as an application on top of a host operating system. The hypervisor owns the CPU, the second-level page tables, and (in the security-relevant case) the IOMMU; guest operating systems run at a lower privilege level, in partitions or virtual machines that the hypervisor schedules and isolates. IBM's CP-67/CMS in 1968 is the genre's historical ancestor; VMware ESX, Xen, and the Microsoft hypervisor (hvix64.exe/hvax64.exe) are modern examples [406,411].
In 2005, the team began a new project under the codename "Viridian." The goal was a Type-1 micro-kernelized hypervisor for x86-64 (a fresh build, not a derivative of Virtual Server) that required hardware virtualization extensions at install time. By the time Hyper-V was ready, Intel VT-x and AMD-V were shipping broadly enough that Microsoft could make hardware virtualization a system requirement rather than a configuration option [408,409]. Three years later, on June 26, 2008, Hyper-V reached RTM and was delivered as a Windows Server 2008 feature through Windows Update [412].
Sidebar. Microsoft ships two hypervisor binaries: hvix64.exe for Intel hosts (using VT-x) and hvax64.exe for AMD hosts (using AMD-V). The instruction-set-architecture divergence is real (Intel uses vmcall to enter the hypervisor; AMD uses vmmcall) but the hypercall ABI surface above that single instruction is identical, so the rest of the Microsoft hypervisor codebase is shared between the two binaries.
The 2008 design choices are worth naming individually because the ones that mattered for server consolidation turned out, twelve years later, to also be the ones that mattered for security. Three deserve flagging:
- Micro-kernelized architecture. The hypervisor binary contains only the minimum machinery needed to virtualize the CPU, schedule VMs, and enforce memory isolation. It does not contain device drivers. It does not contain a network stack. It does not contain a filesystem.
- Root partition plus child partitions. From the Microsoft architecture documentation: "The Microsoft hypervisor must have at least one parent, or root, partition, running Windows. The virtualization management stack runs in the parent partition and has direct access to hardware devices. The root partition then creates the child partitions which host the guest operating systems" [406]. The root partition is a full Windows install; the child partitions are guest VMs.
- VMBus, VSP, and VSC. Inter-partition I/O happens over the VMBus: a paravirtualized message channel. A Virtualization Service Provider (VSP) runs in the root partition and owns the real device; a Virtualization Service Client (VSC) runs in each child partition and talks to the VSP over VMBus. Device emulation lives in the root partition's user-mode and kernel-mode code, not in the hypervisor binary itself. This is the choice that, twelve years later, kept the hypervisor's Trusted Computing Base small enough to be defensible.
Walkthrough: the 2008 Hyper-V stack. Start at the bottom with hardware: cores, DRAM, interrupt controllers, DMA-capable devices, and the IOMMU. The Microsoft hypervisor is the first Windows-controlled layer above that hardware. It schedules virtual processors, owns the second-level page tables, routes interrupts, and exposes hypercalls; it does not contain a NIC driver, a disk parser, or a graphics stack. Above it sits the root partition, a full Windows instance with real device drivers, Virtualization Service Providers, VM worker processes, and privileged management services. Child partitions sit beside one another above the same hypervisor. A child network packet therefore crosses four trust domains: guest NDIS and the synthetic NIC VSC; VMBus and SynIC signaling; the root-partition network VSP and vmswitch.sys; then the physical NIC driver. The hypervisor is on the path for scheduling, memory isolation, and notification, but the root partition owns most device-shaped parsing. That division is the design fact behind the later CVE record.
The micro-kernel, root-plus-child, and VMBus choices were defensible server engineering. Their server engineering rationale was that emulating a NIC, or a SCSI controller, or a graphics adapter inside a hypervisor binary would balloon the binary's size, lock its code-review cycles to those of every device the company shipped, and force the same security-critical code that scheduled CPUs to also handle Ethernet frame parsing. Putting device emulation in a normal Windows process inside the root partition (the VM Worker Process vmwp.exe) meant the hypervisor binary could stay small enough to reason about.
The 2008 design goal was, again, server consolidation. Microsoft's positioning materials at the time named "run more VMs per box, get better hardware use" as the customer pitch. Nothing in the 2008 Hyper-V documentation describes the hypervisor as a security primitive for the host OS. The security re-purposing (the moment Hyper-V's hardware-privilege isolation became the way Windows itself protected its own kernel from itself) did not arrive until 2015. To understand why it arrived at all, we have to back up thirty-four years to a 1974 paper that defined what virtualization formally requires.
The theoretical anchor: Popek, Goldberg, and SLAT
Before Microsoft could build a hypervisor that ran security-critical code at a higher privilege than the Windows kernel, two unrelated decisions had to land. One was made in 1974, by two researchers who would never see Windows. The other was made in 2005, by Intel.
In July 1974, Gerald Popek of UCLA and Robert Goldberg of Harvard published "Formal Requirements for Virtualizable Third Generation Architectures" in Communications of the ACM. The paper laid down three properties any "true" virtual machine monitor must satisfy:
- Equivalence. Programs run on the VMM exhibit behavior essentially identical to behavior on the bare machine, except for differences due to timing and resource availability.
- Resource control. The VMM, not the guest, controls the system resources: CPU time slices, memory, devices.
- Efficiency. A statistically dominant subset of the instruction stream executes directly on hardware, without VMM intervention.
The theorem that gave the paper its lasting reputation followed from those properties. Let a sensitive instruction be one that either reads or modifies privileged state (the processor's mode bits, page-table base register, interrupt mask). Let a privileged instruction be one that traps when executed in user mode. Then a sufficient condition for an ISA to be virtualizable is that every sensitive instruction is privileged. The intuition is simple: the VMM must get a chance to see (and to handle) every guest action that touches the machine's privileged state. If the CPU silently lets the guest do something privileged-feeling without trapping, the VMM cannot maintain equivalence and control simultaneously.
Definition: Popek-Goldberg virtualizability. A property of a processor architecture: every sensitive instruction in the instruction set is privileged. An architecture with this property can be virtualized "classically": with a thin trap-and-emulate hypervisor whose only entry points are the traps the CPU raises on privileged-instruction violations. An architecture without this property requires software workarounds (binary translation, paravirtualization) or hardware extensions (VT-x, AMD-V) before a Popek-Goldberg-style VMM can be built.
For three decades, x86 was famously not virtualizable in the Popek-Goldberg sense. John Robin and Cynthia Irvine enumerated the problem in their 2000 USENIX Security paper: seventeen protected-mode instructions on the IA-32 architecture either read or modified privileged state without trapping from user mode [411].
Sidebar. The Robin and Irvine enumeration includes instructions like SGDT (store global descriptor table register), SIDT (store interrupt descriptor table register), SLDT (store local descriptor table register), SMSW (store machine status word), and PUSHF/POPF (push/pop flags including IOPL). Each of these silently returned or accepted privileged state when executed from a deprivileged ring without raising a fault, and critically not only from Ring 3 user mode but from a guest kernel running at Ring 1 under a classical software VMM. The aggregate effect was that no classical Popek-Goldberg VMM could correctly virtualize an unmodified x86 guest: every one of those seventeen instructions was a hole the VMM could not see through.
VMware Workstation, released in 1999 by VMware Inc. (which had been founded the year prior by Mendel Rosenblum, Diane Greene, Scott Devine, Edward Wang, and Edouard Bugnion), worked around the problem with binary translation: it dynamically rewrote each protected-mode guest instruction stream to substitute or trap the seventeen offenders. The technique imposed double-digit overhead, made debugging miserable, and was a security liability in its own right: the binary translator itself was a parser of arbitrary attacker-controlled code.
Intel and AMD ended the problem in hardware. Intel VT-x and AMD-V added a new CPU mode (VMX root operation for Intel, SVM host mode for AMD) and a new instruction-emulation mechanism [408,409]. A VM exit could be configured to fire on every sensitive instruction the hypervisor wished to intercept, transferring control to the host with a structured exit reason and an opaque, host-controlled snapshot of guest state. After 2006, x86-64 became Popek-Goldberg-virtualizable in hardware [411,408,409].
Walkthrough: one sensitive instruction. A guest kernel writes a new value to CR3, intending to switch address spaces. On bare metal that would immediately change the active page-table root. Under VT-x, the guest is in VMX non-root operation and the VMCS control fields say whether MOV CR3 exits. The CPU saves guest state into the VMCS, records an exit reason and qualification, switches to VMX root operation, and enters the hypervisor's VM-exit handler. The hypervisor validates the requested guest page-table base, updates the guest-visible CR3 shadow or the nested-translation state it maintains for that virtual processor, flushes or tags translation caches as required, and resumes the guest with VM-entry. The guest observes ordinary x86 semantics; the hypervisor preserved resource control by seeing the sensitive transition before it took architectural effect.
One architectural element more was needed before any of this could be a security primitive rather than just a virtualization primitive. Classical x86 paging maps a guest virtual address to a physical address through a single CPU-walked page table. In a virtualized system that single table cannot be enough, because the guest needs its own virtual-to-physical map and the host needs to remap the guest's "physical" address to a real machine-physical address. The first generations of VT-x simulated this two-level mapping in software through shadow page tables, which the hypervisor had to maintain alongside the guest's tables on every page-table edit. Shadow paging was correct but slow, and it gave the hypervisor no clean way to enforce a different memory map for different parts of the same guest.
Second-Level Address Translation (SLAT): Intel's Extended Page Tables (EPT, shipped with Nehalem in November 2008) and AMD's Nested Page Tables (NPT, shipped with the Barcelona-generation Opteron on September 10, 2007): solved both problems in hardware. The guest walks its own page table from virtual to "guest physical"; the CPU then walks a second, hypervisor-owned page table from "guest physical" to "system physical." Two key properties follow. First, the hypervisor has exclusive control of the second-level mapping; the guest cannot read, write, or even know that it exists. Second, because the second-level mapping is per-partition, the hypervisor can give two partitions different views of the same machine physical memory: the same page can be readable in one partition and entirely absent in another.
