October 4, 2024

Exploring VBS Enclaves: Windows’ Next-Gen Security Technology Unveiled

VBS Enclaves represent the latest effort by Microsoft to leverage virtualization for enhancing Windows security by compartmentalizing essential functions within encrypted virtual machines utilizing the low-level Krypton hypervisor.

Krypton plays a crucial role in modern Windows, enabling virtual machines and the host operating system to share a scheduler. This capability allows components such as Windows login to operate independently from the broader OS. Consequently, these functions are safeguarded, ensuring that sensitive information such as passwords and biometric data remains protected from malware that may be active in the host Windows environment.

At the heart of much of Windows 11’s hardware security is Krypton, which collaborates with your PC’s trusted platform modules (TPM) to oversee encryption keys, digital signatures, and verification hashes. It’s essentially a mechanism to drastically lessen the chances of sensitive information being compromised on your PC while also minimizing the threat of malware corrupting what are typically trusted Windows functions.

Microsoft has recognized the importance of virtualization-based security for an extended period, tracing back to Windows Server 2016 and the launch of Secure Windows containers. While Windows offered support for Docker and other container-based application isolation tools, the implementation was not without its flaws.

Secure Windows containers combine the functionalities of containers and Hyper-V’s security features to provide greater isolation. Hosting secure containers within a virtual machine instead of directly on the host operating system introduces some overhead, because the application containers need an additional operating system. However, with advancements like Nano Server and Windows Server Core, this overhead has been minimized, and recent updates have significantly reduced the sizes of server images.

Over time, Microsoft integrated this approach with Trusted Platform Module (TPM) capabilities to enhance the security of Windows, ultimately implementing it in Windows 11. This is the reason why Windows 11 mandates hardware that supports TPM 2.0.

The TPM securely stores the keys and certificates necessary for managing digital signatures, enabling tools like the Windows memory integrity service to operate within a fortified virtualized environment. This is achieved through Hyper-V-secured VMs running on the Krypton hypervisor. With memory integrity in place, kernel-mode drivers and binaries undergo validity checks for their signatures before execution, blocking any unsigned code that could jeopardize your computer’s security.

Recently, Microsoft has expanded its virtualization-based security framework to include what it refers to as VBS Enclaves. If you have explored confidential computing implementations on Windows Server or within Azure, you would recognize the concept of enclaves, which utilizes Intel’s SGX instruction set to secure memory segments, creating a trusted execution environment. This method necessitates specific processor types, as the latest version of SGX is confined to enterprise-grade Xeon hardware.

VBS Enclaves provide a method for securing memory without the need for specialized hardware. This capability enables Microsoft to implement secure enclaves on various platforms including Intel, AMD, and Arm hardware. Consequently, Recall will function solely within a trusted memory space controlled by the Krypton hypervisor, utilizing your PC’s TPM for encryption key management and ensuring user presence via Windows Hello.

Implementing a trusted execution environment on a PC serves purposes beyond just AI security. It safeguards sensitive information, introducing a layer of protection that encompasses not just data at rest and in transit, but also data in use. Although establishing and utilizing a VBS Enclave demands additional effort, the enhanced security it provides, with minimal performance degradation, is worthwhile.

With the memory integrity features in Windows 11, a VBS Enclave harnesses the built-in hypervisor of Windows to create a distinct, isolated area of system memory known as Virtual Trust Level 1 (VTL 1). Most of your code—and the Windows operating system itself—will operate at Virtual Trust Level 0 (VTL 0). VTL 1 is utilized by a secure iteration of the Windows kernel, which has a separate user mode. This is where your VBS Enclave operates, as a component of an application that seems to bridge the two zones. In actuality, you are isolating the VTL 1 enclave and utilizing secure channels for communication with it from the rest of your application running in VTL 0.

So, how can you create and implement VBS Enclaves? First, ensure you have Windows 11 or Windows Server 2019 or a later version, with VBS enabled. This can be achieved through the Windows security tool, via Group Policy, or using Intune to manage it through MDM. It’s part of the Memory Integrity service, and it is advisable to enable it on all compatible devices to mitigate security risks, even if you do not intend to incorporate VBS Enclaves in your applications.

One effective way to view this technology is as a method of securely utilizing encrypted storage. For instance, if you’re working with a database to handle sensitive information, you can utilize code operating within an enclave to process and access that data, with results being relayed to the broader application. This approach encapsulates the data in a secure setting with restricted access permissions. Other components of the system cannot access the decryption keys, ensuring that the data at rest remains secure.

Any code in the VTL 1 environment must be signed by Microsoft. An OS-level transition between the two trust zones resets CPU registers to mitigate the risk of transferring state information between less secure user modes and your VBS Enclave. Naturally, employing a VBS Enclave incurs a higher computational cost, resulting in longer execution times (though still only taking microseconds).

VBS Enclaves operate as DLLs and require a host application to function. They are limited to a specific subset of Windows system-level C++ APIs, and the available Universal C Runtime APIs are listed in the development documentation. Additional APIs are supported in the VBS Enclave Runtime (Vertdll) and the Bcrypt cryptographic library.

Microsoft offers a helpful sample application designed to demonstrate the lifecycle of a VBS Enclave application, showcasing how to invoke enclave functions from the host application. External functions must be deliberately exported, and only those designated functions can be accessed by the host. Compiling an enclave necessitates particular configurations in the linker to ensure that appropriate libraries are utilized and that the resulting DLL is properly instrumented. Additional security features are also in place to protect the VBS Enclave from attacks stemming from forged platform DLLs.

After compiling your code, it is essential to ensure it is signed. For a VBS Enclave signature, there are three specific Extended Key Usages (EKUs) required: one for code signing, one for the enclave itself, and one for the authoring entity. In a production environment, you can leverage Microsoft’s Trusted Signing service, which provides a specific profile designed for signing enclaves. This method enables automated signing processes using the Azure CLI.

When developing code that interacts with VBS Enclaves, there are several critical considerations. Any application operating on the host PC can load these enclaves, so it’s vital that the code within the enclave treats anything from outside the enclave as untrusted.
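The untrusted-input rule above, sketched as an added example (not from Microsoft's sample or the original article): an exported enclave function snapshots the host's descriptor, rejects any pointer range that wraps or overlaps enclave memory, and copies the input in before using it. `enclave_mem`, `host_request` and `enclave_handle_request` are hypothetical names, and the enclave's address range is simulated with a static array so the code runs on any platform.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for enclave (VTL 1) memory; a real enclave learns its
   own address range from its runtime. All names here are hypothetical. */
static uint8_t enclave_mem[4096];
#define MAX_REQUEST 256u

/* Descriptor the untrusted host (VTL 0) passes across the boundary. */
typedef struct { const uint8_t *data; size_t len; } host_request;

/* 1 only if [addr, addr+len) does not wrap and lies wholly outside the enclave. */
static int outside_enclave(uintptr_t addr, size_t len)
{
    uintptr_t base = (uintptr_t)enclave_mem;
    if (len == 0 || len > UINTPTR_MAX - addr) return 0;   /* empty or wraps */
    return addr + len <= base || addr >= base + sizeof enclave_mem;
}

/* Exported entry point: returns bytes copied in, or a negative error code. */
int enclave_handle_request(const host_request *req)
{
    if (req == NULL || !outside_enclave((uintptr_t)req, sizeof *req)) return -1;
    host_request snap = *req;          /* read once: the host can rewrite *req */
    if (snap.len == 0 || snap.len > MAX_REQUEST) return -3;
    if (!outside_enclave((uintptr_t)snap.data, snap.len)) return -2;
    memcpy(enclave_mem, snap.data, snap.len);  /* use only this private copy */
    return (int)snap.len;
}

int main(void)
{
    const uint8_t msg[] = "constructed host input";
    host_request ok  = { msg, sizeof msg };
    host_request bad = { enclave_mem + 64, 32 };   /* points back into enclave */
    printf("ok=%d bad=%d\n", enclave_handle_request(&ok), enclave_handle_request(&bad));
    return 0;
}
```

Validating the snapshot rather than the host's live structure matters because the host can change the pointer or length between the check and the copy.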

The same underlying technology powers the Always Encrypted feature in Azure SQL and SQL Server. This mechanism guarantees that sensitive data is accessible only to authorized users. T-SQL operations have the capability to traverse the secure enclave boundary by utilizing confidential queries over an internal TLS connection. All operations occur within the enclave, ensuring that the original data remains encrypted.

VBS Enclaves inherently possess complexity and come with considerable restrictions compared to standard DLLs. Without these limitations, their security would mirror that of a typical DLL. However, by enforcing strict code confinement at the library and header levels to operate within a trusted execution environment, you substantially mitigate the risk of data leakage, whether intentional or inadvertent.

While it might take slightly more time and demand additional system resources, prioritizing security is a crucial consideration when handling sensitive data. Utilizing VBS Enclaves along with encrypted storage is vital in scenarios involving personally identifiable information. This applies especially when managing user data such as vector-indexed Recall histories, payment details, or medical records.

Whenever there is a potential risk linked to data, you should need a strong rationale for not employing this technology. For any sensitive information, relying on VBS Enclaves should be regarded as the standard approach.

