Azure 机群上的虚拟机监控程序安全性Hypervisor security on the Azure fleet

Azure 虚拟机监控程序系统基于 Windows Hyper-V。The Azure hypervisor system is based on Windows Hyper-V. 借助虚拟机监控程序系统,计算机管理员可以指定具有单独地址空间的来宾分区。The hypervisor system enables the computer administrator to specify guest partitions that have separate address spaces. 单独的地址空间使你可以加载与在计算机的根分区中执行的(主机)操作系统并行运行的操作系统和应用程序。The separate address spaces allow you to load an operating system and applications operating in parallel of the (host) operating system that executes in the root partition of the computer. 主机 OS(也称为特权根分区)可以直接访问系统上的所有物理设备和外设(存储控制器、网络适配器)。The host OS (also known as privileged root partition) has direct access to all the physical devices and peripherals on the system (storage controllers, networking adaptions). 通过将“虚拟设备”公开给每个来宾分区,主机 OS 允许来宾分区共用这些物理设备。The host OS allows guest partitions to share the use of these physical devices by exposing “virtual devices” to each guest partition. 因此,在来宾分区中执行的操作系统可以访问由在根分区中执行的虚拟化服务所提供的虚拟化外围设备。Thus, an operating system executing in a guest partition has access to virtualized peripheral devices that are provided by virtualization services executing in the root partition.

构建 Azure 虚拟机监控程序时要牢记以下安全目标:The Azure hypervisor is built keeping the following security objectives in mind:

目标Objective Source
隔离Isolation 安全策略禁止在 VM 之间传输信息。A security policy mandates no information transfer between VMs. 此约束需要 Virtual Machine Manager (VMM) 和硬件的功能来隔离内存、设备、网络和受管理资源(如持久化数据)。This constraint requires capabilities in the Virtual Machine Manager (VMM) and hardware for isolation of memory, devices, the network, and managed resources such as persisted data.
VMM 完整性VMM integrity 若要实现总体系统完整性,需要构建单个虚拟机监控程序组件的完整性并对其进行维护。To achieve overall system integrity, the integrity of individual hypervisor components is established and maintained.
平台完整性Platform integrity 虚拟机监控程序的完整性取决于它所依赖的硬件和软件的完整性。The integrity of the hypervisor depends on the integrity of the hardware and software on which it relies. 虽然虚拟机监控程序无法直接控制平台的完整性,但 Azure 依靠硬件和固件机制(例如 Cerberus 芯片)来保护和检测基础平台的完整性。Although the hypervisor doesn't have direct control over the integrity of the platform, Azure relies on hardware and firmware mechanisms such as the Cerberus chip to protect and detect the underlying platform integrity. 如果平台完整性受到损害,则会阻止 VMM 和来宾运行。The VMM and guests are prevented from running if platform integrity is compromised.
受限访问Restricted access 只有通过安全连接进行连接的授权管理员才能执行管理功能。Management functions are exercised only by authorized administrators connected over secure connections. 最小特权原则由 Azure 基于角色的访问控制 (Azure RBAC) 机制强制实施。A principle of least privilege is enforced by Azure role-based access control (Azure RBAC) mechanisms.
审核Audit 借助 Azure,审核功能可以捕获和保护有关系统上发生的情况的数据,以便以后可以对其进行检查。Azure enables audit capability to capture and protect data about what happens on a system so that it can later be inspected.

Microsoft 强化 Azure 虚拟机监控程序和虚拟化子系统的方法可以分为以下三类。Microsoft’s approach to hardening the Azure hypervisor and the virtualization subsystem can be broken down into the following three categories.

由虚拟机监控程序强制实施的严格定义的安全边界Strongly defined security boundaries enforced by the hypervisor

Azure 虚拟机监控程序在以下各项之间强制实施多个安全边界:The Azure hypervisor enforces multiple security boundaries between:

  • 虚拟化的“来宾”分区和特权分区(“主机”)Virtualized “guest” partitions and privileged partition (“host”)
  • 多个来宾Multiple guests
  • 本身和主机Itself and the host
  • 本身和所有来宾Itself and all guests

为虚拟机监控程序安全边界确保了机密性、完整性和可用性。Confidentiality, integrity, and availability are assured for the hypervisor security boundaries. 边界可以抵御各种攻击,包括旁道信息泄漏、拒绝服务和特权提升。The boundaries defend against a range of attacks including side-channel information leaks, denial-of-service, and elevation of privilege.

虚拟机监控程序安全边界还为网络流量、虚拟设备、存储、计算资源和所有其他 VM 资源提供了租户之间的分段。The hypervisor security boundary also provides segmentation between tenants for network traffic, virtual devices, storage, compute resources, and all other VM resources.

深层防御攻击缓解Defense-in-depth exploit mitigations

如果安全边界存在漏洞,Azure 虚拟机监控程序包括多个缓解层,包括:In the unlikely event a security boundary has a vulnerability, the Azure hypervisor includes multiple layers of mitigations including:

  • 隔离跨 VM 组件托管的基于主机的进程Isolation of host-based process hosting cross-VM components
  • 基于虚拟化的安全性 (VBS),用于确保安全环境中用户和内核模式组件的完整性Virtualization-based security (VBS) for ensuring the integrity of user and kernel mode components from a secure world
  • 多个级别的漏洞缓解。Multiple levels of exploit mitigations. 缓解包括地址空间布局随机化 (ASLR)、数据执行保护 (DEP)、任意代码防护、控制流完整性和数据损坏防护Mitigations include address space layout randomization (ASLR), data execution prevention (DEP), arbitrary code guard, control flow integrity, and data corruption prevention
  • 在编译器级别自动初始化堆栈变量Automatic initialization of stack variables at the compiler level
  • 内核 API 自动对由 Hyper-V 分配的内核堆进行零初始化Kernel APIs that automatically zero-initialize kernel heap allocations made by Hyper-V

这些缓解旨在使利用跨 VM 漏洞的攻击变得不可行。These mitigations are designed to make the development of an exploit for a cross-VM vulnerability infeasible.

强大的安全保障过程Strong security assurance processes

与虚拟机监控程序有关的攻击面包括软件网络、虚拟设备和所有跨 VM 的面。The attack surface related to the hypervisor includes software networking, virtual devices, and all cross-VM surfaces. 通过自动构建集成来跟踪攻击面,这会触发定期的安全检查。The attack surface is tracked through automated build integration, which triggers periodic security reviews.

针对安全边界违规行为,我们的 RED 团队对所有 VM 攻击面进行了威胁建模、代码评审、模糊处理和测试。All VM attack surfaces are threat modeled, code reviewed, fuzzed, and tested by our RED team for security boundary violations. Microsoft 有一个 bug 赏金计划,用于奖励发现 Microsoft Hyper-V 合格产品版本中的相关漏洞的人员。Microsoft has a bug bounty program that pays an award for relevant vulnerabilities in eligible product versions for Microsoft Hyper-V.

后续步骤Next steps

若要详细了解为提高平台完整性和安全性而做的工作,请参阅:To learn more about what we do to drive platform integrity and security, see: