Virtualbox does not support HVCI/Memory Integrity for Windows 10 Host

Discussions related to using VirtualBox on Windows hosts.
CKing123
Posts: 9
Joined: 18. Aug 2020, 05:47

Virtualbox does not support HVCI/Memory Integrity for Windows 10 Host

Post by CKing123 »

Virtualbox does not support HVCI/Memory Integrity (which requires drivers to be W^X; see this post: https://docs.microsoft.com/en-us/window ... iness-tool )

How to reproduce:
Open Windows Security (or Windows Defender in older versions of Windows 10)
Go to Device Security
Go to Core isolation details
Try turning on Memory Isolation

You will get this in the Action Center: [Image]

So how did I isolate it to Virtualbox? I used the DGReadiness tool (despite the reference to Device Guard, Device Guard also requires HVCI/Memory Integrity): https://www.microsoft.com/en-us/downloa ... x?id=53337

I got this as a result:


Incompatible HVCI Kernel Driver Modules found

Module: vboxnetlwf.sys
	Reason: execute pool type count:                2
Module: vboxdrv.sys
	Reason: execute pool type count:                2
Module: vboxnetadp6.sys
	Reason: execute pool type count:                2
Now, HVCI/Memory Integrity requires all drivers to be compatible for it to be used. New installations of Windows 10 since 2018 (build 1803) have this enabled out of the box (this does not apply to upgraded versions of Windows from before 1803) and newer devices that are Secure Core have this enabled by default. If a driver is not compatible, Windows 10 can usually disable it but HVCI can also have a UEFI lock (to prevent malware from just disabling it), so it's best to support HVCI even if Windows 10 can disable Core Isolation for now if a driver is not compatible.

In addition, looking at the PE headers for these drivers:

VBoxNetLwf.sys:
FileName : C:\Windows\system32\drivers\VBoxNetLwf.sys
ARCH : AMD64
DotNET : False
ASLR : False
DEP : False

Authenticode : True
StrongNaming : N/A
SafeSEH : N/A
ControlFlowGuard : False
HighentropyVA : False

vboxdrv.sys:
FileName : C:\Windows\system32\drivers\vboxdrv.sys
ARCH : AMD64
DotNET : False
ASLR : False
DEP : False

Authenticode : True
StrongNaming : N/A
SafeSEH : N/A
ControlFlowGuard : False
HighentropyVA : False

vboxnetadp6.sys:
FileName : C:\Windows\system32\drivers\vboxnetadp6.sys
ARCH : AMD64
DotNET : False
ASLR : False
DEP : False

Authenticode : True
StrongNaming : N/A
SafeSEH : N/A
ControlFlowGuard : False
HighentropyVA : False

It is disappointing that Virtualbox does not employ many of the anti-exploitation technologies, as they can reduce the chances of VM escape even when an attacker uses a vulnerability. That said, these technologies (ASLR, DEP, ControlFlowGuard and HighentropyVA) can be used piecemeal (as in, not all drivers need to use them to get the benefit from drivers that do use them). However, for HVCI, all drivers need to be compatible for it to work.
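The per-driver listing above reports four Optional Header flags (ASLR, DEP, ControlFlowGuard, HighentropyVA) that any PE reader can check statically, and the W^X property HVCI cares about is visible in the section table as well: no section may be both writable and executable. The following script is an added example written for this thread, not code from the original post or from the VirtualBox project; it parses those headers with the standard library only and, when given no path, runs against a header-only PE32+ image it constructs itself as test input (the `build_synthetic_pe` helper and its section layout are constructed for illustration, not taken from any real driver).

```python
"""Static check of a PE file's exploit-mitigation flags and W^X sections.

Added example for the discussion above; not from the forum post or VirtualBox.
Uses only the standard library. Flag values are the documented
IMAGE_DLLCHARACTERISTICS_* and IMAGE_SCN_* constants from the PE spec.
"""
import struct
import sys

# Optional Header DllCharacteristics bits (same offset 70 in PE32 and PE32+)
DLL_HIGH_ENTROPY_VA = 0x0020   # 64-bit ASLR address space
DLL_DYNAMIC_BASE    = 0x0040   # ASLR (image may be relocated)
DLL_NX_COMPAT       = 0x0100   # DEP / NX compatible
DLL_GUARD_CF        = 0x4000   # Control Flow Guard

# Section header Characteristics bits
SCN_MEM_EXECUTE = 0x20000000
SCN_MEM_READ    = 0x40000000
SCN_MEM_WRITE   = 0x80000000

MACHINES = {0x8664: "AMD64", 0x014C: "I386", 0xAA64: "ARM64"}


def inspect_pe(data: bytes) -> dict:
    """Return the mitigation flags and any writable+executable sections."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes)
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    dllchar = struct.unpack_from("<H", data, opt + 70)[0]

    # Section headers are 40 bytes each and follow the optional header.
    sections = []
    sec_base = opt + opt_size
    for i in range(nsections):
        off = sec_base + 40 * i
        name = struct.unpack_from("<8s", data, off)[0].rstrip(b"\0").decode("ascii", "replace")
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append((name, chars))
    wx = [n for n, c in sections if (c & SCN_MEM_EXECUTE) and (c & SCN_MEM_WRITE)]

    return {
        "arch": MACHINES.get(machine, hex(machine)),
        "pe32plus": magic == 0x20B,
        "ASLR": bool(dllchar & DLL_DYNAMIC_BASE),
        "DEP": bool(dllchar & DLL_NX_COMPAT),
        "ControlFlowGuard": bool(dllchar & DLL_GUARD_CF),
        "HighEntropyVA": bool(dllchar & DLL_HIGH_ENTROPY_VA),
        "writable_executable_sections": wx,   # non-empty violates W^X
    }


def build_synthetic_pe(dllchar: int, sections) -> bytes:
    """Build a header-only PE32+ image (constructed test input, not a real driver)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)   # 64 bytes
    opt_size = 240                                                     # PE32+ with 16 data dirs
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, opt_size, 0x2022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)        # PE32+ magic
    struct.pack_into("<H", opt, 70, dllchar)     # DllCharacteristics
    secs = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode(), 0, 0, 0, 0, 0, 0, 0, 0, chars)
        for name, chars in sections
    )
    return dos + b"PE\0\0" + coff + bytes(opt) + secs


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            blob = f.read()
    else:
        # Constructed sample resembling the listing above: no mitigations, and a W^X violation.
        blob = build_synthetic_pe(0, [(".text", SCN_MEM_EXECUTE | SCN_MEM_WRITE | SCN_MEM_READ)])
    for key, value in inspect_pe(blob).items():
        print(f"{key:30}: {value}")
```

Run it as `python check_pe.py C:\Windows\system32\drivers\vboxdrv.sys` to compare against the listing above. Note the limits of a static check: the "execute pool type count" reason reported by the DGReadiness tool concerns how the driver allocates pool memory at run time, which no header inspection can see, so an empty `writable_executable_sections` list is necessary for HVCI compatibility but not sufficient.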
mpack
Site Moderator
Posts: 39134
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Mostly XP

Re: Virtualbox does not support HVCI/Memory Integrity for Windows 10 Host

Post by mpack »

If you want an app to make use of some Windows-only technologies, then perhaps don't choose a cross platform app?

Many of the technologies you mention implicitly enable VT-x/AMD-v for the Windows host to use, these are the very same CPU functions that VirtualBox wants to use, and Win10 is not good at sharing. Making VirtualBox compatible with such things is a work in progress, perhaps it will be completed some time. In the meantime the best results are obtained by disabling all host OS use of CPU virtualization features. See FAQ, especially posts #2 and later. FAQ: I have a 64bit host, but can't install 64bit guests.

Moving this topic to "Windows Hosts", IMO it's too WinCentric to belong in "Suggestions".
CKing123
Posts: 9
Joined: 18. Aug 2020, 05:47

Re: Virtualbox does not support HVCI/Memory Integrity for Windows 10 Host

Post by CKing123 »

Thanks for the reply.
> If you want an app to make use of some Windows-only technologies, then perhaps don't choose a cross platform app?
While that is true, a cross-platform app shouldn't require disabling a security feature to work. That said I agree that WHP is in flux, with Virtualbox targeting 1809 while VMware targets 2004. Similarly, on macOS, Apple has started deprecating KEXTs and in response, Virtualbox has moved to userspace Hypervisor.framework as well. That said, I am willing to wait on that support first, but if it is moving to Microsoft's userspace WHP, then either the main virtualization driver can be removed and the networking driver can be updated to support HVCI, or both could support HVCI.
adrelanos
Posts: 22
Joined: 9. Sep 2018, 09:48

Re: Virtualbox does not support HVCI/Memory Integrity for Windows 10 Host

Post by adrelanos »

Fixed in VirtualBox version 6.1.32 and above?

Quote https://www.virtualbox.org/wiki/Changelog

VMM: Changed the guest RAM management when using Hyper-V to be more compatible with HVCI (bug #20627 and #20694)

https://www.virtualbox.org/ticket/20627

https://www.virtualbox.org/ticket/20694
mpack
Site Moderator
Posts: 39134
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Mostly XP

Re: Virtualbox does not support HVCI/Memory Integrity for Windows 10 Host

Post by mpack »

I wouldn't like to call it "fixed". VirtualBox and Hyper-v are competing for the same resources. VirtualBox can be made to fall back on secondary methods when the primary ones are not available, and making that as good as possible is the "work in progress" mentioned above, but still I've never heard of anyone being delighted with the performance.