Definition: Second-Level Address Translation (SLAT). A hardware feature on Intel (EPT) and AMD (NPT) CPUs that lets the hypervisor maintain a second page table mapping guest-physical addresses to system-physical addresses. The CPU walks the guest's own page table for the virtual-to-guest-physical mapping, then walks the hypervisor's table for the guest-physical-to-system-physical mapping. Because the second table is hypervisor-controlled and per-partition, the hypervisor can give different partitions (and, in VBS, different Virtual Trust Levels inside the same partition) different views of physical memory. SLAT is the bedrock of VTL memory protection [407].
Hyper-V required VT-x or AMD-V at install time from day one. Client Hyper-V has required SLAT since Windows 8; SLAT became a general Hyper-V requirement with Windows Server 2016 and Windows 10 1607 [406].
Popek and Goldberg gave us the property. Intel and AMD gave us the hardware. Microsoft used both to build a server hypervisor in 2008. But for the first seven years of Hyper-V's life, none of that machinery protected Windows from itself. Microsoft hadn't yet noticed the architectural problem that made it necessary, or rather, they had noticed the problem (PatchGuard's bypass record was public) and had not yet conceded that the problem was structural. The concession came in 2015. What forced it was the same-privilege paradox.
The same-privilege paradox. why PatchGuard was never enough
PatchGuard, which Microsoft shipped in 2005 with Windows Server 2003 SP1 x64, ran inside ntoskrnl.exe at Ring 0 and scanned a curated list of kernel structures (the system service dispatch table, the interrupt descriptor table, the kernel image's .text section) at randomized intervals to detect tampering. It was bypassed within months by skape and Skywing's Uninformed writeups [367]. Microsoft kept shipping it. Researchers kept bypassing it. The pattern lasted a decade. The reason is not that PatchGuard's authors were sloppy. The reason is structural, and naming it correctly is the first of the three insights this chapter is built around.
Key idea. Any defense reachable by mov from Ring 0 is defeasible by mov from Ring 0.
The intuition is simple. PatchGuard is a piece of code. It lives in the kernel's virtual address space at some page. It owns a timer that re-runs it periodically. It maintains a randomization seed for which structures it checks next. It has a callback path into KeBugCheckEx if it detects tampering. Every one of those four assets (the code page, the timer callback, the randomization seed, the bug-check path) is a kernel data structure or a kernel virtual address. An attacker with Ring-0 code execution can locate each of them by searching the same kernel address space PatchGuard searches. They can patch the callback so the timer no-ops. They can patch the seed so the randomization is predictable. They can patch the bug-check path so it reports success. They can do all of this with a sequence of plain mov instructions. PatchGuard cannot defend against this, because PatchGuard's defenses live in the same place its attacker's writes do.
PatchGuard and its attacker are colleagues, not adversaries. They share an office. The office is
ntoskrnl.exe's virtual address space, and there is no key on the door.
This is the same-privilege paradox. It is not an implementation bug. It does not yield to better obfuscation, more randomization, or harder-to-find timers. It is an architectural ceiling. A defense at privilege level cannot be enforced against an attacker who also runs at privilege level , because the defender's state lives in the attacker's address space. The defender can be made expensive to find; it cannot be made impossible to find, because the attacker has the same instructions, the same address-space view, and the same MMU privileges as the defender.
A ceiling, not a bug. The same-privilege paradox is a property of where the defense lives, not of how clever the defense is. PatchGuard's authors did add randomization. They did add multiple decoy callbacks. They did add cryptographically derived integrity checks. None of those reductions changes the basic fact that the attacker, holding the same Ring-0 privilege, can locate and edit each of them. The architectural fix is not better PatchGuard. The architectural fix is moving the defender to a privilege level the attacker cannot reach.
Once the paradox is named, the defender's choice is binary. Either give up on having a defense at all (treat Ring 0 as a free-fire zone where any malware that gets there has won) or move the defender to a privilege level above Ring 0, at a hardware boundary the attacker's mov instructions cannot cross. Microsoft picked the second. It is the only architecturally honest choice.
To make it work, Microsoft needed three things. The first was a production hypervisor already shipping, serviced, and familiar to Windows engineering. Microsoft had that in Windows Server since 2008, and later made it broadly available enough on client-capable hardware to become a Windows security substrate. The second was a way to put a piece of Windows itself (code, data, secrets) inside the hypervisor's protection without spawning a separate VM, because spawning a separate VM doubles the system's resource cost and forces every Windows process to choose between living on the normal side or the secure side. That required an architectural idea that did not yet exist in 2010: a way to split a single partition into two privilege levels, each with its own SLAT mapping and its own register state. The third was a way to ensure the hypervisor itself could not be silently replaced or rolled back beneath the OS. That required a hardware-rooted measurement (a DRTM event) that the OS could attest to.
The architectural idea (splitting one partition into hierarchical Virtual Trust Levels) is the subject of the VSM/VTL section ahead. The DRTM measurement returns when System Guard Secure Launch enters the composition table, and again at the firmware residual. Both of them required a decade-long conversation about whether the hypervisor itself could be trusted at all: a conversation that ran in parallel during the same years and that briefly seemed to argue the opposite case. We turn to that conversation next.
The hyperjacking era: SubVirt, Blue Pill, and CloudBurst
While Microsoft was finishing Hyper-V, the security community was establishing that a hypervisor was not just a defense. It was also the most powerful possible attacker against the OS sitting above it. Three demonstrations in three years made the point unmistakable.
SubVirt. In May 2006, Samuel King and Peter Chen at the University of Michigan, joined by Yi-Min Wang, Chad Verbowski, Helen Wang, and Jacob Lorch at Microsoft Research, presented "SubVirt: Implementing Malware with Virtual Machines" at IEEE S&P [413]. Their construction was a Virtual Machine Based Rootkit (VMBR). A privileged installer running inside a legitimate OS installed a malicious VMM at boot time; on the next reboot, the malicious VMM ran first, brought up the original OS as a guest underneath it, and gained the privileged position of seeing every CPU instruction, every memory access, and every I/O the OS performed. The original OS had no architectural way to tell it was no longer the most-privileged software on the box. SubVirt was demonstrated against Windows XP (using Microsoft Virtual PC as the malicious VMM substrate) and against Linux (using VMware Workstation), specifically to show that the technique was not tied to any one operating system or any one hypervisor product.
Blue Pill. Three months later, at Black Hat USA 2006, Joanna Rutkowska of COSEINC demonstrated "Subverting Vista Kernel for Fun and Profit" [414]. Her tool, codenamed Blue Pill, took a step beyond SubVirt by doing the VMM insertion at runtime rather than at boot. The technique: a Ring-0 driver, running inside an already-booted Windows install on an AMD-V capable host, executed VMRUN against an attacker-controlled Virtual Machine Control Block (VMCB) whose initial state matched the current physical CPU. The CPU dropped out of SVM host mode and re-entered as a guest under the attacker's VMM. The OS continued running normally, with no boot-loader modification and no reboot.
By 2007, Rutkowska and Alexander Tereshkin returned to Black Hat USA with the more polished "IsGameOver(,) Anyone?" presentation, refining the technique and addressing the early critics' detection ideas [414].
Sidebar. Rutkowska's marketing claim that Blue Pill was "100% undetectable" attracted a public counter-effort: in 2007, Edgar Barbosa, Nate Lawson, Peter Ferrie, and Tom Ptacek all proposed detection techniques relying on side channels (timing artifacts of trapped instructions, TSC skew, structural differences in how RDTSC behaves under VT-x). The claim softened in subsequent publications, but the underlying point survived: a hostile thin hypervisor below a victim OS can be made arbitrarily difficult to detect from inside that OS, and the only architecturally clean way to know what you are running under is to measure the boot chain before the OS starts.
CloudBurst. At Black Hat USA 2009, Kostya Kortchinsky of Immunity Inc. presented CLOUDBURST. It was the first publicly demonstrated arbitrary-code-execution guest-to-host escape against a commercial hypervisor: a heap overflow in VMware's emulated SVGA-II graphics adapter, tracked as CVE-2009-1244 [415]. A guest VM, executing entirely inside a VMware-managed user-mode process on the host, could overflow a buffer in that process and gain host code execution. CloudBurst's lasting operational lesson was not the specific bug but the attack surface: device emulation (not the trap-and-emulate core of the hypervisor) is often the largest piece of guest-attacker-controlled code in a commercial VMM. In the Hyper-V public cases reviewed in this chapter, the serviced guest-to-host failures land either in that device-emulation/root-partition surface or in the hypercall input-validation surface that mediates the same kind of structured guest-controlled input.
Walkthrough. The hyperjacking move. Before the attack, the operating system owns what it thinks are machine page tables, interrupt routing, and privileged CPU state. The hostile VMM's goal is not to replace the OS but to slide underneath it. At boot-time, that means arranging for malicious monitor code to run before the OS and then launching the OS as a guest. At runtime, the Blue Pill-style move is more dramatic: enable hardware virtualization, create a virtual-machine control block for the already-running OS, copy enough CPU state into that control block that the OS can continue, and resume it in non-root/guest mode. From that point on, every privileged instruction, interrupt, and second-level translation can be mediated by the hostile monitor. The lesson for Windows is symmetrical: if a malicious VMM below the OS is terrifying, a measured, vendor-serviced VMM below the OS can be a security primitive.
The three demonstrations established a difficult dual truth. The hypervisor is the most powerful defender against an OS-level attacker, and it is the most powerful attacker against an OS-level defender. The same primitive can play either role; which role it plays in any given system depends only on whose hypervisor it is and whether the OS above it can prove that. SubVirt-style attacks did not require Microsoft to invent anything new (they only had to be a possibility) to force Microsoft into a design constraint: any "hypervisor as security primitive" architecture has to start by being the only hypervisor on the box, with a measurement of the hypervisor binary recorded in a TPM platform configuration register (Chapter 2, The TPM) so that any malicious VMBR underneath could be detected at attestation time. This is the role that System Guard Secure Launch (DRTM) plays in the architecture; we return to it when the composition table reaches Secure Launch.
The same primitive, two roles. Blue Pill (offense) and VBS (defense) are architecturally identical. Each is a thin Type-1 hypervisor that interposes between firmware and OS. Each owns the CPU's virtualization mode, the second-level page tables, and the IOMMU. Each is invisible to the OS unless the OS can prove what is underneath it. The only differences between them are whose hypervisor it is, whether it was measured at load time, and what it does with its privilege. The defense is the offense, run by the right people, in the right order, and attested to.
