Inferensys

Glossary

Virtualization-Based Security (VBS)

A hardware virtualization feature that creates an isolated region of memory for storing sensitive security assets, protecting them from malware running in the normal operating system.
Isolated secure server room with network cables physically disconnected, minimal lighting, security-focused environment.
HARDWARE-ENFORCED ISOLATION

What is Virtualization-Based Security (VBS)?

Virtualization-Based Security (VBS) is a hardware-backed security feature that leverages hypervisor technology to create an isolated, protected region of system memory, safeguarding critical security assets from malware operating within the normal OS kernel.

Virtualization-Based Security (VBS) uses hardware virtualization extensions to logically separate a secure, isolated memory enclave—often called Virtual Secure Mode (VSM)—from the standard Windows operating system. This architectural boundary ensures that even if the primary OS kernel is fully compromised by a kernel-mode rootkit, the attacker cannot access or tamper with sensitive security resources stored in the isolated region, such as credential hashes or code integrity policies.

By enforcing this hardware-level isolation, VBS enables critical security subsystems like Credential Guard and Hypervisor-Enforced Code Integrity (HVCI). Credential Guard protects domain-derived credentials by storing them in the isolated VSM, preventing tools like Mimikatz from extracting them via Pass-the-Hash techniques. HVCI ensures that only trusted, signed kernel-mode drivers can execute, significantly raising the bar for driver-based rootkits and supply chain attacks.

HARDWARE-ROOTED SECURITY

Key Features of VBS

Virtualization-Based Security (VBS) leverages hardware hypervisor extensions to create a logically isolated execution environment, protecting critical system assets from kernel-mode malware.

01

Virtual Secure Mode (VSM)

A high-privilege execution environment created by the hypervisor that runs alongside the normal Windows OS. VSM establishes a separate virtual trust level (VTL) where sensitive security assets like credentials and tokens are stored. Code running in the normal OS, even with kernel privileges, cannot read or write to VSM memory because the hypervisor enforces strict memory access controls at the hardware level. This isolation is enforced by the Second Level Address Translation (SLAT) capabilities of modern CPUs.

VTL 1
Secure World Privilege Level
VTL 0
Normal OS Privilege Level
03

Hypervisor-Enforced Code Integrity (HVCI)

Also known as Memory Integrity, HVCI runs the kernel-mode code integrity verification process inside VSM. It ensures that all kernel-mode drivers and binaries are signed by validated authorities before they are allowed to execute. By moving this check to VTL 1, HVCI prevents kernel-mode malware from tampering with the code integrity policy itself. This blocks unsigned driver loading, kernel rootkits, and code injection into protected kernel memory pages.

04

Hardware Root of Trust

VBS relies on hardware virtualization extensions including Intel VT-x/EPT, AMD-V/RVI, and ARM VHE to enforce isolation. The hypervisor acts as the highest-privilege arbiter, using SLAT tables to map memory access permissions between VTLs. This hardware-enforced boundary means that no software vulnerability in the normal OS can bypass VBS protections. The trust boundary is rooted in the CPU silicon itself, not in a software abstraction layer.

05

Application Guard

Extends VBS isolation to the application layer by running Microsoft Edge and Microsoft Office in a hardware-isolated container. Untrusted documents and websites execute inside a disposable, micro-virtual machine that has no access to the host OS, local storage, or corporate network resources. If malware executes within the container, it cannot persist or pivot. The container is destroyed when the session ends, providing network-level isolation for high-risk content.

06

Secure Launch with DRTM

VBS integrates with Dynamic Root of Trust for Measurement (DRTM) to establish a cryptographically verified boot chain. Using CPU instructions like Intel TXT or AMD SKINIT, the system can reset to a known secure state at any time without a full reboot. This late-launch capability measures the VBS hypervisor and VSM environment into TPM Platform Configuration Registers (PCRs), enabling remote attestation that the VBS environment is intact before releasing secrets.

VBS SECURITY PRIMER

Frequently Asked Questions

Explore the core mechanisms of Virtualization-Based Security (VBS), a critical hardware-enforced isolation technology that protects high-value credentials and kernel integrity from modern malware.

Virtualization-Based Security (VBS) is a hardware-enforced security feature that leverages hypervisor technology to create an isolated, protected region of memory called the Virtual Secure Mode (VSM). This secure memory enclave operates completely separate from the normal Windows operating system, preventing malware running with kernel-level privileges from accessing sensitive security assets. VBS works by using Second Level Address Translation (SLAT) and I/O Memory Management Unit (IOMMU) to enforce strict memory boundaries, ensuring that even if the primary OS is fully compromised, the isolated vault remains inaccessible to attackers.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.