Microsoft is working on a more secure architecture for Hyper-V

Like any other virtualization vendor, Microsoft is actively researching more efficient and secure architectures for its hypervisor.

While most of this work remains undisclosed inside the research labs, a few things are being shown at public events.
One of them is Bunker-V, the codename for a new architectural approach that Microsoft is evaluating to reduce the Hyper-V trusted computing base (TCB), which today includes the virtual machine monitor (VMM) and the parent partition and amounts to over 50 million lines of code.

The research appeared in a speech titled Improving the Security of Commodity Hypervisors for Cloud Computing presented this year at the Seventh Annual Microsoft Research Networking Summit.

The slide deck describes how Microsoft is redesigning its hypervisor to be faster and to have a smaller TCB for cloud computing scenarios.

The Bunker-V approach implies removing the virtual devices that guest OSes in the cloud do not need (such as the floppy drive, keyboard, mouse, monitor or serial ports) and removing legacy virtual devices (such as the keyboard controller or the ISA bus).

Unfortunately, this last category of interfaces is required to boot the guests, so Microsoft is proposing a new booting approach, called delusional boot, that boots the OS on a separate node isolated from the production data center.

Microsoft says that this approach can reduce the TCB by 79% while retaining high performance for legacy OSes.

Bunker-V