By 2010 the security community had agreed: the hypervisor is the most powerful primitive in the system, and whoever owns the SLAT page tables owns the box. Joanna Rutkowska's Invisible Things Lab launched Qubes OS, an explicitly hypervisor-rooted security OS, on April 7, 2010 [416]. Microsoft owned the SLAT page tables. They had a production Windows hypervisor. They had a server-consolidation product. What they did not yet have was a reason to re-purpose any of it for security. The reason was already being filed at the United States Patent and Trademark Office. The priority date was September 17, 2013.
The pivot: VSM, VTLs, and the Hepkin-Kishan patent
On September 17, 2013, David Hepkin and Arun Kishan filed provisional application 61/879,072, later prosecuted as United States patent application 14/186,415, which would issue on August 30, 2016 as US Patent 9,430,642 B2 [410]. The patent's title, "Providing virtual secure mode with different virtual trust levels," reads like marketing now because the words it introduced ("Virtual Trust Level," "VTL," "Virtual Secure Mode") became Microsoft's own canonical terminology. In 2013 the words did not exist. The patent describes, in 2013, exactly what Microsoft shipped twenty-two months later in Windows 10 build 10240 [322].
The patent's claim language is unusually specific. It teaches a virtual-machine manager that makes "multiple different virtual trust levels available to virtual processors of a virtual machine"; it teaches that "different memory access protections (such as the ability to read, write, and/or execute memory) can be associated with different portions of memory (e.g., memory pages) for each virtual trust level"; and it teaches that "the virtual trust levels are organized as a hierarchy with a higher level virtual trust level being more privileged than a lower virtual trust level." Each of those phrases is now a feature of the shipping Microsoft hypervisor.
Definition: Virtual Trust Level (VTL). A hypervisor-managed privilege level inside a single partition. Each VTL has its own SLAT mapping (so the same machine page can be readable in one VTL and absent in another), its own virtual-processor register state (so a VTL transition is a context switch, not a procedure call), and its own interrupt subsystem (so interrupts targeted at one VTL do not preempt code running in another). VTLs are hierarchical: a higher VTL can read all of a lower VTL's memory, but not vice versa. The shipping Microsoft hypervisor implements two VTLs (VTL0 = Normal world, VTL1 = Secure world); the architecture admits up to sixteen [322].
Windows 10 availability on July 29, 2015, and Windows Server 2016, brought VBS onto the existing Hyper-V hypervisor line [417,322]. The architectural innovation (the thing the patent was for) was that VTL0 (Normal world, containing the NT kernel, user mode, and LSASS) and VTL1 (Secure world, containing the Secure Kernel and Isolated User Mode trustlets) ran inside the same partition rather than in two separate partitions. VBS is not a second VM. It is a per-VTL SLAT split inside the root partition, plus a per-VTL register-state snapshot, plus a per-VTL interrupt delivery surface. The hypervisor switches SLAT contexts on VTL transitions, exactly as it would switch SLAT contexts on a partition switch, but the switch happens inside a single partition's address space, so there is no extra VM scheduling and no extra OS image to manage.
Walkthrough. One secure call. Inside the root partition, VTL0 contains the NT kernel, drivers, lsass.exe, and ordinary applications. VTL1 contains securekernel.exe and Isolated User Mode trustlets such as LSAISO.EXE and VMSP/vTPM components. When VTL0 needs a protected service, it writes a request into a shared parameter page whose layout the Secure Kernel expects, signals the VTL-transition path through SynIC/hypercall machinery, and yields. The hypervisor saves the VTL0 register set, switches to the VTL1 SLAT view, delivers the notification, and lets the Secure Kernel dispatch the service. The trustlet reads only the shared parameters and its own VTL1-private state. On return, the hypervisor restores the VTL0 view. The important fact is not the message format; it is that the caller never receives a mapping of VTL1 private memory.
The Hyper-V Top-Level Functional Specification, chapter 15, names the architectural facts verbatim. "VSM achieves and maintains isolation through Virtual Trust Levels (VTLs). VTLs are enabled and managed on both a per-partition and per-virtual processor basis." "Virtual Trust Levels are hierarchical, with higher levels being more privileged than lower levels." "Architecturally, up to 16 levels of VTLs are supported; however a hypervisor may choose to implement fewer than 16 VTL's. Currently, only two VTLs are implemented." The C-level definition #define HV_NUM_VTLS 2 is published in the same specification [322]. Two VTLs are what ships; the architecture has room for more.
VSM enables operating system software in the root and guest partitions to create isolated regions of memory for storage and processing of system security assets. Access to these isolated regions is controlled and granted solely through the hypervisor, which is a highly privileged, highly trusted part of the system's Trusted Compute Base (TCB).: Microsoft, Hyper-V Top-Level Functional Specification, chapter 15 [322]
This is the second insight the chapter is built around: VBS is not a re-architecture. It is a re-purposing. The hypervisor already existed as a mature Windows codebase for unrelated reasons. The 2015 pivot did not require new hardware, new VMs, or new CPUs. It required a new way to organize what was already there (two SLAT mappings instead of one, two register snapshots instead of one, a secure-call ABI on top of the SynIC) and a Windows-side Secure Kernel binary to run inside the new VTL1 view. The patent gave the design its formal expression; the engineering had been waiting since 2008 for the right architectural insight.
Sidebar. David Hepkin spent over a decade on the NT kernel architecture team before the VSM design; Arun Kishan was an NT kernel architect and is now Microsoft's Corporate Vice President for the Operating Systems Platform group. Neither is a virtualization specialist by background. Their patent is, in retrospect, a kernel-team idea about how to put a piece of the kernel itself behind a hardware boundary the kernel cannot cross: exactly the kind of design that an architect who had lived inside ntoskrnl.exe for years would invent.
Alex Ionescu's Black Hat USA 2015 deck "Battle of SKM and IUM: How Windows 10 Rewrites OS Architecture" reverse-engineered the entire VSM stack within four weeks of Windows 10 RTM [277]. The vocabulary Ionescu introduced has become the canonical research language for talking about VBS: VTL as "synthetic ring level managed by the hypervisor"; trustlets for the user-mode processes that run inside VTL1's Isolated User Mode; Signature Level 12 plus the IUM EKU 1.3.6.1.4.1.311.10.3.37 as the loader's signing requirement. Microsoft's own developer documentation now uses the same terms [310].
The pivot, then, was not a sudden re-architecture. It was the cash-out of a deliberate multi-year engineering plan that began at least twenty-two months before Windows 10 RTM. To see what VBS actually enforces (and which hypervisor primitive backs each piece of that enforcement), we need to walk the hypervisor's public surface. There are five surfaces. They are the architectural body of the chapter.
The five primitives: The hypervisor's public surface
What does the Windows hypervisor actually look like as a piece of software? It is a small kernel, on the order of one to two hundred thousand lines of C and C++ by community estimate; Microsoft has not published a primary line count. It has five externally visible surfaces, all of which are documented in the Hyper-V Top-Level Functional Specification (TLFS) v6.0b [407]. We walk them in turn.
Primitive one: Partitions, VMBus, and the VSP/VSC pair
A partition is the hypervisor's unit of isolation. From the Microsoft architecture page: "The Microsoft hypervisor must have at least one parent, or root, partition, running Windows. The virtualization management stack runs in the parent partition and has direct access to hardware devices. The root partition then creates the child partitions which host the guest operating systems" [406]. The root partition is a full Windows install with privileged hypercalls and direct access to hardware; each child partition is a guest VM with only the hardware the root has chosen to expose.
A guest VM does I/O over the VMBus. A network packet, for example, travels from the guest application down to the guest's Windows NDIS stack; through the synthetic NIC miniport driver (the VSC) in the guest's kernel; over the VMBus message channel; into the network VSP in the root partition; into the root's real NDIS stack; into the physical NIC driver; out the wire. The hypervisor's role in this chain is structural: it owns the VMBus message channel, the SynIC interrupts that notify the VSP and VSC of new traffic, and the per-partition SLAT mappings that decide which bytes either side can read.
The architectural implication is that device emulation lives in the root partition, not in the hypervisor binary. The TCB the hypervisor binary itself has to protect is narrow. The TCB the root partition's drivers have to protect is much wider, but those drivers live in normal Windows kernel mode, where Microsoft has thirty years of tooling. That design explains why so many public Hyper-V boundary bugs are in vmswitch.sys, storage/integration VSPs, or other root-partition components, while true hvix64.exe / hvax64.exe bugs are rarer and more interesting.
Why the hypervisor TCB is small. Putting device emulation in the root partition means the hypervisor binary does not need to parse Ethernet frames, SCSI commands, USB descriptors, or graphics-adapter command rings. The trade-off is that the root partition becomes part of the TCB (a root-partition kernel-mode bug is a hypervisor-equivalent break) but the small hypervisor binary itself can be reviewed, fuzzed, and reasoned about as a single piece of code.
Primitive two: The hypercall ABI
Hypercalls are how partitions request services from the hypervisor. The TLFS documents two flavors. A fast hypercall passes its parameters inline in CPU registers: on x64, rcx carries a 64-bit hypercall input value (the low 16 bits are the call code; the upper 48 bits are a control word with fields for the Fast flag, variable-header size, Rep Count, and Rep Start Index), rdx carries the first input parameter, and r8 carries the second. A slow hypercall instead passes the GPA (guest physical address) of an input-parameter page in rdx, and the GPA of an output-parameter page in r8; the actual parameter content lives in those pages. The instruction that triggers the hypercall is vmcall on Intel and vmmcall on AMD; the hypervisor maps both onto the same internal entry point [407].
Definition: Hypercall. A guest-to-hypervisor call. The guest issues vmcall (Intel) or vmmcall (AMD); the CPU traps via VM-EXIT into the hypervisor in VMX root mode; the hypervisor reads the call code from rcx, reads the inputs from registers (fast) or from a GPA-pointed page (slow), services the request, writes outputs back, and returns via VM-ENTRY. Hypercalls are the only legitimate way for a partition to invoke hypervisor services [407].
