At the Hack in the Box security conference in Amsterdam, ERNW security researchers Enno Rey, Felix Wilhelm, and Matthias Luft presented Compromise-as-a-Service: Our PleAZURE (pdf).\n\nThe group says they chose to research Hyper-V because there has been \u201cvery little research so far,\u201d resulting in only four DoS vulnerabilities in six years. Besides being used in a variety of corporate environments,\u00a0Hyper-V\u00a0\u2013 aka Windows Server Virtualization \u2013 \u201cis also used in a variety of other platforms such as Microsoft\u00a0Azure\u00a0or the Xbox One gaming console.\u201d\n\nIn a newly released technical paper (pdf) on Hyper-V security, ERNW researchers wrote, \u201cafter almost six years on the market, only a handful of Denial-of-Service vulnerabilities were patched. Even though Microsoft\u2019s SDL has an impressive track record of producing secure software, this seems like an unrealistic low amount of vulnerabilities for such complex software.\u201d\n\nThe researchers also gave the talk at the Troopers 2014 security conference. \n\nIs Azure Hypervisor the same thing as Hyper-V? ERNW\u2019s report states:\n\nOfficially, the Microsoft Azure cloud runs on a hypervisor called the \u201cAzure hypervisor,\u201d which is not the same as Hyper-V. However, even a cursory look at an Azure VM shows that the both hypervisors are at least strongly related. Figure 4 shows a screenshot of an Azure VM with the standard Hyper-V VSC services running and the CPUID instruction executed in an Azure VM.\n\nSharing a code base between Hyper-V and Azure makes sense from an engineering standpoint. For security researchers or malicious attackers targeting Azure, it has the big advantage of allowing offline analysis of the hypervisor. By concentrating on the Hyper-V attack surface that is also relevant for Azure, the chance to discover vulnerabilities with a serious impact on the Azure cloud is quite high.\n\nAlthough the researchers found a Hyper-V blue screen bug and reported it as a denial-of-service (DoS) flaw, Microsoft patched MS13-092 in November 2013 as an elevation of privilege (EoP) vulnerability. The researchers were then curious on how to turn a DoS to an escalation of privilege flaw. Additional research concluded that an attacker could only influence two values, PTE and the input GPA.\u00a0 The researchers will continue to analyze Microsoft\u2019s patch and resulting behavior; they called upon other researchers to do the same.\n\nA big portion of the Hyper-V paper explains the architecture and maps the attack surface for VM breakout attacks, but they discovered \u201ca critical vulnerability in the handling of hypercalls.\u201d They called analyzing different Hyper-V versions for silently patched vulnerabilities a \u201cpromising activity.\u201d\n\nIn conclusion, the ERNW researchers wrote:\n\nOur research shows that hypervisors are large and complex software with a significant attack surface. Even if the term \u201cVirtual Air Gap\u201d is quite popular nowadays, our research shows that this gap is much smaller than a physical one. While Hyper-V is solid software and was developed with security in mind, it still suffers from critical security vulnerabilities. This is supposed to motivate other researchers as well to use our results and step in on analyzing the huge attack surface of Hyper-V, following the old hacker spirit Make the Theoretical Practical!\n\nThe researchers put it another way at Hack in the Box and were then quoted by hacker and security consultant Xavier Mertens on his rootshell blog:\n\n"Any hypervisor is not a new security layer; it\u2019s a new place to find bugs."