sVirt: Hardening Linux Virtualization with Mandatory Access Control
Upcoming SlideShare
Loading in...5
×

Like this? Share it with your network

Share

sVirt: Hardening Linux Virtualization with Mandatory Access Control

  • 3,393 views
Uploaded on

sVirt talk given at Linux.conf.au, Hobart, 2009. ...

sVirt talk given at Linux.conf.au, Hobart, 2009.

Video of the talk:
http://video.google.com.au/videoplay?docid=5750618585157629496

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
  • Mr Morris,sVirt is not support NFS.
    what can I do, If I want sVirt support NFS?
    Thank you.
    Are you sure you want to
    Your message goes here
No Downloads

Views

Total Views
3,393
On Slideshare
3,377
From Embeds
16
Number of Embeds
3

Actions

Shares
Downloads
78
Comments
1
Likes
3

Embeds 16

http://www.slideshare.net 12
http://www.slideee.com 3
http://www.docshut.com 1

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide

Transcript

  • 1. sVirt: Hardening Linux Virtualization with Mandatory Access Control James Morris Red Hat Security Engineering Linux.conf.au 2009 Hobart, Australia
  • 2. Goal: Improve security for Linux virtualization
  • 3. Linux Virtualization: Where the “hypervisor” is a normal Linux process
  • 4. KVM Lguest UML
  • 5. Host Userspace Guest Guest Guest Userspace Userspace Userspace Guest Guest Guest Kernel Kernel Kernel Host Kernel Host Hardware
  • 6. Utilize existing process-based security mechanisms
  • 7. DAC is not enough: Subjects can modify own security policy
  • 8. Mandatory Access Control (MAC): Subjects cannot bypass security policy
  • 9. Virtualization Threat Model (work in progress)
  • 10. Virtualization introduces new security risks
  • 11. Flawed hypervisor: Malicious guest breaks out, attacks other guests or host
  • 12. Before virtualization: Systems were physically separated, damage limited to network attacks
  • 13. Host Userspace Host Userspace Web Server DNS Server Host Kernel Host Kernel Host Hardware Host Hardware Attack Local Network
  • 14. After virtualization: Guest systems running on same server, possibly as same UID
  • 15. Host Userspace Guest Userspace Guest Userspace Guest Web Server Guest DNS Server Userspace Userspace Guest Guest local Guest Guest Kernel Kernel exploits Kernel Kernel Host Kernel Host Hardware memory, storage, etc.
  • 16. Malicious or compromised guests can now attack other guests via local mechanisms
  • 17. Hypervisor vulnerabilities: Not theoretical Evolving field Potentially huge payoffs
  • 18. sVirt in a nutshell: Isolate guests using MAC security policy Contain hypervisor breaches
  • 19. libvirt: Virtualization API by Daniel Veillard Abstraction layer for managing different virt schemes Xen, KVM, LXC, OpenVZ
  • 20. Simplified libvirt architecture drivers host node hypervisors storage hypervisor Xen iSCSI KVM NFS guest OpenVZ logical guest LXC fs guest UML disk API storage virsh virt-manager
  • 21. sVirt design: Pluggable security framework for libvirt Supports MAC security schemes (SELinux, SMACK)
  • 22. sVirt design: Security “driver” manages MAC labeling of guests and resources MAC policy enforced by host kernel
  • 23. Simplified libvirt architecture w/ SVirt drivers host node hypervisors storage security hypervisor Xen iSCSI SELinux * KVM NFS etc. guest OpenVZ logical guest LXC fs guest UML disk * API * security labels * * storage virsh virt-manager
  • 24. sVirt design: Reuse of proven code and security models Coherent and complete system policy Reduced complexity and cost
  • 25. sVirt design: Must be usable and useful with demonstrable value
  • 26. sVirt v1.0: Provide simple isolation of guests Zero configuration Debuggable
  • 27. SELinux Policy: Guests and resources uniquely labeled virtd_isolated_t:<UUID>
  • 28. SELinux Policy: Coarse rules for all isolated guests applied to virtd_isolated_t
  • 29. SELinux Policy: For simple isolation: all accesses between different UUIDs are denied
  • 30. Host Userspace virtd_isolated_t:1 virtd_isolated_t:2 Guest Web Server Guest DNS Server Userspace Userspace Guest Guest Guest Guest Kernel Kernel Kernel Kernel Host Kernel SELinux Host Hardware virt_image_t:1 virt_image_t:2
  • 31. Future enhancements: Different types of isolated guests virtd_isolated_webserver_t
  • 32. Future enhancements: Virtual network security Controlled flow between guests Distributed guest security Multilevel security
  • 33. Related work: Labeled NFS Labeled Networking XACE
  • 34. Similar work: XSM (port of Flask to Xen) Several proprietary schemes
  • 35. Current status: Low-level libvirt integration done Can launch labeled guest Basic label support in virsh
  • 36. sVirt project page: http://selinuxproject.org/page/SVirt
  • 37. Questions...