The call-code space is small and well-documented: a few hundred codes, each one a structured request with typed inputs and outputs. The hypercall path is also where the most consequential 2024 Hyper-V CVE lived. CVE-2024-21407 was a use-after-free in hvix64.exe's handling of a specific hypercall, the rare case where the bug was in the hypervisor binary itself rather than in a root-partition driver [418].
Primitive three, intercepts
Intercepts are how the hypervisor virtualizes guest behavior. The TLFS distinguishes four categories: instruction intercepts (CPUID, MSR reads/writes, I/O-port instructions), exception intercepts (page faults, general protection faults), memory-access intercepts (a guest tries to read or write a specific guest-physical-address region), and partition-state intercepts (a guest hits a state that the hypervisor wants to be notified about). Each is configured per-partition through the Intel VMCS execution-control bits or the AMD VMCB control fields [407].
Definition: Intercept. A configurable hypervisor notification on a specific guest event. The hypervisor programs the VMCS or VMCB to fire a VM-EXIT when the guest issues a particular instruction, raises a particular exception, accesses a particular memory region, or transitions to a particular state. Intercepts are the policy mechanism that lets the hypervisor implement device emulation, security checks, and VTL transitions [407].
For VBS, the load-bearing intercept is the memory-access intercept. When VTL0 code tries to access a region whose VTL0 SLAT mapping is unreadable or unwritable, the access traps to the hypervisor with the offending GPA; the hypervisor can deliver the intercept to the VTL1 Secure Kernel as a secure call, letting VTL1 see what VTL0 was trying to do and decide whether to allow it. This is how HVCI's W^X enforcement is wired: a VTL0 page that is marked writable in VTL0's SLAT is marked non-executable in the same SLAT; an attempt to switch the same page to executable becomes a memory-access intercept that VTL1 must approve.
Primitive four: The synthetic interrupt controller (SynIC)
The Synthetic Interrupt Controller, SynIC, is the hypervisor's per-virtual-processor event delivery surface. Each VP has 16 Synthetic Interrupt Source (SINT) lines, a message page (where the hypervisor places message-shaped events), an event-flag page (where it places bit-flag events), and a set of synthetic timers. SynIC is the signaling surface VMBus uses to notify endpoints; the VMBus payload itself moves through shared-memory ring buffers. SynIC also delivers VTL transitions between VTL0 and VTL1 inside the root partition [407].
Definition: Synthetic Interrupt Controller (SynIC). A hypervisor-emulated interrupt controller, parallel to the hardware APIC, that delivers hypervisor-originated events to a virtual processor. Each VP has 16 SINT lines, a message page, an event-flag page, and synthetic timers. VMBus signaling rides on SynIC; secure-call delivery between VTL0 and VTL1 rides on SynIC; vTPM, virtual-PCI, and other paravirtualized device events ride on SynIC [407].
For VBS, the secure-call ABI (the way VTL0 code asks VTL1 to do something) is built on SynIC. A VTL0 caller writes a request into a shared message page, signals a SINT, and yields the CPU; the hypervisor switches SLAT context to VTL1, delivers the message, and lets VTL1 read the request. When VTL1 finishes, it signals a SINT back to VTL0 and the hypervisor switches contexts again. Credential Guard's whole communication path between VTL0 LSASS and VTL1 LSAISO is one of these secure-call channels.
Primitive five: Memory and per-VTL SLAT
The last surface is also the most important: memory. Guest physical addresses (GPAs) are translated to system physical addresses (SPAs) by per-partition SLAT page tables. The hypervisor has exclusive control of these tables; no partition, including the root, can read or modify them directly. For VBS specifically, the hypervisor maintains two SLAT mappings per partition (one for VTL0 and one for VTL1) and switches between them on VTL transitions.
Walkthrough: one byte at a VTL boundary. Suppose a VTL1 trustlet stores a secret at guest-physical page G. VTL1's ordinary page tables can translate a virtual address to G, and the VTL1 SLAT maps G to a system-physical page with read permission. VTL0 may be able to guess G; it may even manufacture a VTL0 PTE that points at that guest-physical frame. The first page walk, controlled by the NT kernel, can therefore succeed. The second page walk is the one that matters. While VTL0 is active, the hypervisor selects the VTL0 SLAT tree, and that tree either omits G or marks it inaccessible. The CPU raises an EPT/NPT violation before retiring the load. When VTL1 is active, the hypervisor selects the VTL1 SLAT tree, where G is present. Same guest-physical address, different second translation, different authority.
This is the architectural reason VTL0 kernel mode, even with full Ring-0 code execution, cannot read or execute VTL1 memory. The VTL0 page-table walker on a load from a VTL1-only page does not see the page at all; the SLAT walker on the host returns no mapping; the hardware MMU raises an EPT/NPT violation; the hypervisor handles the violation according to the VTL0 partition's intercept policy. In the security-relevant case, the hypervisor delivers an access-denied result to VTL0 and continues. There is no kernel-mode mov instruction sequence that can defeat this, because the gating happens in hardware page-table walks that VTL0 kernel mode cannot influence.
Five surfaces. In the public record reviewed for this chapter, the exploitable Hyper-V boundary breaks since 2018 concentrate on two input-heavy surfaces: the hypercall ABI and device-emulation paths exposed through VMBus/root-partition services. The other three primitives (intercepts, SynIC, and per-VTL SLAT) remain the substrate on which VBS, HVCI, Credential Guard, and System Guard Secure Launch are built. That is a narrower and better-supported claim than "the primitives cannot fail": the primitives are code too, but the published failures cluster where untrusted structured input is parsed. We turn to those compositions next.
How Windows composes the five primitives
The hypervisor itself does not know anything about credentials, code signing, application allowlisting, or DMA protection. It knows about partitions, VTLs, intercepts, SLAT entries, and hypercalls. Each Windows security feature is built by composing those primitives in a specific way. The mapping is precise and worth walking, because it is what makes the substrate a security primitive rather than just a virtualization product [188].
HVCI / Memory Integrity. Hypervisor-Enforced Code Integrity, the subject of the Code Integrity chapter (Chapter 8), is the most consequential VBS feature on a per-byte basis: it changes Windows from a system that lets the kernel execute any signed driver to one where the kernel cannot execute any page until VTL1 has approved it. VTL1's code-integrity service inspects every kernel-mode page mapping change request before the SLAT entry that would make the page executable in VTL0 is granted. The W^X invariant (a single page can be writable or executable, but never both) is enforced not by NT kernel cooperation but by the per-VTL SLAT, exactly as the Memory and per-VTL SLAT primitive set out earlier. An NT-kernel attempt to mark a writable page executable becomes a memory-access intercept that VTL1's CI service evaluates [279]. The hypervisor primitives composed: per-VTL SLAT + memory-access intercepts + secure-call ABI.
Definition: Trustlet. A Microsoft-signed user-mode process that runs inside VTL1's Isolated User Mode (IUM). The VBS Trustlets chapter (Chapter 7) owns the trustlet model: the dual-EKU loader gate and the inbox roster (LSAISO.EXE, VMSP.EXE, the vTPM provisioning trustlet). What matters here is narrower: the hypervisor's per-VTL SLAT is what hides a trustlet's pages from VTL0 [310,277].
Credential Guard. LSAISO.EXE (the LSA-Isolated trustlet) runs in VTL1 Isolated User Mode. Selected long-term secrets and derivation operations that LSASS used to expose in normal VTL0 memory are moved behind LSAISO in VTL1 memory that VTL0 cannot read. VTL0 LSASS still brokers authentication and can hold non-protected runtime material depending on protocol and configuration; it performs protected credential operations by sending a request to LSAISO over a secure-call channel mediated by the hypervisor's SynIC. LSAISO does the protected work and returns a result without mapping its private secret state into VTL0. This is why a Ring-0 attacker on a properly configured Credential Guard-enabled Windows install cannot simply dump the protected LSASS secrets from lsass.exe: the long-term material is not there in VTL0 [310,87]. The hypervisor primitives composed: per-VTL SLAT (to hide LSAISO's memory) + SynIC (to deliver secure calls) + intercepts (to catch VTL0 attempts to access LSAISO memory). See the Credential Guard chapter (Chapter 15) for the VTL1 internals.
Definition. Secure Call. The VTL0-to-VTL1 calling convention. A VTL0 caller fills in a shared parameter page, signals a SynIC interrupt configured for VTL transition, and yields. The hypervisor switches SLAT context to VTL1, delivers the message, and lets the Secure Kernel dispatch it via IumInvokeSecureService to a registered VTL1 service. On return, the hypervisor switches contexts back. The whole round-trip is mediated by hypervisor primitives the calling VTL cannot bypass [277].
Application Control (App Control for Business / WDAC). WDAC, the subject of the App Control chapter (Chapter 13), is a code-integrity policy system, not a magic VTL1 database. Policy files are deployed through documented Windows management channels and, depending on configuration, can be signed, locked, or enforced by UEFI/Secure Boot policy. The VBS-relevant part is narrower: when Memory Integrity / HVCI is enabled, kernel-mode code-integrity decisions and executable page transitions are protected by the VTL1 code-integrity path. User-mode WDAC enforcement still involves ordinary Windows loader and Code Integrity components; the hypervisor-backed value is that a compromised VTL0 kernel cannot simply patch the VTL1 CI decision path or mark arbitrary kernel pages executable behind its back [279]. The hypervisor primitives composed: per-VTL SLAT for the CI engine's protected state, memory-access intercepts for executable mappings, and secure calls for policy decisions that must cross into the protected CI service.
VBS Enclaves. VBS enclaves are best understood as a documented application-facing use of the same isolation substrate, exposed through Windows enclave APIs rather than by letting arbitrary applications issue raw hypercalls. The application creates and loads enclave pages through the normal Windows API surface; the kernel and Secure Kernel arrange the protected VTL1 execution context; calls into the enclave cross a controlled transition boundary. The security property is memory isolation from VTL0, not that the application has become a hypervisor peer. The hypervisor primitives composed: per-VTL SLAT to hide enclave pages from VTL0, SynIC/secure-call machinery for transitions, and Secure Kernel policy for creation, measurement, invocation, and teardown.
