Hypervisor
A Hypervisor is software that runs on a physical machine and enables the creation, operation, and management of multiple virtual machines (VMs) on that single machine. The Hypervisor abstracts the underlying physical computing resources (such as CPU and memory), manages them centrally, and allocates them to each VM as required. It isolates the resources of different VMs on the same physical machine, preventing data theft and malicious attacks, and ensures that a VM's resource usage is not affected by neighbouring VMs. Users of a VM can access only the resources (hardware, software, and data) of their own VM and cannot access those of other VMs, which guarantees the data isolation and security of the VMs.
Isolated CPU
CPU virtualization is the core of the Hypervisor: both memory virtualization and I/O virtualization depend on a correct implementation of CPU virtualization.
In the x86 architecture, instruction execution is protected by four privilege levels, collectively referred to as Rings. From highest to lowest privilege, they are:
Ring 0: The highest privilege level, used for running the operating system kernel.
Ring 1: Used for operating system services.
Ring 2: Used for operating system services.
Ring 3: Used for applications.
The Hypervisor runs at the highest privilege level, which allows it to control all critical resources of the physical processor, whereas the VM operating system runs at a lower privilege level, so its sensitive instructions (those that access physical resources) trap into the Hypervisor and are emulated in software. By intercepting and emulating the VM's sensitive instructions, the Hypervisor isolates each VM's vCPU and prevents malicious attacks by an unauthorized VM on the physical machine or on other VMs.
Memory Isolation
The Hypervisor uses memory virtualization technology to achieve memory isolation between different VMs, ensuring that each VM has its own independent memory space without mutual interference.
Compared with the traditional two-level address mapping performed by an OS (from virtual address to machine physical address), the core of memory virtualization is the introduction of an additional layer of address space, the Guest Physical address space. The Hypervisor manages physical memory and allocates it to each VM. The operating system inside the VM sees a virtualized Guest Physical address space, and the target addresses of its instructions are Guest Physical addresses. In a non-virtualized scenario these addresses would be the real physical addresses; in a virtualized environment they cannot be placed directly on the system bus and must be translated before the physical processor can act on them. When a VM accesses memory, the three-tier address translation works as follows: the VM maps Guest Virtual Addresses to Guest Physical Addresses, and the Hypervisor then maps Guest Physical Addresses to Machine Addresses.
The Hypervisor's address translation mechanism ensures that VMs cannot directly access the actual machine addresses and can only access the physical memory allocated to them by the Hypervisor.
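The following is an added example, not code from the original page: a small model of the two-stage translation just described, in which the guest OS owns the first-stage table (Guest Virtual to Guest Physical) and the Hypervisor owns a per-VM second-stage table (Guest Physical to Machine). The class and function names, the page size and the sample page numbers are constructed for illustration.

```python
PAGE_SHIFT = 12                      # assume 4 KiB pages
PAGE_MASK = (1 << PAGE_SHIFT) - 1

class IsolationFault(Exception):
    """Second-stage miss: the guest touched memory the Hypervisor never gave it."""

class Hypervisor:
    """Owns the per-VM Guest Physical -> Machine address tables (constructed model)."""
    def __init__(self):
        self.stage2 = {}   # vm_id -> {GPA page number: machine page number}
        self.owner = {}    # machine page number -> vm_id

    def allocate(self, vm_id, gpa_page, ma_page):
        # A machine page is handed to exactly one VM; refuse to map it twice.
        if self.owner.get(ma_page, vm_id) != vm_id:
            raise IsolationFault(f"machine page {ma_page:#x} belongs to {self.owner[ma_page]}")
        self.owner[ma_page] = vm_id
        self.stage2.setdefault(vm_id, {})[gpa_page] = ma_page

    def translate(self, vm_id, guest_page_table, gva):
        """Walk both stages: GVA -> GPA (guest table) -> MA (Hypervisor table)."""
        offset = gva & PAGE_MASK
        # Stage 1 is under the guest OS's control; it may point anywhere in GPA space.
        gpa_page = guest_page_table[gva >> PAGE_SHIFT]
        # Stage 2 is under the Hypervisor's control; only allocated GPA pages resolve.
        try:
            ma_page = self.stage2[vm_id][gpa_page]
        except KeyError:
            raise IsolationFault(f"{vm_id}: GPA page {gpa_page:#x} not allocated") from None
        return (ma_page << PAGE_SHIFT) | offset

def demo():
    """Two VMs use the same guest layout and the same GPA yet reach different machine pages."""
    hv = Hypervisor()
    hv.allocate("vm-a", gpa_page=0x0, ma_page=0x100)
    hv.allocate("vm-b", gpa_page=0x0, ma_page=0x200)
    guest_pt = {0x400: 0x0}          # constructed guest table: GVA page 0x400 -> GPA page 0
    ma_a = hv.translate("vm-a", guest_pt, 0x400123)
    ma_b = hv.translate("vm-b", guest_pt, 0x400123)
    # vm-a rewrites its own stage-1 entry to use vm-b's machine page number as a GPA.
    # The guest never names a machine address directly: the value is still a GPA, it
    # was never allocated to vm-a, and the stage-2 walk refuses it.
    try:
        hv.translate("vm-a", {0x400: 0x200}, 0x400000)
        crossed = True
    except IsolationFault:
        crossed = False
    return ma_a, ma_b, crossed
```

In the model, as in the page's description, the only way for a VM to reach machine memory is through entries the Hypervisor placed in that VM's second-stage table.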
I/O Isolation
The physical machine's peripheral resources are limited. To serve multiple VM operating systems, the Hypervisor shares these limited peripherals through I/O virtualization: it intercepts the VM operating system's device access requests and emulates the behaviour of real devices in software. From the processor's perspective, peripherals are accessed through a set of I/O resources (I/O ports or MMIO), which is why device virtualization is also called I/O virtualization.
The Hypervisor implements I/O virtualization using a split device model. The front end passes the VM's I/O requests to the back end in the Hypervisor; the back end parses the requests and submits them to the appropriate device to complete the I/O operations. The Hypervisor ensures that VMs can only access the I/O resources allocated to them.