everythingpossible - Fotolia


Understanding VMware ESXi hypervisor security features

The VMware ESXi hypervisor, particularly its kernel, offer several security features vital to a secure VMware cloud environment. Virtualization expert Paul Henry reviews the different levels of ESXi security.

No one can dispute that VMware Inc. offers one of the most feature-rich virtualization platforms available today....

It also provides a large number of security features that, when enabled, can raise the bar for security within a virtual environment.

There are several security features available within the VMware platform that are worth exploring. In this tip, we will focus on the VMware ESXi hypervisor.

ESXi is not Linux

In the simplest terms, the VMware ESXi hypervisor provides the interface for the guest virtual machines (VMs) to the underlying host CPU, input/output and memory. Before getting into security details, it's important to understand that "ESXi is Linux" is a myth.

Part of the confusion is that back in the days of ESX, VMware used Red Hat Linux to boot itself and for management functionality (shell access). Today's ESXi hypervisor kernel, unlike ESX, boots independently and directly on the hardware without any assistance from Linux. ESXi is similar to Linux but is not exactly Linux. It is a purpose-built, embedded and proprietary kernel called the VMkernel. Access to the kernel can be provided through an API like PowerCLI or -- if enabled -- through shell access using a Busybox shell. The Busybox shell for the ESXi console runs as a UserWorld application. ESXi has its own VMware kernel and does not use a Busybox kernel.

The VMware ESXi kernel only supports the guest VMs that run on it. This effectively reduces its threat envelope when compared to typical Linux distributions that support many additional general-purpose functions. Beyond the risk reduction of being a dedicated-purpose kernel, VMware ESXi also made available three additional very important kernel-level protections:

Today's ESXi hypervisor kernel, unlike ESX, boots independently and directly on the hardware without any assistance from Linux.

1. Memory hardening

2. Kernel module integrity

3. Trusted Execution Technology (TXT) and Trusted Platform Module (TPM)

We'll discuss each of these in detail below.

Memory hardening

The VMware ESXi kernel uses an address space layout randomization (ASLR) methodology to provide random and unpredictable addresses for user-mode applications, drivers, libraries and other executable components. This is a significant security benefit because of the way ASLR thwarts malware looking to take advantage of memory-based exploits. The malware would not have a known address to use as a vector for the exploit because of the randomization.

For additional memory hardening, VMware ESXi also supports the use of the CPU Never eXecute bit (NX) or eXecute Disable bit (XD) available in modern processors. Support of this CPU feature allows VMware ESXi to effectively mark certain areas of memory as non-executable. When a page of memory is marked non-executable, the processor will refuse to execute any code that exists in that area of memory. Support of the NX or XD CPU feature by VMware in ESXi reduces the risk of both traditional malware and buffer overflows directly impacting the VMware kernel. To take advantage of this capability, verify that the NX or XD option is enabled in BIOS. It can typically be found under the BIOS security settings.

Kernel module integrity

As an additional layer of security, VMware ESXi hypervisor uses digital signatures to ensure the integrity and authenticity of modules, drivers and applications as they are being loaded by the VMkernel. The use of these digital signatures enables ESXi to identify the providers of modules, drivers or applications and whether they are VMware-certified. Malicious rogue modules, drivers and applications that do not provide a valid signature will not operate in the ESXi VMkernel.

Trusted Execution Technology (TXT) and Trusted Platform Module (TPM)

ESXi can use TXT/TPM -- TPM is a dependency of TXT -- to verify that the booted kernel and some of its respective loaded modules have not been unexpectedly modified through an unauthorized update or some other malicious type of change. This capability is enabled by default in ESXi and cannot be disabled. However, to take advantage of this security feature, verify that TXT/TPM is also enabled in BIOS.

While an event is logged for TXT/TPM, there is no user interface to view the TXT/TPM measurements that are made of the kernel and the respective loaded modules within the VSphere GUI. Third-party solutions can use an API call to verify that the kernel and those modules that are inspected in the implementation of TXT/TPM by VMware have not been modified.


The memory hardening, kernel module integrity and use of TXT/TPM in the VMware ESXi kernel afford significant risk mitigation in the operation of a private cloud environment. Use of these features effectively mitigates the risk of malware or unauthorized applications operating within the VMware ESXi kernel.

About the author:
Paul Henry is a senior instructor with the SANS Institute and one of the world's foremost global information security and computer forensic experts with more than 30 years of experience covering all 10 domains of network security. Paul began his career in critical infrastructure/process control supporting power generation, and currently manages security initiatives and incident response for Global 2000 enterprises and government organizations worldwide. He is also a principal at vNet Security LLC, and serves as a retained security expert for multiple financial and healthcare firms.

Next Steps

Check out this tutorial on VMware security best practices.

Dig Deeper on Cloud Computing Virtualization: Secure Multitenancy - Hypervisor Protection