System Guard Secure Launch (DRTM). Intel TXT's SENTER instruction (and AMD's SKINIT on AMD platforms) executes a hardware-rooted dynamic measurement of the hypervisor and the Secure Kernel into TPM PCRs 17-22 after firmware initialization [104]. This re-establishes the trust root post-firmware: a pre-boot firmware compromise that survived UEFI Secure Boot cannot silently poison the hypervisor's launch state without showing up as an unexpected measurement in a PCR that VTL1 can read. The hypervisor primitives composed: DRTM event registration with the hardware + TPM PCR extension + a VTL1-side attestation API. See the Secure Boot chapter (Chapter 1) for the static-RTM half of the same story.
Kernel DMA Protection. External devices over Thunderbolt, USB4, or hot-plug PCIe can issue DMA to arbitrary physical addresses, bypassing the CPU's MMU entirely. Kernel DMA Protection is a Windows policy and platform-coordination system: firmware must expose DMA-remapping hardware, the Windows kernel and Plug and Play stack classify external hot-plug devices and authorize driver-created DMA domains, and the Hyper-V/VBS platform participates in keeping the IOMMU state aligned with the protected-memory story [45]. The hypervisor-adjacent primitives composed: IOMMU-backed DMA remapping + Windows driver policy + early boot handoff from firmware.
The shape of the table is the point.
| Feature | Composed primitives | Verbatim hypervisor mechanism |
|---|---|---|
| HVCI | per-VTL SLAT + memory-access intercepts + secure-call ABI | VTL1 vets each VTL0 page-mapping change before granting +X |
| Credential Guard | per-VTL SLAT + SynIC + intercepts | LSAISO trustlet memory absent from VTL0 SLAT mapping |
| WDAC (AppControl) | CI policy + VTL1-protected kernel CI path | VTL0 cannot patch the protected CI decision path or grant arbitrary kernel +X |
| VBS Enclaves | per-VTL SLAT + controlled enclave APIs | Enclave pages execute in a VTL1-protected context hidden from VTL0 |
| System Guard Secure Launch | hardware DRTM (TXT/SKINIT) + TPM PCR extension | SENTER / SKINIT measures hypervisor into PCRs 17-22 |
| Kernel DMA Protection | IOMMU-backed DMA remapping + Windows driver policy + firmware handoff | External-device DMA is denied until authorized remapping domains exist |
What the hypervisor does not know. The hypervisor knows nothing about NTLM hashes, Kerberos tickets, code-signing certificates, WDAC policy XML, or DMA-region authorization. Those policies live in Windows components above it: the Secure Kernel and trustlets for VTL1 secrets, Code Integrity and management policy for WDAC, and the kernel/driver stack for DMA authorization. The hypervisor provides the mechanism (isolated address spaces, controlled transitions, and protected mappings) that lets those policy engines make decisions without being patched by the caller they are judging. This separation lets the hypervisor binary stay small while Windows-side security features keep growing.
The pattern: each feature is a different composition of the same five primitives (partitions, hypercalls, intercepts, SynIC, per-VTL SLAT). The hypervisor is genuinely a primitive in the formal sense. A small set of mechanisms that compose into many security policies. If the hypervisor is the mechanism, the boundary the hypervisor enforces is the contract. Microsoft commits to servicing certain attacks against that boundary and explicitly excludes others. To know what we are getting, we need to read the contract.
The security boundary Microsoft commits to
The Microsoft Security Servicing Criteria for Windows is a public document. It enumerates which classes of attack Microsoft will issue a CVE and service through a security update for, and which it will not. For the hypervisor, the document is unusually specific [301].
The two relevant boundaries:
- Hypervisor / virtualization boundary. An L1-guest-to-host or guest-to-guest break is a serviced boundary. If a guest VM can execute code in the root partition or in another guest's address space, Microsoft will issue a CVE.
- Virtual Secure Mode (VBS) boundary. VTL0 kernel-mode code reading or writing VTL1 memory, or executing VTL1 code, is a serviced break. If a Ring-0 attacker in VTL0 can defeat the per-VTL SLAT, Microsoft will issue a CVE.
What the servicing criteria does not commit to is also worth naming. A same-VTL elevation of privilege inside a guest (a guest user becoming guest SYSTEM) is not a hypervisor break. It is a Windows EoP, serviced under the Windows kernel boundary, not the hypervisor boundary. A denial-of-service of the host from a guest is generally not a serviced hypervisor break unless it produces a memory corruption that an attacker can ride to RCE. An administrator in the root partition reading guest memory is not a break at all: the root partition is part of the hypervisor's TCB by definition, and root-partition admin is hypervisor-admin in the threat model.
The dollar figures for these boundaries are documented in the Microsoft Hyper-V Bounty Program [419]. The program ranges from $5,000 for the lowest-impact qualifying submission up to $250,000 for the highest. The eligibility language is verbatim:
An eligible submission includes a Remote Code Execution (RCE) vulnerability in Microsoft Hyper-V that enables a L1 guest virtual machine to compromise the hypervisor, escape from the guest virtual machine to the host, or escape to another L1 guest virtual machine.: Microsoft Hyper-V Bounty Program [419]
$250,000 is the highest standing Hyper-V bounty figure this chapter found in a vendor-published hypervisor program. That is a deliberately narrow claim: it compares public standing program ceilings, not private bug-market prices, government purchases, or one-off contest prizes. KVM is a community project with no single vendor-paid standing pool of equivalent published size. Xen runs a public HackerOne program but does not advertise a $250,000 guest-to-host ceiling. Broadcom/VMware does not publish a standing ESXi bounty ceiling in the same form; public ESXi payouts often appear through Pwn2Own and similar contests, where ZDI sets the prize for that event.
Sidebar. Treat bounty calibration as weak evidence, not proof. A high ceiling says Microsoft believes guest-to-host RCE is worth buying and patching; it does not prove the boundary is secure. The stronger evidence is the combination of a published servicing criterion, a standing bounty, and a public CVE record that lets outside readers see which classes of bugs actually produce fixes [419,301,420].
The table is a calibration sidebar, not a like-for-like proof: the programs below differ in disclosure rules, funding model, contest-vs-standing payout, and whether their strongest claim is operational servicing or formal proof.
| Vendor | Hypervisor | Published bounty | Ceiling | Servicing-criteria boundary published |
|---|---|---|---|---|
| Microsoft | Hyper-V / hvix64.exe | Yes | $250,000 | Yes, verbatim language |
| Xen Project | Xen | Yes (HackerOne) | Lower, varies | Yes, security policy |
| KVM | KVM (community) | No standing program | : | No vendor-published criteria |
| Broadcom/VMware | ESXi | No standing public bounty | : | Vendor advisories per CVE |
| seL4 Project | seL4 | No (proof-rooted argument) | : | Functional-correctness proof [421] |
The seL4 row is included because seL4 is the only hypervisor in the table whose claim to a security boundary is mathematical rather than operational. seL4 ships approximately ten thousand lines of C and assembly with a machine-checked proof of functional correctness against a higher-level specification. The proof took roughly twenty-five person-years and covers a microkernel that does not by itself ship the full surface area of Hyper-V. The Microsoft hypervisor is unverified at the previously noted 100,000-200,000-line estimate, an order of magnitude larger; its security argument is operational (a small TCB, heavy fuzzing, a standing bounty, public servicing) rather than mathematical.
A serviced boundary is a contract. Contracts are not promises; they are obligations that come due when an attacker finds a way around them. To see what the contract has actually had to pay out, we read the public CVE record.
Verify it yourself (documented)
This chapter has no captured lab evidence. The following blocks are deliberately 🔵 DOCUMENTED: real commands a reader can run, with expected shapes and value meanings taken from Microsoft documentation and from the source material, not captured on our lab VM. That is the honest evidence level for this chapter.
🔵 DOCUMENTED: Microsoft Learn, BCDEdit /set hypervisor settings; not captured on our lab VM
reproduce: bcdedit /enum {current}
Windows Boot Loader
-------------------
identifier {current}
...
hypervisorlaunchtype Auto
hypervisorlaunchtype Auto is the boot-entry setting that permits the Windows hypervisor to launch. Off is the opt-out state. The important audit detail is not merely that the line exists; it is that no VBS-disabling load options accompany it.
🔵 DOCUMENTED: Microsoft Learn, Win32_DeviceGuard; not captured on our lab VM
reproduce: Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard | Select-Object AvailableSecurityProperties,RequiredSecurityProperties,SecurityServicesConfigured,SecurityServicesRunning,VirtualizationBasedSecurityStatus
AvailableSecurityProperties : {1, 2, 3, 5, 6, 7}
RequiredSecurityProperties : {1, 2}
SecurityServicesConfigured : {1, 2}
SecurityServicesRunning : {1, 2}
VirtualizationBasedSecurityStatus : 2
Documented meanings:
1 = hypervisor support; 2 = Secure Boot; 3 = DMA protection;
5 = NX protections; 6 = SMM mitigations; 7 = MBEC/GMET.
SecurityServicesRunning: 1 = Credential Guard; 2 = memory integrity.
VirtualizationBasedSecurityStatus: 2 = VBS enabled and running.
The exact array varies by hardware and policy. The point of the surface is that it separates hardware eligibility (AvailableSecurityProperties) from policy requirement (RequiredSecurityProperties) and from runtime state (SecurityServicesRunning, VirtualizationBasedSecurityStatus).
🔵 DOCUMENTED: Microsoft Learn, Hyper-V installation requirements and systeminfo; not captured on our lab VM
reproduce: systeminfo
Hyper-V Requirements: VM Monitor Mode Extensions: Yes
Virtualization Enabled In Firmware: Yes
Second Level Address Translation: Yes
Data Execution Prevention Available: Yes
When a hypervisor is already running, Windows may instead report:
Hyper-V Requirements: A hypervisor has been detected. Features required for Hyper-V will not be displayed.
This is the coarse hardware gate: VM monitor extensions, firmware virtualization, SLAT, and DEP. It tells you whether the machine can host the boundary. It does not, by itself, prove that VBS services are running.
