Enhancing security in the hypervisor: SVirt

I recently watched Dan Walsh's presentation at Red Hat Summit on SVirt. Here's what I took away from it, including some additional thoughts and explanations of my own.

Dan stresses the point that with current virtualization products, there is no security control between the virtual machine processes inside the hypervisor/Dom0. If you find a security vulnerability in the hypervisor, the paravirtualized drivers, or probably the guest tools as well, you are able to escape from the virtual machine into the hypervisor. From there, you can access any other virtual machine without any restrictions.
 
With Red Hat's SVirt, the virtual machine processes are separated using SELinux. This is perfectly sufficient, as Red Hat is using KVM as its future virtualization technology. With KVM, the hypervisor is the Linux kernel, so a Mandatory Access Control (MAC) mechanism inside the kernel is able to fully control the VMs. With other hypervisors like Xen or VMware, you'd need a mechanism both inside the privileged domain (Dom0/Service Console) and inside the actual hypervisor.
 
SVirt uses an SELinux mechanism that is not very widely used: Multi-Category Security (MCS). This allows one to create normal SELinux labels for qemu objects (i.e. what KVM is allowed to do in general), and to add a randomly generated MCS label to each VM and its disk image(s), restricting access from one qemu process to another VM's disk images.
 
The required SELinux labels are automatically generated by libvirt when a virtual machine is started. Starting from Fedora 12 (and probably RHEL 6), this mechanism will be enabled by default and will not need any manual configuration (as long as you are using libvirt and not starting the KVM processes manually).
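To make the MCS mechanism described above concrete, here is an added example (my own model, not code from libvirt or the talk) that mimics what libvirt does for each VM: pick a random pair of categories, label the qemu process and its disk image with that pair, and then evaluate the MCS dominance rule that decides whether a process may touch an image. The type names `svirt_t` and `svirt_image_t` are the ones libvirt's SELinux driver uses; the category range (c0 to c1023) and the subset-based check are assumptions that simplify the real policy constraint.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Context:
    """A simplified SELinux security context: user:role:type:sensitivity[:categories]."""
    user: str
    role: str
    type_: str
    sensitivity: str = "s0"
    categories: frozenset = frozenset()

    def __str__(self):
        cats = ",".join(sorted(self.categories, key=lambda c: int(c[1:])))
        base = f"{self.user}:{self.role}:{self.type_}:{self.sensitivity}"
        return f"{base}:{cats}" if cats else base


def parse_context(text):
    """Parse e.g. 'system_u:system_r:svirt_t:s0:c12,c345' (assumes plain category lists, no ranges)."""
    parts = text.split(":")
    user, role, type_, sensitivity = parts[:4]
    cats = frozenset(parts[4].split(",")) if len(parts) > 4 else frozenset()
    return Context(user, role, type_, sensitivity, cats)


def generate_mcs_pair(rng, used):
    """Pick two distinct random categories not yet handed to another VM (libvirt-style, simplified)."""
    while True:
        a, b = sorted(rng.sample(range(1024), 2))  # assumed range c0..c1023
        pair = frozenset({f"c{a}", f"c{b}"})
        if pair not in used:
            used.add(pair)
            return pair


def label_vm(rng, used):
    """Return the (process, disk image) contexts libvirt would assign to one VM."""
    cats = generate_mcs_pair(rng, used)
    process = Context("system_u", "system_r", "svirt_t", "s0", cats)
    image = Context("system_u", "object_r", "svirt_image_t", "s0", cats)
    return process, image


def mcs_allows(process, image):
    """MCS dominance: the subject's categories must include every category on the object."""
    return image.categories <= process.categories


if __name__ == "__main__":
    rng, used = random.Random(2009), set()
    (p1, d1), (p2, d2) = label_vm(rng, used), label_vm(rng, used)
    print(p1, "->", d1, mcs_allows(p1, d1))  # own image: allowed
    print(p1, "->", d2, mcs_allows(p1, d2))  # other VM's image: denied
```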
 
This is a great step towards hardening the separation of VMs. SVirt provides very strict access control on the disk images between different VMs. Dan briefly mentions controlling network traffic with SELinux as well, although he admits that iptables might be the better tool for this.
 
I'm curious whether Red Hat will be able to convince the virtualization community of the benefits of SVirt, and what the response of VMware and the Xen-based virtualization companies (Citrix, Oracle/Sun) will be.