twobee - Fotolia
The National Institute of Standards and Technology has a variety of important recommendations for virtualization administrators to securely operate hypervisors. The NIST security guidelines, and the especially relevant NIST virtualization instructions, show how organizations can improve their security.
In June 2018, the National Institute of Standards and Technology (NIST) released "Special Publication 800-125A Revision 1: Security Recommendations for Server-based Hypervisor Platforms." Revision 1 is similar to the original version, but it now includes NIST security recommendations for device virtualization technologies, such as paravirtualization, pass-through and self-virtualizing hardware.
NIST defines a hypervisor platform as a combination of the hypervisor software that virtualizes CPU and memory resources with the software modules necessary to virtualize other components, such as storage and networking, and to manage the platform and its VMs.
The main goal of following these NIST virtualization recommendations is to ensure the secure execution of the platform's baseline functions. These recommendations primarily target cloud service providers that offer infrastructure as a service and enterprise IT teams planning to implement virtual infrastructures to host line-of-business applications.
According to NIST, hypervisor platforms are susceptible to security threats via three primary channels: the enterprise network where the hypervisor host resides, rogue or compromised VMs accessing virtualized resources, and web interfaces for the platform's management services and consoles.
NIST breaks down the hypervisor platform into the following five baseline functions: VM process isolation (HY-BF1), device mediation and access control (HY-BF2), direct command execution from guest VMs (HY-BF3), VM lifecycle management (HY-BF4), and hypervisor platform management (HY-BF5).
The regulations define how each function works, identify the types of threats specific to those functions and provide recommendations for how to address those threats.
NIST security recommendations for VM process isolation (HY-BF1)
The HY-BF1 baseline function provides VM execution scheduling, manages application processes running in the VMs -- such as CPU and memory -- and handles context switching between processor states when running VM applications.
The primary threat to the modules that carry out this function is a breach of process isolation, which can be caused by vulnerabilities in the hypervisor design. For example, a faulty implementation of the VM control structure can result in hypervisor memory leaks, or a faulty implementation of a software-based memory management unit (MMU) can lead to address space data disclosure.
Admins must address vulnerabilities in hypervisor design using proper coding and testing before they deploy the hypervisor. To this end, NIST security guidelines provide several recommendations to address these vulnerabilities.
For example, the hypervisor should use the host's hardware where possible to provide better isolation and VM-level protection. The hypervisor should also include configuration options to control physical RAM for the VMs and to provision virtualized resources. In addition, the hypervisor should enable the specification of CPU clock cycle limits for each VM.
Device mediation and access control (HY-BF2)
The HY-BF2 baseline function uses device virtualization technologies to make devices available to VMs, which includes paravirtualization, emulation, pass-through and self-virtualizing hardware. The modules that carry out this function run in the hypervisor kernel or within dedicated VMs.
Virtualized devices that support direct memory access can pose a particular security risk to these modules. Because the VM controls the device, it's possible to program it to carry out operations that target physical memory.
With the publication of Revision 1, HY-BF2 added details about security issues specific to paravirtualization, pass-through and self-virtualizing hardware.
With paravirtualization, the hypervisor provides VMs with an interface to artificial devices, which simplifies I/O driver requirements. The pass-through approach provides a VM with exclusive access to a device, which is usually required for Peripheral Component Interconnect devices. A self-virtualizing hardware device provides an interface with virtual functions that correspond to physical functions, which enables multiple VMs to share devices.
To address security risks to HY-BF2 modules, NIST virtualization guidelines recommend that admins restrict access to VM processes and set network and I/O resource limits. NIST also provides specific recommendations for each type of device virtualization technology. For example, if admins use pass-through or self-virtualizing hardware, the hypervisor platform should provide I/O MMU support to validate and translate memory access.
Direct command execution from guest VMs (HY-BF3)
The HY-BF3 baseline function refers to the VM OS commands that the hypervisor executes instead of commands triggered by interruptions or context switching. These commands, or hypercalls, require a special interface in the hypervisor. The HY-BF3 function is specific to hypervisors that implement paravirtualization rather than full virtualization.
Hypercalls can present a security risk if admins don't properly validate certain operations, such as enabling a full dump of a VM's control block without verifying the operational scope, which can cause the hypervisor to crash. As with the HY-BF1 function, admins must address HY-BF3 risks during development and testing before they deploy the hypervisor platform.
Although NIST security recommendations include details about the HY-BF3 baseline function, the information doesn't provide specific recommendations for how to handle hypercalls in a paravirtualized hypervisor.
VM lifecycle management (HY-BF4)
The HY-BF4 baseline function addresses the creation and management of VM images and controls VM states such as Start or Stop. This function also addresses other management operations, such as VM monitoring and migration, policy enforcement, and snapshot creation. Essentially, this function includes all VM administration throughout its lifecycle. Potential threats to the function's modules come primarily from nonstandard VM images in the library or from running VMs based on those images.
NIST security recommendations for protection against these threats include defining a gold standard for images and ensuring that all the images and their VMs conform to that standard. In addition, organizations should require digital signatures for every image, with granular access control enforced at the image and VM levels. Organizations should also monitor systems, log activity and implement antimalware services.
Hypervisor platform management (HY-BF5)
The HY-BF5 baseline function addresses the overall administration of the hypervisor host and software. This function usually provides consoles or web interfaces with various configuration parameters in the function's modules. A software layer running within privileged VMs usually supports administration better than administration built directly into the hypervisor.
Threats to these modules are similar to those in any system that relies on remote administration to carry out management tasks. For this reason, NIST security recommendations don't include guidelines that are more generic in nature, such as controlling administrative accounts, using secure communication protocols or employing robust path management.
The NIST virtualization guidelines do recommend the centralization of all administration using an enterprise virtualization management system. In addition, organizations should use a dedicated physical network interface card for all hypervisor host and software administration functions.
Incorporate NIST security recommendations
NIST also provides general security recommendations that apply to the hypervisor platform as a whole to help ensure a protected, integrated environment. Admins implementing server virtualization should understand the full implications of all the NIST virtualization recommendations and how they apply to their organizations. If they're reviewing specific virtualization products, they can reference the NIST National Vulnerability Database, where they can search for a specific product and version to view a list of known security issues.
Admins should also keep in mind that these NIST virtualization recommendations don't cover all aspects of server virtualization. For example, the recommendations don't cover routine administration of the host or guest OSes; security of the OS, applications or services running in the VMs; or user account management, authentication and access control for the hypervisor host. Instead, the recommendations focus on security specific to the hypervisor platform.