🔵 DOCUMENTED: Microsoft Learn, Get-ComputerInfo Windows-only cmdlet plus Hyper-V requirement surface; not captured on our lab VM
reproduce: Get-ComputerInfo -Property HyperV*
HyperVisorPresent : True
HyperVRequirementDataExecutionPreventionAvailable : True
HyperVRequirementSecondLevelAddressTranslation : True
HyperVRequirementVirtualizationFirmwareEnabled : True
HyperVRequirementVMMonitorModeExtensions : True
HyperVisorPresent is the useful quick check: the hypervisor is actually present. The HyperVRequirement* fields are eligibility checks. In adversarial conditions, corroborate this with Win32_DeviceGuard and boot-time events; any VTL0-reported surface can be lied about by a VTL0 kernel attacker.
Where this link breaks. six worked CVEs across three classes
We do not need an exhaustive Hyper-V CVE catalog to understand the boundary's real shape. Six worked examples, drawn from three distinct attack classes, cover the public failure modes that matter for this chapter: root-partition device emulation, hypercall input validation, and VTL0-to-VTL1 secure-call dispatch. We walk them in order.
Class A: Device emulation in the root partition
CVE-2021-28476 (vmswitch.sys, May 2021, CVSS 9.9). Discovered by Ophir Harpaz at Guardicore Labs and Peleg Hadar at SafeBreach Labs using Guardicore's hAFL1 hypervisor fuzzer, this was a guest-controlled OID_SWITCH_NIC_REQUEST OID parameter passed to the host-side vmswitch.sys driver. The driver dereferenced an attacker-influenced object pointer; the host kernel performed an arbitrary pointer dereference, which MSRC rated as guest-to-host RCE in the root partition's kernel mode (the demonstrated primitive was an arbitrary host-kernel read/dereference). The CVSS 9.9 score (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) reflects guest-to-host RCE with Azure-scale blast radius: the bug was reachable from the vmswitch driver shipped in Windows builds well before the May 2021 patch, per the Guardicore Labs technical analysis [422]. The bug is the canonical anchor for "device emulation in the root partition is the largest Hyper-V attack surface."
CVE-2025-21333 (NT Kernel Integration VSP, January 2025, CWE-122). The first publicly-acknowledged in-the-wild exploited Hyper-V CVE, and a useful boundary lesson precisely because it is not a guest-to-host escape. It is a local elevation of privilege (CVSS 7.8, AV:L) in vkrnlintvsp.sys, the Hyper-V NT Kernel Integration VSP that ties the Windows kernel-mode container architecture to Hyper-V's VSP/VSC pattern. A low-privilege caller in a confined context (for example a Windows Sandbox / AppContainer silo) triggers a heap-based buffer overflow in the host-side VSP and, through an I/O-ring primitive, escalates to SYSTEM on the host [423]. By the chapter's own taxonomy this is a Windows kernel elevation serviced under the Windows boundary, not a hypervisor break; it earns its place here as the first such bug found exploited in the wild (CISA KEV), not as a guest escape.
Class B: The hypercall input-validation path
Class B is the one a reader should slow down for, because it is the class where the guest is no longer merely feeding packets to a root-partition driver. It is invoking the hypervisor's own ABI. Public advisories for the 2024 Class-B bugs do not publish Microsoft source, vulnerable function names, or exploit traces. The worked examples below therefore use only three kinds of evidence: the TLFS hypercall contract, the NVD/MSRC metadata and CWE labels, and the invariant every hypercall handler must satisfy. Where a mechanism is reconstructed from those public facts rather than named by Microsoft, the text says so.
The call path is fixed. A guest writes the hypercall input value in rcx, places either inline parameters or GPA pointers in rdx/r8, executes vmcall or vmmcall, and enters the common hypervisor dispatch path. The dispatcher decodes the low 16-bit call code, validates the control word (Fast, variable-header size, rep count, rep start), maps any guest-physical input page into a hypervisor-readable window, copies or pins the relevant bytes, calls the per-code handler, writes output, unmaps/unpins transient mappings, and resumes the guest. The object-lifetime rule is equally fixed: any object derived from guest state (a mapped parameter page, a partition object, a VP object, a message port, a file-operation context, a continuation for a repeated hypercall) must remain valid for exactly the interval in which the handler can dereference it, and it must not trust guest memory after validation unless that memory is copied or pinned.
CVE-2024-21407 (Hyper-V hypercall UAF, March 2024, CVSS 8.1, CWE-416). This is the clean lifetime example. The publicly documented part identifies a use-after-free in the hypervisor binary (hvix64.exe / hvax64.exe) and describes specially crafted hypercalls [418]. The inferred exploit shape to reason about is a two-phase object: a hypercall creates or looks up an operation context, associates guest-supplied state with it, and later completes, cancels, or retries that operation. A safe handler has to maintain a reference while any completion path, retry path, or output-copy path can still touch the context. A UAF means one of those paths dropped the last reference too early, then continued to dereference a stale pointer. The inferred attacker shape is not mystical: issue hypercalls that force the context through an unusual error/cancel/rep-start sequence; reclaim or influence the freed allocation with another hypervisor allocation of compatible size; then cause the stale path to read a field, write through a pointer, or call through a vtable-like dispatch slot. In that inferred shape, the exploitability hinge is object reuse. If the freed bytes are still allocator poison, the host crashes. If the attacker can groom the hypervisor heap so the same address now contains attacker-shaped data, the stale dereference becomes host-code execution. That is why CWE-416 is more informative here than the phrase "RCE": the boundary failed because a hypervisor-owned object's lifetime no longer dominated every call path that could use it.
CVE-2024-30092 (Hyper-V RCE, October 2024, CWE-20 + CWE-829). This advisory is less generous with mechanism, so the honest worked example is a validation-boundary reconstruction, not a claim about a named private function. The publicly documented labels are CWE-20 and CWE-829: an input accepted from the guest was not sufficiently validated, and trusted code incorporated functionality or behavior from an untrusted control sphere [424]. As an inferred exploit shape in a hypercall handler, that combination usually means the guest supplied not merely data but a selector, descriptor, GPA, length, feature bit, or continuation state that changed which trusted code path ran. The safe pattern is: decode the call code; reject reserved bits; bound Rep Count; verify variable-header length; translate guest physical addresses only through the caller's partition; copy the descriptor to hypervisor-owned memory; validate every embedded length and offset against that copied descriptor; then dispatch only to operations the caller's partition is allowed to request. The failure pattern is: validate the outer header, then let an inner guest-controlled field select an implementation path, an imported helper, or a nested object type before proving that field belongs to the trusted grammar. The object-lifetime version is a descriptor-lifetime bug: the "object" is not necessarily heap memory; it can be a validated interpretation of guest bytes. If the handler validates bytes under interpretation A, then later reuses the same bytes under interpretation B, the validation object has expired even though no allocation was freed. CVE-2024-30092 belongs in Class B because the attacker crosses the boundary at the hypercall ABI, and the bug class says the ABI parser let guest-controlled meaning survive too far into trusted execution.
CVE-2024-49117 (Hyper-V RCE, December 2024, CVSS 8.8, CWE-393 in public vulnerability databases). This one is best read as a status-lifetime example, explicitly inferred from the public CWE rather than from a Microsoft-published root-cause trace. CWE-393, "Return of Wrong Status Code," is easy to underrate because it sounds like a bookkeeping mistake. In a hypervisor, status is authority. A handler commonly performs a sequence like: map input page; validate header; acquire partition/VP object; perform operation; copy output; release objects; return a hypercall status. Downstream cleanup and the guest-visible continuation path both branch on that status. If a failure path returns success, later code can consume uninitialized output, commit a partially initialized object, or skip cleanup because it believes ownership transferred. If a success path returns a retry/failure status, the dispatcher may free or roll back an object that another path will still use. The object lifetime is therefore encoded in the status code. A wrong status can turn a valid reference into a dangling one, or keep an invalid object reachable across the next repeated hypercall. The inferred worked exploit shape is: craft a request that reaches a rare validation or resource-exhaustion branch; force the handler to return the status for the wrong ownership state; then make a follow-up hypercall that exercises the mismatched state machine. The public advisory does not tell us which object was mismatched. It tells us enough to identify the systems lesson: in the hypercall ABI, status values are not cosmetics; they are the state machine that decides who owns each object after the call returns [425].
The three Class-B bugs are different on the surface (freed memory, improper validation plus untrusted control, wrong status) but the invariant they violate is the same. A hypercall handler must convert untrusted guest state into hypervisor-owned state exactly once, attach a lifetime to that state, and make every later branch prove it is still operating inside that lifetime. The moment guest bytes can be reinterpreted, an object can outlive its reference, or a status code can lie about ownership, the "small" hypervisor TCB has the same bug class as any other parser.
Class C: VTL0-to-VTL1 (the VBS break, not the hypervisor break)
CVE-2020-0917 and CVE-2020-0918: Amar and King, Black Hat USA 2020. Saar Amar and Daniel King's "Breaking VSM by Attacking SecureKernel" disclosed two paired vulnerabilities discovered with their Hyperseed hypercall fuzzer retargeted at securekernel!IumInvokeSecureService, the secure-call entry point. Vulnerability #1 (which maps to CVE-2020-0917) is an out-of-bounds write in securekernel!SkmmObtainHotPatchUndoTable, the function that parses the hot-patch undo table at secure-call invocation time.
Sidebar. The Black Hat USA 2020 deck (verified via pdftotext at the canonical MSRC-Security-Research GitHub URL) explicitly labels Vulnerability #1 as OOB Write, in slides titled "The Vulnerable Function" and "The OOB" in the "Hardening SK" section [295]. Several secondary writeups across the web have transcribed the bug class as "OOB read," which is incorrect; the deck itself is the primary source and says write. The functions involved are also commonly conflated: IumInvokeSecureService is the secure-call dispatcher Hyperseed retargets to reach the buggy code; the actual bug is in SkmmObtainHotPatchUndoTable. The NVD entries for both CVEs are tracked as CWE-269 (Improper Privilege Management).
Vulnerability #2 (CVE-2020-0918) is a design flaw in SkmmUnmapMdl that lets VTL0 pass a fully attacker-controlled Memory Descriptor List to SkmiReleaseUnknownPTEs.
The Microsoft response is documented end-to-end in the same deck: the Secure Kernel pool was migrated to segment heap in mid-2019, four W+X regions were reduced to +X only, and SkpgContext (a HyperGuard equivalent for Secure Kernel) was introduced.
