0
sVirt: Hardening Linux
Virtualization with Mandatory
        Access Control

            James Morris
     Red Hat Securit...
Goal:

Improve security for Linux
      virtualization
Linux Virtualization:

Where the “hypervisor” is a normal
         Linux process
KVM

Lguest

UML
Host Userspace




      Guest        Guest           Guest
    Userspace    Userspace       Userspace




      Guest    ...
Utilize existing process-based
      security mechanisms
DAC is not enough:


Subjects can modify own security
             policy
Mandatory Access Control
         (MAC):


Subjects cannot bypass security
            policy
Virtualization Threat Model

     (work in progress)
Virtualization introduces new
         security risks
Flawed hypervisor:


Malicious guest breaks out, attacks
       other guests or host
Before virtualization:


Systems were physically separated,
 damage limited to network attacks
Host Userspace                   Host Userspace




 Web Server                       DNS Server




 Host Kernel         ...
After virtualization:


Guest systems running on same
 server, possibly as same UID
Host Userspace

         Guest Userspace                    Guest Userspace



            Guest
            Web Server   ...
Malicious or compromised guests
can now attack other guests via
        local mechanisms
Hypervisor vulnerabilities:


      Not theoretical

       Evolving field

 Potentially huge payoffs
sVirt in a nutshell:


Isolate guests using MAC security
              policy

  Contain hypervisor breaches
libvirt:


Virtualization API by Daniel Veillard

  Abstraction layer for managing
      different virt schemes

     Xen,...
Simplified libvirt architecture


drivers                                       host
                                     ...
sVirt design:


Pluggable security framework for
             libvirt

Supports MAC security schemes
     (SELinux, SMACK)
sVirt design:


  Security “driver” manages MAC
 labeling of guests and resources

MAC policy enforced by host kernel
Simplified libvirt architecture w/ SVirt


drivers                                                      host
             ...
sVirt design:


Reuse of proven code and security
             models

 Coherent and complete system
            policy

 ...
sVirt design:


Must be usable and useful with
     demonstrable value
sVirt v1.0:


Provide simple isolation of guests

       Zero configuration

          Debuggable
SELinux Policy:


Guests and resources uniquely
           labeled

   virtd_isolated_t:<UUID>
SELinux Policy:


Coarse rules for all isolated guests
   applied to virtd_isolated_t
SELinux Policy:


 For simple isolation: all accesses
between different UUIDs are denied
Host Userspace

              virtd_isolated_t:1             virtd_isolated_t:2



                Guest
                W...
Future enhancements:


Different types of isolated guests

   virtd_isolated_webserver_t
Future enhancements:


   Virtual network security

Controlled flow between guests

  Distributed guest security

      Mu...
Related work:


   Labeled NFS

Labeled Networking

      XACE
Similar work:


 XSM (port of Flask to Xen)

Several proprietary schemes
Current status:



Low-level libvirt integration done

   Can launch labeled guest

  Basic label support in virsh
sVirt project page:


http://selinuxproject.org/page/SVirt
Questions...
Upcoming SlideShare
Loading in...5
×

sVirt: Hardening Linux Virtualization with Mandatory Access Control

2,389

Published on

sVirt talk given at Linux.conf.au, Hobart, 2009.

Video of the talk:
http://video.google.com.au/videoplay?docid=5750618585157629496

Published in: Technology, News & Politics
1 Comment
4 Likes
Statistics
Notes
  • Mr Morris,sVirt is not support NFS.
    what can I do, If I want sVirt support NFS?
    Thank you.
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
No Downloads
Views
Total Views
2,389
On Slideshare
0
From Embeds
0
Number of Embeds
3
Actions
Shares
0
Downloads
81
Comments
1
Likes
4
Embeds 0
No embeds

No notes for slide

Transcript of "sVirt: Hardening Linux Virtualization with Mandatory Access Control"

