Brandon Baker Discusses Virtualization Security and Hyper-V
Virtualization is all about consolidation, which in many ways is a fancy term for "putting all your eggs in one basket". For security types, this can keep you awake at night. Brandon very astutely comments that "a compromise of the hypervisor means a complete compromise of the whole machine. All VMs owned. Game over." This means that the hypervisor layer must be as secure as possible. Appliance secure, to put it bluntly.
Brandon continues:
In the development of Hyper-V, we spent a lot of time validating all of the points through which a VM can send data out to the host. I've personally enumerated every single one of these throughout our threat modeling. I have a diagram outside my office showing all of the channels, or data flows, from a VM to the hypervisor. This includes all of the intercepts, hypercalls, instruction completion points, synthetic interrupts, memory reads and writes, and page table accesses we do. With each data flow represented as a line, it sort of looks like a giant squid. Someone even drew a toothy grin on the circle that represents the hypervisor. In each of these data flows we have to be concerned about a flaw in parsing VM data that could lead to a compromise of the system. To be crystal clear - a compromise of the hypervisor means a complete compromise of the whole machine. All VMs owned. Game over. So we really, really care a great deal about all of these channels. We want as few channels as reasonably possible, and we want the code behind each of these channels to be as simple as possible. I firmly believe that complexity is the enemy of security, and virtualization is one place that already has enough complexity. Fortunately, our hypervisor is small, around 600kB, and will only get smaller as time goes by and more of what it does gets done by hardware. So the assurance we can give our customers is that the software on the end of those channels is owned by us, has been vetted by us and by other security professionals, and we own fixing any flaws found as quickly as possible.
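As an added illustration of the parsing concern Brandon describes, here is a hypothetical, minimal hypercall channel in C. This is example code written for this page, not Hyper-V's code; the request structure, call codes, per-call parameter table and the flat 64-page guest memory model are all assumptions constructed for the example. It shows the checks the code behind one such channel needs before it touches any guest-supplied value: the call code is bounds-checked before it indexes the dispatch table, the parameter count must match the call, and a guest physical address range is rejected if it is empty, wraps the 64-bit address space, or leaves guest memory. The request is validated and used from a hypervisor-owned copy, so the VM cannot change it between the check and the use.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of a single VM-to-hypervisor channel (a hypercall).
 * Constructed for illustration; this is not Hyper-V code. */

#define PAGE_SIZE        4096ULL
#define GUEST_PAGES      64ULL                 /* constructed: a 256 KiB guest */
#define GUEST_MEM_BYTES  (GUEST_PAGES * PAGE_SIZE)
#define MAX_PARAMS       4

enum hv_status {
    HV_OK = 0,
    HV_BAD_CODE,        /* call code outside the dispatch table */
    HV_BAD_PARAM_COUNT, /* wrong number of parameters for this call */
    HV_BAD_RANGE        /* address range is empty, wraps, or leaves guest memory */
};

enum hv_code { HC_NOP = 0, HC_READ_SUM = 1, HC_FILL = 2, HC_COUNT };

/* Request as the guest presents it: every field is untrusted until validated. */
struct hv_request {
    uint32_t code;
    uint32_t nparams;
    uint64_t params[MAX_PARAMS];
};

/* Flat guest-physical memory backing the model. */
static uint8_t guest_mem[GUEST_MEM_BYTES];

/* Expected parameter count per call code; indexed only after the code
 * itself has been bounds-checked against HC_COUNT. */
static const uint32_t expected_params[HC_COUNT] = {
    [HC_NOP]      = 0,
    [HC_READ_SUM] = 2,   /* gpa, len */
    [HC_FILL]     = 3    /* gpa, len, byte value */
};

/* Accept [gpa, gpa + len) only if it is non-empty, does not wrap the
 * 64-bit address space, and lies entirely inside guest memory. */
enum hv_status hv_check_range(uint64_t gpa, uint64_t len) {
    if (len == 0) return HV_BAD_RANGE;
    if (gpa > UINT64_MAX - len) return HV_BAD_RANGE;   /* gpa + len would wrap */
    if (gpa + len > GUEST_MEM_BYTES) return HV_BAD_RANGE;
    return HV_OK;
}

/* Dispatch one hypercall. The request is taken by value: that copy is the
 * snapshot that is validated and then used, never guest-writable memory. */
enum hv_status hv_dispatch(struct hv_request req, uint64_t *result) {
    uint64_t out = 0;
    if (req.code >= HC_COUNT) return HV_BAD_CODE;
    if (req.nparams != expected_params[req.code]) return HV_BAD_PARAM_COUNT;

    switch ((enum hv_code)req.code) {
    case HC_NOP:
        break;
    case HC_READ_SUM: {  /* stand-in for copying a guest buffer to the host */
        uint64_t gpa = req.params[0], len = req.params[1];
        enum hv_status st = hv_check_range(gpa, len);
        if (st != HV_OK) return st;
        for (uint64_t i = 0; i < len; i++) out += guest_mem[gpa + i];
        break;
    }
    case HC_FILL: {      /* stand-in for the host writing into a guest buffer */
        uint64_t gpa = req.params[0], len = req.params[1];
        enum hv_status st = hv_check_range(gpa, len);
        if (st != HV_OK) return st;
        memset(&guest_mem[gpa], (int)(req.params[2] & 0xFF), (size_t)len);
        out = len;
        break;
    }
    default:
        return HV_BAD_CODE;   /* unreachable after the bound check; kept as a guard */
    }
    if (result) *result = out;
    return HV_OK;
}

/* Convenience wrappers: issue a call in one line, returning status or value
 * (hv_call_value returns UINT64_MAX when the call is rejected). */
enum hv_status hv_call(uint32_t code, uint32_t nparams,
                       uint64_t p0, uint64_t p1, uint64_t p2, uint64_t *result) {
    struct hv_request req = { .code = code, .nparams = nparams,
                              .params = { p0, p1, p2, 0 } };
    return hv_dispatch(req, result);
}

uint64_t hv_call_value(uint32_t code, uint32_t nparams,
                       uint64_t p0, uint64_t p1, uint64_t p2) {
    uint64_t r = 0;
    return hv_call(code, nparams, p0, p1, p2, &r) == HV_OK ? r : UINT64_MAX;
}

int main(void) {
    /* Constructed sample: fill 16 bytes at gpa 0x1000 with 0xAB, sum them,
     * then show a wrapping range being refused. */
    printf("fill -> %llu\n", (unsigned long long)hv_call_value(HC_FILL, 3, 0x1000, 16, 0xAB));
    printf("sum  -> %llu\n", (unsigned long long)hv_call_value(HC_READ_SUM, 2, 0x1000, 16, 0));
    printf("wrap -> status %d\n", hv_call(HC_READ_SUM, 2, UINT64_MAX - 8, 16, 0, NULL));
    return 0;
}
```

The point of the wrap check is the one that is easiest to forget: a bounds test written as `gpa + len <= GUEST_MEM_BYTES` passes for a huge `gpa` once the addition overflows, so the range is tested against `UINT64_MAX - len` first. Every rejected request returns before any guest memory is read or written, which is the property the channel must keep no matter how many call codes are added later.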
Hyper-V's delay could be interpreted as Microsoft overreaching on planned deployment dates, or it could be interpreted as "Microsoft wants to ensure that we get this thing right, straight out of the gate." I tend to believe the latter. With the slow adoption of Vista, Microsoft will have a very hard time if Hyper-V sees security problems at the get-go.
Remember too that these are problems at a level that we as administrators are never going to see. The only exposure we'll have to issues that occur at this level is when we need to apply patches. This, in effect, means that our only possible exposure will always be a negative one. So, Microsoft needs to be doubly sure that Hyper-V's hypervisor layer is a set-it-and-forget-it technology.
Read the full post at: http://blogs.msdn.com/rsa2008/archive/2008/04/07/isolation-of-virtual-machines.aspx