This is a different failure class than vmswitch RCE: not guest-to-host, but VTL0-to-VTL1. A Secure Kernel break reached through the hypervisor's secure-call dispatch from a privileged VTL0 attacker. Microsoft services it under the VBS / VSM boundary in the servicing criteria document, even though no guest VM is involved.
Key idea. In the public record reviewed here, the meaningful Hyper-V/VBS boundary breaks since 2018 cluster in three narrow code paths: device emulation, hypercall input validation, or VTL0-to-VTL1 secure-call dispatch. That is an empirical observation, not a proof that intercepts, SynIC, or per-VTL SLAT can never have implementation bugs.
The Pwn2Own dimension
Through Pwn2Own Berlin 2025, no public live Hyper-V guest-to-host escape has been demonstrated at Pwn2Own. The cross-vendor analog (and the industry's best calibration of how hard a hypervisor escape is to find when a researcher has a public dollar incentive and a deadline) is the first-ever ESXi escape in Pwn2Own history, executed by Nguyen Hoang Thach of STAR Labs SG on Day Two (May 16, 2025) using a single integer overflow vulnerability (the affected subsystem and full mechanism were withheld pending the vendor patch). The award was $150,000 plus 15 Master of Pwn points; STAR Labs went on to win overall Master of Pwn for the competition with $320,000 across three days [420].
The full mechanism was not disclosed within the coordinated-disclosure window, but the exploit class is structurally the same as the vmswitch family: structured, attacker-shaped input parsed by a host-side component that then corrupts host memory, just landed in a different vendor's device-emulation path.
| CVE | Class | Year | CVSS | Location | Source |
|---|---|---|---|---|---|
| CVE-2021-28476 | A: device emulation | 2021 | 9.9 | vmswitch.sys (root partition) | [422] |
| CVE-2025-21333 | A: device emulation | 2025 | 7.8 | NT Kernel Integration VSP (root partition) | [423] |
| CVE-2024-21407 | B: hypercall path | 2024 | 8.1 | hvix64.exe / hvax64.exe (hypervisor binary) | [418] |
| CVE-2024-30092 | B: hypercall path | 2024 | 7.5 | Hyper-V hypercall validation | [424] |
| CVE-2024-49117 | B: hypercall path | 2024 | 8.8 | Hyper-V hypercall validation | [425] |
| CVE-2020-0917/0918 | C: VTL0-to-VTL1 | 2020 | 6.8 (per MSRC) | securekernel.exe (VTL1, reached via secure call) | [295] |
Walkthrough: locating a boundary failure. Given a new Hyper-V CVE, classify it by the first trusted parser that consumes attacker-shaped input. If the input is an Ethernet frame, storage command, integration-service message, or synthetic-device request consumed by a root-partition VSP such as vmswitch.sys, the failure is Class A: the guest escaped through device emulation beside the hypervisor. If the first trusted parser is the hypervisor dispatcher itself (rcx call code, rdx/r8 GPA pages, repeated-call state, partition/VP handles), the failure is Class B: the guest reached hvix64.exe / hvax64.exe through the hypercall ABI. If the attacker already controls VTL0 kernel mode and the first trusted parser is securekernel.exe receiving a secure call through IumInvokeSecureService, the failure is Class C: a VBS boundary break, not an L1-guest-to-host escape. This classification keeps the lesson precise. The failures cluster on input parsers and state machines, not on the abstract idea of SLAT or SynIC.
This is the third insight the chapter is built around. The reader's prior model may have been "hypervisors fail in mysterious, deep ways; the boundary is fragile in unknown places." The better model is narrower: the public, documented examples reviewed here live in three code paths: root-partition device emulation, hypercall input validation, and VTL0-to-VTL1 secure-call dispatch. The narrowness of the failure space is evidence for the micro-kernelized design, but it is not a theorem. A future SynIC or SLAT-management bug would still be a hypervisor bug. The claim is empirical and dated: in the public record this chapter cites, attacker-shaped structured input is where the boundary has paid out.
Six worked examples; three classes; one boundary; an unflinching public record. The boundary is alive: Microsoft publishes and services real Hyper-V/VBS boundary CVEs rather than pretending the layer is perfect. The examples above live on inputs the hypervisor or its trusted Windows-side components are supposed to control. The interesting question is what lives in places they do not control.
Where this link breaks: Beneath, beside, and around
The hypervisor enforces two clean, serviced boundaries against code above it: VTL0 cannot read VTL1 inside the root partition, and an L1 child guest cannot cross into the root partition or another guest. It cannot, by construction, enforce anything against what lives below or beside it. Three structural classes of residual attack matter. We walk each.
Firmware below the hypervisor
System Management Mode (SMM), the UEFI runtime, the platform Manageability Engine (Intel ME), and the AMD Platform Security Processor (PSP) all sit outside the hypervisor's authority for at least part of the machine's life. SMM is the cleanest example. An SMI interrupts all cores, saves processor state into SMRAM, and runs OEM firmware code in a mode whose memory access is not mediated by the guest's page tables or by VTL policy. If SMRAM protections are wrong, or if an SMI handler copies attacker-controlled buffers without correct bounds checks, SMM code can read or write the same DRAM that contains the hypervisor. From the hypervisor's point of view, SMM is not a lower-privileged caller. It is platform firmware arriving from underneath.
System Guard Secure Launch is Microsoft's answer to one half of that problem: launch integrity. Static Secure Boot measures and verifies a boot chain that firmware helped start. DRTM deliberately starts later. Intel TXT SENTER or AMD SKINIT invokes a CPU-vendor authenticated code module, quiesces the machine into a measured launch environment, establishes protected launch state, and extends TPM PCRs 17-22 with measurements of the late-launch components before handing control to the hypervisor and Secure Kernel [104,188]. The PCR detail matters. PCR extension is append-only: PCRnew = Hash(PCRold || measurement). A compromised pre-boot component cannot simply write a preferred value into PCR 17 after the fact. Remote attestation can therefore distinguish "this measured hypervisor launched through the DRTM path" from "some earlier firmware path claimed it did."
DRTM does not make firmware disappear. It narrows what a pre-launch compromise can hide. Post-launch SMM remains residual because SMIs can arrive after the hypervisor is running. Microsoft's SMM protection work tries to constrain that residual by requiring compatible hardware, using IOMMU and memory protections around SMM ranges, and reporting SMM mitigation availability through Device Guard / System Information surfaces [104]. The remaining hard cases are platform-specific: an OEM SMI handler that can still be triggered by the OS; a firmware update path that installs vulnerable SMM code; a board that lacks Secure Launch support; or a management engine/PSP issue below the CPU-visible launch chain. None of those is "Hyper-V failed to enforce SLAT." They are cases where the thing attacking Hyper-V was never inside the hierarchy Hyper-V controls.
Hardware side channels
SLAT answers the architectural question: can VTL0 translate this address to that physical page with this permission? Side channels ask a different question: did transient execution, cache fill, predictor training, fill-buffer forwarding, or a stale TLB entry leave a measurable trace of data the architecture says should be inaccessible? Spectre mistrains control flow so transient instructions touch data-dependent cache lines. Meltdown-class bugs let faulting loads transiently forward data before the architectural fault retires. L1TF abused terminal-fault behavior to infer data from L1D. MDS sampled internal buffers. Retbleed revived branch-target mistraining across return paths. These attacks do not require the hypervisor to map VTL1 memory into VTL0. They exploit CPU implementation state that sits below the permission check's architectural contract.
For Hyper-V and VBS, the important detail is scheduling and sharing. Two VTLs or two partitions may share a physical core over time, share branch predictors, share caches, or share simultaneous-multithreading sibling resources. A perfect SLAT policy can still leave a pattern: "after VTL1 ran, this cache set is hot" or "after the host handled this hypercall, this predictor entry changed." The mitigation playbook therefore lives partly in the hypervisor scheduler and partly in CPU microcode: flush or partition predictor state on sensitive transitions, use IBRS/STIBP/retpolines where appropriate, avoid scheduling hostile SMT siblings for high-risk workloads, clear L1D on VM entry/exit for L1TF-class issues, and use Kernel Virtual Address Shadow for Meltdown-class kernel/user separation. HyperClear was Microsoft's Hyper-V-specific L1TF mitigation family: on affected Intel processors, it combined core scheduling and cache-clearing so a guest could not sample stale L1D data from another security domain.
The residual is not "Microsoft forgot a mitigation." It is that software mitigations are fences around implementation behavior, not proofs about it. Each new CPU family changes predictor structures, buffer forwarding, SMT behavior, and microcode semantics. Confidential-computing systems such as Intel TDX and AMD SEV-SNP improve the trust model by encrypting guest memory and reducing hypervisor visibility, but they do not claim universal resistance to Spectre-class leakage. VBS is in the same position. It can ensure VTL0 lacks an architectural mapping to VTL1 secrets; it cannot, by software alone, prove the processor never encodes a bit of those secrets into timing.
IOMMU and DMA bypass
The CPU MMU mediates loads and stores issued by cores. DMA is different: a PCIe device can bus-master reads and writes without executing CPU instructions at all. The IOMMU (Intel VT-d or AMD-Vi) adds a second translation path for devices. A device is identified by requester ID; the IOMMU indexes a root/context table for that device or PCIe function; DMA addresses are translated through I/O page tables into system physical addresses; permissions decide whether the transaction completes. If a Thunderbolt controller, USB4 dock, NVMe device, or malicious FPGA is allowed to DMA with a broad identity mapping, it can write the hypervisor's memory without ever asking the CPU page-table walker for permission. SLAT never fires because no CPU load occurred.
Kernel DMA Protection is Windows' attempt to make the IOMMU policy match the VBS story. On supported systems, external hot-plug PCIe-class devices are blocked from DMA until the user signs in and an approved driver stack has created explicit DMA remapping domains. The device gets mappings only for buffers the OS intentionally exposes. In practical terms, the safe path is: firmware leaves DMA remapping enabled or at least not hostile; the Windows boot path and hypervisor take ownership early; the Plug and Play / driver stack identifies whether the device is external and remappable; the IOMMU context for that requester ID starts denied; the driver asks for DMA buffers; Windows maps only those pages; and unplug/logoff transitions tear the mappings back down [45].
The deep residuals are all in the seams. Pre-boot DMA: before Windows owns the IOMMU, firmware or option ROMs may leave devices able to DMA. Identity and aliasing: PCIe features such as requester-ID aliasing, Access Control Services, Address Translation Services (ATS), and Page Request Interface (PRI) complicate the assumption that the IOMMU sees exactly the requester the OS thinks it authorized. ATS lets a device cache translations; PRI lets a device request page mappings; both are legitimate performance features, but they enlarge the state that must be invalidated on policy changes. Firmware handoff: if the BIOS disables VT-d/AMD-Vi, hides remapping units, or misdescribes them in ACPI tables, Windows cannot build the intended protection. Physical attacks: Thunderspy showed why "external PCIe behind a nice connector" is still PCIe: with physical access and vulnerable controller firmware, a malicious peripheral can target memory unless remapping is active and correctly scoped [426]. The hypervisor can own the IOMMU only after the platform exposes a correct IOMMU to own.
Hypervisor downgrade and rollback
Alon Leviev's "Windows Downdate" at Black Hat USA 2024 disclosed a class of attack that the prior three sections do not cover: rollback of the hypervisor binary itself to a previously-vulnerable, but still validly-signed, build [304].
The structural argument: UEFI Secure Boot prevents loading an unsigned hvix64.exe. It does not prevent loading an older hvix64.exe that remains validly signed and merely unrevoked. If Microsoft fixes a Secure Kernel bug in build N+1 and a VTL0 attacker can convince the system to load build N at the next reboot, the patched bug is alive again. CVE-2024-21302 demonstrated exactly this rollback against both the hypervisor and the Secure Kernel through manipulation of the Windows Update servicing pipeline. The mitigation is mandatory-update servicing combined with proactive revocation list (dbx) hygiene (once an older binary's hash is in the UEFI revocation list, Secure Boot will refuse to load it) and Microsoft completed mitigations across Windows 10 1507 through Windows Server 2019 in the July 8, 2025 update wave [304].
Walkthrough. What remains outside the hypervisor's jurisdiction. Trace a boot. Firmware initializes the board and may run SMM code before Windows exists. Secure Boot verifies signed boot components. Secure Launch, when supported and enabled, performs a late DRTM measurement and extends PCRs 17-22 before the hypervisor takes over. The hypervisor then enforces partition and VTL isolation with SLAT, intercepts, SynIC, hypercalls, and IOMMU programming. Now place four residual arrows around that stack. From below: SMM or management firmware can still attack memory if platform protections fail. From above-but-below-the-ISA: side channels can leak through predictor/cache/buffer state even when mappings are correct. From beside: DMA can bypass CPU page-table checks unless the IOMMU policy is correct from boot through hot-plug. From the future boot: the servicing pipeline can select an older still-signed hypervisor unless revocation and rollback protection are current. The hypervisor is the center of the boundary, not the whole boundary.
Necessary, not sufficient. The firmware-Secure-Boot-DRTM substrate beneath the hypervisor, the microarchitectural ceiling above it, the IOMMU configuration beside it, and the Windows Update pipeline that decides which hypervisor build runs next are co-equal members of the same boundary. None of them is the hypervisor; all of them have to do their job for the hypervisor's guarantees to hold. The substrate is genuine, the boundary is published, Microsoft assigns a high public bounty ceiling to guest-to-host RCE, and the public CVE record is alive and narrow; the residuals are where the hypervisor's jurisdiction ends. The last section turns from theory to practice.
What it means for you: Practical guide and closing
If you have read this far, the natural next question is "is this on, on my machine, and how do I check?" The practical answer is short.
Enabling and verifying VBS
VBS is configurable through several paths: Group Policy (Computer Configuration > Administrative Templates > System > Device Guard), Intune, MDM CSPs (DeviceGuard/EnableVirtualizationBasedSecurity, DeviceGuard/ConfigureSystemGuardLaunch), the Windows Security UI, or directly via bcdedit /set hypervisorlaunchtype Auto. Verification is not a single green check. Treat it as an adversarial state check: boot policy must permit the hypervisor; hardware must expose virtualization, SLAT, Secure Boot, and preferably DMA/SMM protections; Windows policy must request services; runtime state must show those services running; and no boot load option should disable VBS. The following surfaces are 🔵 documented-only examples, but they are the right evidence types to capture in a lab or fleet audit.
msinfo32→ the Device Guard / Virtualization-based Security row. "Services Configured" lists what policy has requested; "Services Running" lists what is actually active. Kernel DMA Protection and Secure Launch each appear as their own row.Get-CimInstance -ClassName Win32_DeviceGuard→VirtualizationBasedSecurityStatus(0 = off, 1 = enabled but not running, 2 = running);SecurityServicesRunningarray (HVCI, Credential Guard, etc.);RequiredSecurityProperties(the policy floor).bcdedit /enum→hypervisorlaunchtype Autois the default;loadoptions DISABLE-VBS(orDISABLE-LSA-ISO) is how an administrator can opt out (you should not see these flags on a properly-configured machine).
A health check over those fields should be deliberately conservative about what it requires. A developer workstation may choose not to require Credential Guard; a kiosk may require HVCI but not Secure Launch; a high-assurance fleet may require DMA protection and SMM mitigations. The required floor is a local fleet policy over available capabilities, not Microsoft's RequiredSecurityProperties field; a production checker should record both. Change the policy floor, not the meaning of the fields.
Operational one-liners. Three commands, in order: msinfo32 for the human-readable summary; Get-CimInstance -ClassName Win32_DeviceGuard | Format-List * for the structured detail; bcdedit /enum {current} to confirm hypervisorlaunchtype Auto and the absence of DISABLE-VBS / DISABLE-LSA-ISO load options. If all three agree that VBS, HVCI, and Credential Guard are running, you are in the configuration this chapter describes.
Operational Pitfalls
Three operational realities matter. First, HVCI has a driver-compatibility gate and will refuse Memory Integrity if an incompatible kernel driver is installed. The usual offenders are older anti-cheat drivers, legacy storage filters, disk-encryption filters, and pre-Hyper-V-aware virtualization products. The failure mode is not "VBS is broken"; it is "Windows declined to create an executable mapping regime that an existing driver cannot survive." Remove or update the driver, reboot, and re-check both policy and runtime state.
Second, nested virtualization changes the diagram but not the owner. In an L0/L1/L2 stack, the physical L0 hypervisor still owns the machine. The L1 guest may expose a virtual hypervisor to L2 and may even run its own VTL split, but L1's VBS protects L1 secrets from L1 VTL0; it does not give L1 authority over L0. Performance counters, side-channel mitigations, and device assignment become harder to reason about, so nested VBS should be treated as a separate deployment profile, not as proof that the host boundary weakened.
Third, verification has policy caveats. hypervisorlaunchtype Auto only says the boot entry permits a hypervisor. VirtualizationBasedSecurityStatus = 2 says VBS is running, not that every desired service is running. SecurityServicesConfigured can be ahead of SecurityServicesRunning when hardware support, firmware settings, incompatible drivers, or policy conflicts block a service. A fleet check should record all three: configured, required, and running. That is the difference between "the switch is on" and "the boundary this chapter describes is actually in force."
Further Reading
Administrator Protection (the user-mode admin trust model that the kernel-mode VBS boundary makes possible) did not become a chapter of this book; for that thread, see the external write-up Adminless.
Closing
The reason SYSTEM on a properly configured Windows 11 box cannot read Credential Guard-protected LSASS secrets, execute policy-denied kernel code, or patch HVCI-protected ntoskrnl.exe pages is now fully accounted for. An hvix64.exe or hvax64.exe launched by hvloader.efi before the NT kernel ran. A VTL split inside the root partition, made possible by Hepkin and Kishan's 2013 patent and shipped with Windows 10 RTM in 2015. Per-VTL SLAT enforcement that the NT kernel architecturally cannot touch, because the SLAT tables live in pages the hypervisor never maps into a VTL0 view. A Microsoft-published security boundary and a $5,000-$250,000 bounty calibrating the boundary's value, whose $250,000 standing ceiling is, at this writing, the highest among the compared public bounty programs. A public CVE record of six worked examples across three narrow classes that the boundary has had to pay out on since 2018. And a residual attack surface (firmware below, side channels above, IOMMU bypass beside, hypervisor rollback through the update pipeline) that the substrate cannot, by construction, eliminate.
The hypervisor is what every other chapter in Part II sits on. With the substrate in hand, the chapters that spend it read as compositions of one boundary rather than as separate features: the Secure Kernel chapter (Chapter 6) reads differently when you have walked the per-VTL SLAT yourself; the Credential Guard chapter (Chapter 15) reads differently when you know that LSAISO.EXE is invoked through a hypercall-mediated secure call; the Secure Boot chapter (Chapter 1) reads differently when you know that the hypervisor's DRTM measurement re-establishes the trust root after firmware; and the Code Integrity chapter (Chapter 8) reads differently when you know that the privilege ceiling on Windows 11 is not Ring 0 but a hardware boundary above it.
Above Ring Zero is not a metaphor. It is an instruction-set state. The Windows hypervisor lives there, owns the page tables that say what the OS can see, and is the architectural reason "SYSTEM-on-VBS-backed-Windows" cannot do things SYSTEM used to be allowed to do.
Bequeaths. This chapter hands the rest of Part II the enforced boundary every other VBS feature is built on: a VTL0→VTL1 split, and the five primitives (partitions, hypercalls, intercepts, SynIC, and per-VTL SLAT) that compose into security policy. The VBS Trustlets chapter (Chapter 7) fills VTL1 with the signed user-mode processes that hold secrets; the Code Integrity chapter (Chapter 8) spends the per-VTL SLAT to make the kernel's own pages immutable; the Credential Guard chapter (Chapter 15) spends it to move selected long-term credential material behind LSAISO/VTL1. The bequest is deliberately bounded. The hypervisor guarantees architectural mediation of memory and partitions. It does not promise its own hypercall and secure-call parsers are bug-free (six public CVEs say otherwise), that the silicon beneath it leaks nothing through cache and predictor state, that a device cannot DMA around the CPU, or that the current hypervisor build is the one that boots next (Windows Downdate, CVE-2024-21302). It is the necessary center of the boundary, not the whole boundary.