VBS: what does this option actually do?
Since September 2022, new machines (and fresh Windows installations) have shipped with an option enabled by default named VBS, for Virtualization-Based Security, also exposed in Windows Defender under the name "Core isolation". The option had already caused a lot of ink to flow at the time, since enabling it was not without impact on performance: Tom's Hardware reported an average gain of about 5 % by disabling VBS, with peaks above 10 % in the most extreme cases, and more still when looking at the 1 % lows (first percentile). On the occasion of the disclosure of flaws concerning precisely this VBS, Hardware & Co comes back to how the mechanism works, how effective it is as a protection, and what it costs your CPU. Let's go!
First of all, let's come back to a technology that has since disappeared from consumer CPUs: Intel SGX. Behind this name hides a secure processor mode in which the integrity of code and data is not guaranteed by the operating system (Windows in our case) but directly by the processor: a kind of last resort in case a nasty virus had completely rotted your machine. In practice, it was used in particular for DRM and the legal playback of Blu-ray discs, so that clever hackers could not duplicate their content. Finally, hardware constraints, the difficulty of programming for it and the colossal performance losses of SGX led to the death of the extension, which now survives only on servers; but the principle of a "secure enclave" separated from the OS, that is to say a mode distinct from kernel mode, simpler and harder to attack, has remained.
Attacks (in orange) coming from the kernel and the lower software layers do not reach the SGX enclaves, because the latter talk directly to the hardware, and do so in encrypted form.
By digging through its archives (and drawing on academic work), Microsoft found another way to ensure a partition between the kernel (presumed compromised, remember) and critical applications: virtualization. Basically, this technology accelerates the nested execution of one operating system inside another, which is called a virtual machine (VM for short). You can then run a Windows 7 inside a Windows 11, a Linux inside a Windows, or even a Windows 11 inside a Windows 11 if you feel like it. Virtualization software is called a hypervisor, and the most classic ones are VirtualBox, VMware or even... Hyper-V, developed precisely by Microsoft, and already at work behind the scenes in WSL2.
A logical view of the whole thing: the Hyper-V hypervisor runs on a host machine and controls three VMs: a Linux, a Windows 7 and a WSL2.
In practice, 100 % software virtualization is very slow, which is why x86 extensions were quickly added to accelerate it: Intel VT-x (plus VT-d for I/O) and AMD-V (plus AMD-Vi). Among their additions, these extensions offer a second page-table mechanism, called EPT on Intel and NPT (or RVI) on AMD. What's that? In the normal case, the page table is the data structure that keeps your applications separate from each other, so that a browser crash does not take down your word processor or your game (as it did under Mac OS 9, for example).
This page table is used in a translation step between a so-called virtual address (an arbitrary number handed out by the OS) and a so-called physical address (a number corresponding exactly to the location of the data in RAM). In normal use, each program has its own page table, so it is impossible for an application to go and poke at its neighbour's (physical) memory: no translation of its virtual addresses even leads there.
The simple case: Windows manages one page table, which is used to translate addresses.
In the case of virtualization, the second page table plays a similar role, but one level lower: where the virtualized OS thinks it is manipulating physical addresses, these are still virtual addresses, whose real location is managed by the hypervisor. This step is SLAT, for Second Level Address Translation, or "double translation". For the same reason (no mapping exists unless the hypervisor creates one), it is impossible for virtual machines to share a memory area without the host's agreement: perfect for security... but not for performance. To go from a virtual address inside a VM to the real physical address, a double translation is needed, which is several times more expensive in the worst case: a nested walk of two four-level tables can touch up to 24 page-table entries where a native walk touches 4. Ouch! Fortunately, a cache of recent translations exists, the TLB, which hides most of the cost of translation, single or double.
The complex case: the (virtualized) Windows translates its addresses, which are then translated again by another page table, this time managed by Hyper-V.
Let's go back to our secure-enclave story: to do without SGX by means of virtualization, Redmond only has to run Windows itself as a virtual machine too, and provide on request a third zone, more tightly controlled, secure and trustworthy. Poof, that is VBS: Virtualization-Based Security. The advantage is twofold: on the one hand, the secure enclave is isolated; on the other hand, the amount of software running in non-virtualized mode is reduced, since only Hyper-V runs natively and everything else is partitioned into VMs. In the jargon, the second page table is the SLAT, the mode Windows runs in is VTL0 (Virtual Trust Level 0) and the secure virtual machine runs in "Isolated User Mode" (IUM) inside VTL1. It also makes it possible to isolate unknown drivers and limit their access to the kernel: it is therefore not surprising to find guides for disabling VBS on... Valve's support pages. All this is part of the movement to reduce kernel access for third-party modules, and at the same time to limit CrowdStrike-type accidents.
In practice, what does this give? Well, programmers can use an API supplied directly by Microsoft (the Win32 enclave functions CreateEnclave, LoadEnclaveImage, InitializeEnclave and CallEnclave) to offload part of their code's execution into this IUM mode, concretely by means of a DLL loaded into the enclave. To ensure this library cannot be tampered with, a limited number of Microsoft partners are given keys with which to sign the code: the hypervisor verifies that nothing has been modified, and the chain of trust is complete. The technology is also already active in a number of Windows components, such as user authentication (Credential Guard) and group policies. Perfect!
Or almost. On the one hand, even though the double page table provides hardware-enforced protection, it is not infallible, and a year earlier we already relayed a vulnerability that allowed bypassing the protection in order to roll the system back to an earlier, vulnerable version. In addition, a company specializing in offensive security also published a (relatively) complete guide explaining how the mechanism works and the various ways it can be abused. On the other hand, as we explained, this double translation has a cost at the CPU level, the GPU being, fortunately, spared. Every memory access to a new area (meaning an area whose translation is not yet in the TLB) is considerably slowed down, which is a disaster for applications with random RAM access patterns... enough to explain the slowdowns. If you ever want to test it for yourself, you will have to fiddle with PowerShell and disable "Core isolation / Memory integrity" in Windows Defender. In that case, better become paranoid and avoid using the machine for any sensitive operation: you have been warned.
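As an added example (not code from the Hardware & Co article), here is what the PowerShell fiddling mentioned above looks like: the first function reports whether VBS is running and which services it protects, the second flips the same registry value that the "Memory integrity" toggle in Windows Security writes. The WMI class, property codes and registry path are Microsoft's documented ones; the function names are ours. Run it from an elevated prompt, and expect to reboot for any change to take effect.

```powershell
# Added example, not from the original article. Requires an elevated PowerShell.
# Assumptions: the Win32_DeviceGuard class and the HypervisorEnforcedCodeIntegrity
# registry key are present (Windows 10/11); a reboot is needed after any change.

function Get-VbsState {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard'

    # VirtualizationBasedSecurityStatus: 0 = disabled, 1 = enabled but not running, 2 = running
    $statusNames = @{ 0 = 'Disabled'; 1 = 'Enabled, not running'; 2 = 'Running' }

    # SecurityServicesRunning: 0 = none, 1 = Credential Guard, 2 = HVCI (Memory integrity),
    # 3 = System Guard Secure Launch, 4 = SMM Firmware Measurement
    $serviceNames = @{ 0 = 'None'; 1 = 'Credential Guard'; 2 = 'HVCI / Memory integrity';
                       3 = 'System Guard Secure Launch'; 4 = 'SMM Firmware Measurement' }
    $running = @($dg.SecurityServicesRunning | ForEach-Object {
        if ($serviceNames.ContainsKey([int]$_)) { $serviceNames[[int]$_] } else { "Unknown ($_)" }
    })

    [pscustomobject]@{
        VbsStatus         = $statusNames[[int]$dg.VirtualizationBasedSecurityStatus]
        ServicesRunning   = ($running -join ', ')
        # True when Windows itself is running as a guest of a hypervisor (Hyper-V with VBS, or any other)
        HypervisorPresent = (Get-CimInstance -ClassName 'Win32_ComputerSystem').HypervisorPresent
    }
}

function Set-MemoryIntegrity {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('On', 'Off')]
        [string]$State
    )
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

    # "Locked" = 1 means HVCI was enabled with a UEFI lock; a registry flip alone will not disable it then.
    $locked = (Get-ItemProperty -Path $key -Name 'Locked' -ErrorAction SilentlyContinue).Locked
    if ($State -eq 'Off' -and $locked -eq 1) {
        throw 'Memory integrity is UEFI-locked on this machine; clearing the registry value is not enough.'
    }

    $value = if ($State -eq 'On') { 1 } else { 0 }
    Set-ItemProperty -Path $key -Name 'Enabled' -Value $value -Type DWord
    Write-Host "Memory integrity set to $State. Reboot for the change to apply, then re-run Get-VbsState."
}

# Usage: look before you touch anything.
Get-VbsState | Format-List

# Set-MemoryIntegrity -State Off    # same effect as the Windows Security toggle; reboot afterwards
# Set-MemoryIntegrity -State On     # put it back once your benchmarks are done
# bcdedit /set hypervisorlaunchtype off   # heavier hammer: turns off the Hyper-V hypervisor, and with it all of VBS
```

Turning off Memory integrity alone leaves the hypervisor running (and Credential Guard, if enabled), so the SLAT cost discussed above does not fully disappear; the bcdedit line is what removes the double translation entirely, at the price of every VBS protection. Benchmark, then put things back.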
On the hardware side, it is hard to find a way out of this puzzle: virtualization has been around for a while, and its costs are already well studied. On the other hand, new hardware extensions could find a middle ground between SGX and virtualization, why not using something along the lines of Intel TME, with lighter encryption than SGX while staying under the OS's radar? Patience, patience: let Redmond take the time to plug its breaches before putting a new project into production.