Compute and hypervisor security

Compute and hypervisor securityΒΆ

In this context we see two types of threats:

  • hypervisor threats
  • multi-project threats

Malicious application can escape the VM through exploitation of a vulnerability or a direct access to hardware or hypervisor OS and compromise other VMs running on a physical node which may belong to another projects (EoP).

The hypervisor security should be a prime concern because a single fault on the hypervisor level may compromise the whole environment.

For example, having access to the hypervisor an attacker can look into VM images by simply mounting a virtual disk (information disclosure). Even more, mounting a filesystem as read only can help to avoid tampering. An attacker becomes untraceable because peeking files this way does not update file access time (repudiation).

To mitigate EoP on a hypervisor:

  • Use the hypervisor certified against FIPS 140-2 and take Common Criteria Certification requirements into consideration.
  • Limit access to hypervisor OS (a full OS or kernel the hypervisor runs on), the VM manager, and all interfaces used to manage VMs.
  • Do not use hypervisor memory optimization such as Copy-on-Write (COW) mechanisms shown to be vulnerable to side-channel attacks when used in multi-project environment.
  • Disable PCI passthrough for your hypervisor, which means that an VM instance should not have a direct access to hardware such as memory (DMA) or video cards (GPUs).
  • Harden virtual hardware (QEMU for KVM) by:
    • Minimizing the code base by removing unused components from a QEMU configuration.
    • Building QEMU with compiler hardening enabled, which may include: stack protection, data execution prevention, Address Space Layout Randomization (ASLR) by enabling Position Independent Executable (PIE)
    • Using mandatory access controls such as sVirt, SELinux, AppArmor, or grsecurity to put QEMU process into a separate security context.
  • A hypervisor must host only VMs of the same security level that can be classified based on their role, function, or access to sensitive data. Use Host Aggregates and Availability Zones to group Compute nodes for running VMs of the same security level.

To mitigate EoP on for a Compute service:

  • Limit an access by providing strict access permissions to the nova.conf file and /var/lib/nova folder.
  • Use file integrity monitoring (FIM) tools such as iNotify or Samhain to trace unexpected files modifications.
  • Use rootwrap to execute Compute commands as the root user.
  • Use trusted compute pools.
  • Implement centralized logging to mitigate a risk of a repudiation attack.
  • Enable mandatory access control (MAC) with SELinux, AppArmor, or grsecurity.
  • Enable encryption for Compute metadata traffic.