  1. 1. sVirt: Hardening Linux Virtualization with Mandatory Access Control James Morris Red Hat Security Engineering Linux.conf.au 2009 Hobart, Australia
  2. 2. Goal: Improve security for Linux virtualization
  3. 3. Linux Virtualization: Where the “hypervisor” is a normal Linux process
  4. 4. KVM Lguest UML
  5. 5. Host Userspace Guest Guest Guest Userspace Userspace Userspace Guest Guest Guest Kernel Kernel Kernel Host Kernel Host Hardware
  6. 6. Utilize existing process-based security mechanisms
  7. 7. DAC is not enough: Subjects can modify own security policy
  8. 8. Mandatory Access Control (MAC): Subjects cannot bypass security policy
  9. 9. Virtualization Threat Model (work in progress)
  10. 10. Virtualization introduces new security risks
  11. 11. Flawed hypervisor: Malicious guest breaks out, attacks other guests or host
  12. 12. Before virtualization: Systems were physically separated, damage limited to network attacks
  13. 13. Host Userspace Host Userspace Web Server DNS Server Host Kernel Host Kernel Host Hardware Host Hardware Attack Local Network
  14. 14. After virtualization: Guest systems running on same server, possibly as same UID
  15. 15. Host Userspace Guest Userspace Guest Userspace Guest Web Server Guest DNS Server Userspace Userspace Guest Guest local Guest Guest Kernel Kernel exploits Kernel Kernel Host Kernel Host Hardware memory, storage, etc.
  16. 16. Malicious or compromised guests can now attack other guests via local mechanisms
  17. 17. Hypervisor vulnerabilities: Not theoretical Evolving field Potentially huge payoffs
  18. 18. sVirt in a nutshell: Isolate guests using MAC security policy Contain hypervisor breaches
  19. 19. libvirt: Virtualization API by Daniel Veillard Abstraction layer for managing different virt schemes Xen, KVM, LXC, OpenVZ
  20. 20. Simplified libvirt architecture drivers host node hypervisors storage hypervisor Xen iSCSI KVM NFS guest OpenVZ logical guest LXC fs guest UML disk API storage virsh virt-manager
  21. 21. sVirt design: Pluggable security framework for libvirt Supports MAC security schemes (SELinux, SMACK)
  22. 22. sVirt design: Security “driver” manages MAC labeling of guests and resources MAC policy enforced by host kernel
  23. 23. Simplified libvirt architecture w/ SVirt drivers host node hypervisors storage security hypervisor Xen iSCSI SELinux * KVM NFS etc. guest OpenVZ logical guest LXC fs guest UML disk * API * security labels * * storage virsh virt-manager
  24. 24. sVirt design: Reuse of proven code and security models Coherent and complete system policy Reduced complexity and cost
  25. 25. sVirt design: Must be usable and useful with demonstrable value
  26. 26. sVirt v1.0: Provide simple isolation of guests Zero configuration Debuggable
  27. 27. SELinux Policy: Guests and resources uniquely labeled virtd_isolated_t:<UUID>
  28. 28. SELinux Policy: Coarse rules for all isolated guests applied to virtd_isolated_t
  29. 29. SELinux Policy: For simple isolation: all accesses between different UUIDs are denied
  30. 30. Host Userspace virtd_isolated_t:1 virtd_isolated_t:2 Guest Web Server Guest DNS Server Userspace Userspace Guest Guest Guest Guest Kernel Kernel Kernel Kernel Host Kernel SELinux Host Hardware virt_image_t:1 virt_image_t:2
  31. 31. Future enhancements: Different types of isolated guests virtd_isolated_webserver_t
  32. 32. Future enhancements: Virtual network security Controlled flow between guests Distributed guest security Multilevel security
  33. 33. Related work: Labeled NFS Labeled Networking XACE
  34. 34. Similar work: XSM (port of Flask to Xen) Several proprietary schemes
  35. 35. Current status: Low-level libvirt integration done Can launch labeled guest Basic label support in virsh
  36. 36. sVirt project page: http://selinuxproject.org/page/SVirt
  37. 37. Questions...
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×