Avoiding KVM configuration errors

Active Separation

A Study as a Source

The security of KVM-based virtualization can certainly be considered highly complex, which is why I have only singled out a few, albeit very central, issues. The material comes from a 2016 security analysis performed by OpenSource Security Ralf Spenneberg [8] on behalf of The German Federal Office for Information Security [9]. The company not only investigated the security of KVM itself, but also of its ecosystem, consisting of Qemu and libvirt, as well as network-based data storage with Ceph and GlusterFS. The study is due to be published soon.

Infos

  1. KVM: https://www.linux-kvm.org
  2. Qemu: http://www.qemu-project.org
  3. "Passing Host PCI Devices Through to the KVM Guest" by Oliver Rath, Hans-Peter Merkel, and Markus Feilner. Linux Pro Magazine , issue 114, May 2010, pg. 46
  4. libvirt: http://libvirt.org
  5. "KSM (Kernel Samepage Merging)" by Christoph Mitasch, https://www.thomas-krenn.com/en/wiki/KSM_(Kernel_Samepage_Merging)
  6. "Wait a minute! A fast, cross-VM attack on AES" by Gorka Irazoqui, Mehmet Sinan Inci, Thomas Eisenbarth, and Berk Sunar, https://eprint.iacr.org/2014/435.pdf
  7. MacVTap: http://virt.kernelnewbies.org/MacVTap
  8. OpenSource Security Ralf Spenneberg: https://opensource-security.de (in German)
  9. The German Federal Office for Information Security: https://www.bsi.bund.de/EN/TheBSI/thebsi_node.html @IE

The Author

Hendrik Schwartke works as an IT security analyst with OpenSource Security Ralf Spenneberg (Steinfurt, Germany) investigating Linux server systems and embedded systems for security vulnerabilities. Schwartke was a major contributor to the study "Sicherheitsanalyse von KVM (KVMSec)" [Security Analysis of KVM (KVMSec)] on behalf of The German Federal Office for Information Security.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy ADMIN Magazine

SINGLE ISSUES
 
SUBSCRIPTIONS
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • Secure Your KVM Virtual Machines
    A common misconception posits that software cannot cause mischief if you lock the system away in a virtual machine, because even if an intruder compromises the web server on the virtual machine, it will only damage the guest. If you believe this, you are in for a heap of hurt.
  • Controlling virtual machines with VNC and Spice
    Administrators on Linux virtual machines tend to use VNC to transfer the graphical system to Virtual Machine Manager or a VNC client. One alternative is Spice: If the guest system is running the QXL driver, you can look forward to fast graphics and audio pass through.
  • Virsh Libvert Tool

    With the command-line tool virsh, a part of the libvirt library, you can query virtual machines to discover their state of health, launch or shut down virtual machines, and perform other tasks – all of which can be conveniently scripted.

  • Hardware-assisted Virtualization

    The Intel VT and AMD-V extensions bring x86 virtualization to the 21st Century. Learn why hardware-assisted virtualization is important and what to watch for the next time you buy a computer. We'll also show you how to configure virtualization on a typical Linux system.

  • Virtualization with KVM
    KVM continues to gain popularity in the world of Linux – so much so, that it has become Red Hat and Ubuntu's preferred virtualization solution. In contrast to Xen, setting up KVM involves just a couple of steps, and the guest operating systems can run without special patches.
comments powered by Disqus