A Type 1 hypervisor, also known as a bare-metal hypervisor, is installed directly on the physical hardware, acting as its own minimal, specialized operating system. This design means its codebase is lean and purpose-built solely for managing virtual machines. This significantly reduces the attack surface compared to a Type 2 hypervisor, which runs as an application on top of a full-featured, general-purpose host operating system (e.g., Windows, macOS, Linux). The Type 2 hypervisor inherits all the vulnerabilities, services, and complexities of its underlying host OS, creating a much larger target for potential attacks.

A: The hypervisor manages virtual hardware, but patching the guest operating systems within the VMs is the responsibility of the VM administrator.

C: Hardware-level encryption capabilities are generally provided by the CPU and can be leveraged by both Type 1 and Type 2 hypervisors, not being an exclusive feature of Type 1.

D: A primary function of any hypervisor is to support a wide variety of guest operating systems, not restrict them to a specific type.

1. National Institute of Standards and Technology (NIST) Special Publication 800-125

Guide to Security for Full Virtualization Technologies.

Section 2.1

"Virtualization Architectures

" describes the two types of hypervisors. It states

"Type 1 hypervisors run directly on the host's hardware to control the hardware and to manage guest operating systems... Type 2 hypervisors run on a conventional operating system (OS) just as other computer programs do." This architectural difference is the basis for the security distinction.

Section 3.1

"Hypervisor Security

" discusses that the hypervisor's security is critical. A Type 1 hypervisor's smaller

specialized nature inherently presents a smaller attack surface than a Type 2 hypervisor running on a full host OS.

2. Popek

G. J.

& Goldberg

R. P. (1974). Formal requirements for virtualizable third generation architectures. Communications of the ACM

17(7)

412–421.

Section 2

"A Model of a Third Generation Machine

" This foundational paper on virtualization defines the concept of a Virtual Machine Monitor (VMM)

or hypervisor. The principles laid out explain that a VMM that controls the hardware directly (Type 1) has a more privileged and isolated position than one that operates on top of a host OS (Type 2)

which is fundamental to its security posture. DOI: https://doi.org/10.1145/361011.361073

3. Massachusetts Institute of Technology (MIT) OpenCourseWare. 6.858 Computer Systems Security

Fall 2014.

Lecture 15 Notes

"Virtualization

" discusses the security benefits of a small Trusted Computing Base (TCB). The notes explain that Type 1 hypervisors have a much smaller TCB than Type 2 hypervisors because they do not include a full host OS. A smaller TCB is a core principle of secure system design.