Why can hardware assisted virtualization be a security issue?

My research suggests that you have misinterpreted the meaning of the setting, e.g., see this thread.

Avast is capable of using hardware-assisted virtualization to provide better anti-virus protection. However, because this can cause compatibility issues with other software, an option is provided to disable this functionality.

That is, if you turn off "Enable hardware assisted virtualization" you are not telling Avast to disable hardware virtualization on the PC; rather, you are telling Avast not to make use of the hardware virtualization functionality itself.


In theory, hardware-assisted virtualization can make hypervisor-based rootkits possible. However, this type of malware already requires extremely high privileges and is not a particular threat. Furthermore, hardware-assisted virtualization can be used by Windows to supplement its sandbox for added security. It's not a security issue so much as a feature optionally used by one theoretical kind of malware.

A hypervisor is software which is able to run a virtual operating system underneath it. The hypervisor, in other words, pretends to be real hardware so the operating system running under it doesn't need to be aware of this fact. Hardware-assisted virtualization (called VT-x for Intel and AMD-V for AMD) is simply a CPU feature that allows hypervisors to run at native performance, as if the hypervisor wasn't there.

You will not improve security by disabling hardware-assisted virtualization. Because it requires such high privileges to use in the first place, any malware that is able to use it is already able to bypass any restrictions you set. As such, Avast's option to disable this feature provides no additional security, and might actually decrease security by preventing Windows from using it in its Hyper-V-based sandbox.


VT can be an issue because of improper guest isolation, where data from one VM can leak to another VM. See L1TF - L1 Terminal Fault for affected CPUs and possible mitigation approaches. While those containers are all under your control, the attack vector is rather theoretical.

But one certainly cannot disable VT from within the OS. Avast AntiVirus may have its own sand-boxed container, which may either run hardware-accelerated or not. This likely affects its startup speed and also the resource utilization, but it has no direct security implications. Searches like "site:forum.avast.com virtualization" hint at possible interference with other VMs. Therefore, while there is no interference with other virtual machines (depending on which type of hypervisor they use) and VT-x is enabled in the BIOS, one should enable hardware acceleration for Avast. This setting is generally all about using a type I vs. a type II hypervisor for that sand-boxed container.
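Added example, not code from any of the answers' authors or from Avast: a small Python script that checks the two facts the second and third answers rest on from the defender's side. Whether VT-x or AMD-V is available is a CPU and firmware property (the "vmx" or "svm" flag in /proc/cpuinfo on Linux), which is why no setting inside the OS can switch it off; and the kernel reports its L1TF status, including the guest-isolation details for a KVM host, in /sys/devices/system/cpu/vulnerabilities/l1tf. The two paths are real Linux interfaces and the line format follows the kernel's L1TF admin guide; the function names and the sample text at the bottom are this example's own, and the samples are constructed rather than captured from a real machine.

```python
"""Defender-side check of hardware-assisted virtualization and L1TF status
on a Linux host.  Added example, not from the answers' authors or Avast.
/proc/cpuinfo and the l1tf sysfs file are real interfaces; the sample
strings at the bottom are constructed for offline use."""
import re
from pathlib import Path
from typing import Dict, Optional

CPUINFO_PATH = Path("/proc/cpuinfo")
L1TF_PATH = Path("/sys/devices/system/cpu/vulnerabilities/l1tf")

# Kernel appends KVM/VMX state to the l1tf line when kvm_intel is loaded, e.g.
# "Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable"
_VMX_RE = re.compile(r"VMX:\s*(?P<state>[^,]+?)(?:,\s*SMT\s+(?P<smt>\w+))?\s*$")


def cpu_flags(cpuinfo_text: str) -> set:
    """Flag names from the first 'flags' line of /proc/cpuinfo."""
    m = re.search(r"^flags\s*:\s*(.*)$", cpuinfo_text, re.MULTILINE)
    return set(m.group(1).split()) if m else set()


def virtualization_extension(cpuinfo_text: str) -> Optional[str]:
    """'VT-x', 'AMD-V' or None.  No flag means the CPU lacks the feature or
    firmware has it switched off; nothing inside the OS (an AV toggle
    included) can change that, which is the point made in the answers."""
    flags = cpu_flags(cpuinfo_text)
    if "vmx" in flags:
        return "VT-x"
    if "svm" in flags:
        return "AMD-V"
    return None


def running_as_guest(cpuinfo_text: str) -> bool:
    """The synthetic 'hypervisor' flag is set when this kernel is itself a VM."""
    return "hypervisor" in cpu_flags(cpuinfo_text)


def l1tf_assessment(status_line: str) -> Dict[str, object]:
    """Interpret the l1tf sysfs line.  'host_mitigated' is the kernel's own
    PTE inversion; the VMX fields describe the cross-VM leak scenario from
    the third answer and only appear when the host actually runs KVM."""
    s = status_line.strip()
    out: Dict[str, object] = {
        "raw": s,
        "affected": s != "Not affected",
        "host_mitigated": s.startswith("Mitigation: PTE Inversion"),
        "vmx_state": None,    # e.g. 'conditional cache flushes', 'vulnerable'
        "smt_exposed": None,  # True when SMT is on and a sibling thread could snoop
    }
    m = _VMX_RE.search(s)
    if m:
        out["vmx_state"] = m.group("state").strip()
        out["smt_exposed"] = m.group("smt") == "vulnerable"
    if not out["affected"]:
        out["guest_isolation_ok"] = True
    elif m is None:
        out["guest_isolation_ok"] = None   # no VMX report: KVM not active
    else:
        # L1D flush disabled ('vulnerable') or SMT left on means a guest could
        # still read stale L1D contents belonging to the host or another VM.
        out["guest_isolation_ok"] = (
            out["vmx_state"] != "vulnerable" and not out["smt_exposed"])
    return out


def host_report() -> Dict[str, object]:
    """Read the live interfaces; fields stay None where a file is absent
    (non-Linux host, or a kernel without the vulnerabilities directory)."""
    report: Dict[str, object] = {"extension": None, "guest": None, "l1tf": None}
    if CPUINFO_PATH.exists():
        text = CPUINFO_PATH.read_text()
        report["extension"] = virtualization_extension(text)
        report["guest"] = running_as_guest(text)
    if L1TF_PATH.exists():
        report["l1tf"] = l1tf_assessment(L1TF_PATH.read_text())
    return report


# Constructed samples (not captured from a real machine), used for offline tests.
SAMPLE_CPUINFO_INTEL = (
    "processor\t: 0\nvendor_id\t: GenuineIntel\n"
    "flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep vmx ept smx\n")
SAMPLE_CPUINFO_GUEST = (
    "processor\t: 0\nvendor_id\t: AuthenticAMD\n"
    "flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep hypervisor\n")
SAMPLE_L1TF_HOST = "Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable\n"
SAMPLE_L1TF_SMT_OFF = "Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT disabled\n"

if __name__ == "__main__":
    print(host_report())
```

Run it as root or an ordinary user; both files are world-readable. A host that shows "VT-x" but "guest_isolation_ok": False is one where the L1TF guidance (disable SMT, or enable unconditional L1D flushing) applies; a machine that is only ever a guest, or never runs KVM, gets None for that field because the cross-VM case does not arise there.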