[SOLVED] How is Type 1 hypervisor more secure than Type-2?

[ikernelpro4]

Every article online (most are terrible AI compilations) lists Type 1 as more secure vs Type2 Hypervisor.

Type 1 is bare metal, Type 2 runs ontop of the Host OS <- Correct? Then let's continue:

If the code of type 1 runs on the cpu/bare metal without a middle man, then I don't see how type 1 is more secure.
If anything it must be less secure since the code / instructions execute on the CPU unchecked / more freely than if you had some form of host OS middle layer where checks and limitations could be implemented.

Basically I don't see how advanced malware that is capable of exploiting type 2 hypervisors would be unable to be as malicious with type 1.

I am not very knowledgeable in VMs, I try to look things (such as this up) but the search results are absolutely horrendous and barely go in-depth with details or knowledge).

 

[kanewolf]

Every article online (most are terrible AI compilations) lists Type 1 as more secure vs Type2 Hypervisor.

Type 1 is bare metal, Type 2 runs ontop of the Host OS <- Correct? Then let's continue:

If the code of type 1 runs on the cpu/bare metal without a middle man, then I don't see how type 1 is more secure.
If anything it must be less secure since the code / instructions execute on the CPU unchecked / more freely than if you had some form of host OS middle layer where checks and limitations could be implemented.

Basically I don't see how advanced malware that is capable of exploiting type 2 hypervisors would be unable to be as malicious with type 1.

I am not very knowledgeable in VMs, I try to look things (such as this up) but the search results are absolutely horrendous and barely go in-depth with details or knowledge).

Without a full OS the code size of the hypervisor can be better patched, tested and scrutinized. All those things make it more secure. A single VM could be compromised, but the entire host is harder to attack.

 

[Colif]

Type 2 hypervisors are essentially treated as applications because they install on top of a server's OS, and are thus subject to any vulnerability that might exist in the underlying OS. A missed patch or update could expose the OS, hypervisor and VMs to attack.
Type 2 hypervisors also require a means to share folders, clipboards and other user information between the host and guest OSes. Sharing data increases the risk of hacking and spreading malicious code, so VMs demand a certain level of trust from Type 2 hypervisors.

https://www.techtarget.com/searchit...ity-tactics-for-Type-1-and-Type-2-hypervisors

 

[USAFRet]

Malware can often detect when it is within a VM, and hide itself.

The human or the Host antivirus may assume - "Oh, that file is safe"
Yeah, no so much....

 

[ikernelpro4]

https://www.techtarget.com/searchit...ity-tactics-for-Type-1-and-Type-2-hypervisors

That was quite literally the last article I read before posting this.
It doesn't really go in-depth other than what is already known: Type 2 provides (doesn't mean everyone uses them) additionally exploitable host-guest services, type 2 guest is on top of host so an outbreak is lethal for the host, type 1 smaller in size etc.

What about malicious code running "bare metal"?

 

[Colif]

none of them really go into detail - https://www.ibm.com/cloud/learn/hypervisors

You could watch a 53 minute video on the difference but that might be too much info

 

[kanewolf]

That was quite literally the last article I read before posting this.
It doesn't really go in-depth other than what is already known: Type 2 provides (doesn't mean everyone uses them) additionally exploitable host-guest services, type 2 guest is on top of host so an outbreak is lethal for the host, type 1 smaller in size etc.

What about malicious code running "bare metal"?

How does malicious code run on bare metal? Does it replace the hypervisor? Is it a user error to start this code rather than the hypervisor?
Or are you asking about a cloud provisioning that provisions a bare metal host for a tennant?

 

[hotaru.hino]

If the code of type 1 runs on the cpu/bare metal without a middle man, then I don't see how type 1 is more secure.
If anything it must be less secure since the code / instructions execute on the CPU unchecked / more freely than if you had some form of host OS middle layer where checks and limitations could be implemented.

Basically I don't see how advanced malware that is capable of exploiting type 2 hypervisors would be unable to be as malicious with type 1.

A type 1 hypervisor is essentially a specialized OS who's only job is to start up virtual machines. It doesn't do anything else. Since it's specialized software designed to do one thing, it has less code, which not only means it has less of an attack surface to exploit, but it's easier to maintain because there's not much going on compared to a full featured OS. However, this doesn't mean that a type 1 hypervisor can still implement basic OS features such as memory protection and permissions. In fact, in the protection ring schema, there exists a "Ring -1" level for the type 1 hypervisor to use.

This sort of thing happens with server versions of an OS. They ship with only what's needed to do the job, because the fewer things you have, the fewer things malware can try to use.

Malware that targets a full featured OS may also be using hooks that the type 1 hypervisor doesn't implement. It's the same reason why malware that targets Windows doesn't affect Linux: they don't use the same hooks for an application to run and do things.

What about malicious code running "bare metal"?

If the malicious code is already running and has admin access, then you're pretty much screwed anyway. "More secure" doesn't mean "malicious code can't ever run." It only means the chances of it happening are lower.

Nothing in security is 100%.

 

[alceryes]

That was quite literally the last article I read before posting this.
It doesn't really go in-depth other than what is already known: Type 2 provides (doesn't mean everyone uses them) additionally exploitable host-guest services, type 2 guest is on top of host so an outbreak is lethal for the host, type 1 smaller in size etc.

What about malicious code running "bare metal"?

It is possible, yes, but much less likely due to a smaller attack surface and security hardening built into all type 1 hypervisors.

Most type 1 hypervisors are based on (or have parts of) UNIX/Linux. This alone makes them more secure than MS Windows. These lightweight, baremetal systems are purpose-built, from the ground up, to be more secure. Hyper-V core is much more secure than Windows Server with Hyper-V installed because it's not running 'explorer' or the dozen plus other services required for a full desktop GUI environment. This means that there's less 'attack surface' for bad actors to fund vulerabilities in.

 

[alceryes]

How does malicious code run on bare metal? Does it replace the hypervisor? Is it a user error to start this code rather than the hypervisor?
Or are you asking about a cloud provisioning that provisions a bare metal host for a tennant?

It is possible to get to the bare metal system with malicious apps using apps like VMware Tools or running their own code to get to the host server. Just like when you open up Putty and SSH to your VM host. It's definitely not easy though.

 

[hotaru.hino]

In addition to the above, supply chain attacks are a thing.

 

[kanewolf]

It is possible to get to the bare metal system with malicious apps using apps like VMware Tools or running their own code to get to the host server. Just like when you open up Putty and SSH to your VM host. It's definitely not easy though.

If you are a root user on the bare metal, then you can do anything. If you are user in a VM, then you are pretty isolated from the bare metal. You don't even know there is a bare metal host under your VM. It is really a question of what you already have privileges for.

 

[hotaru.hino]

https://en.m.wikipedia.org/wiki/Virtual_machine_escape

Exploits have existed that allowed malware to escape the VM. And VMs likely have a bunch of fingerprints that make it obvious it's a VM.

 

[alceryes]

If you are a root user on the bare metal, then you can do anything. If you are user in a VM, then you are pretty isolated from the bare metal.

True.

You don't even know there is a bare metal host under your VM.

Not true. As @hotaru.hino said, all modern OSs know when they are on a virtual machine host as this information isn't 'hidden' from the VM. It would be trivial for malicious code to know this too.

It is really a question of what you already have privileges for.

True. Getting back to the OPs Q, bare metal hypervisors are purposely security hardened. Finding exploitable vulnerabilities that grant some type of system-level or root access is extremely difficult, by design, whether from inside a VM running on that host, from a CLI login, or from a host client software (without root access, of course).