NIST Publishes Draft Hypervisor Security Guide

NIST this week published a draft document SP800-125a that makes recommendations for hypervisor security in virtualized environments based on architectural platform choices and configuration options.

NIST has followed up a three-year-old virtualization security guide with recommendations for hypervisor security. A draft version of SP800-125a was released this week and a public comment period opened on Monday and ends Nov. 10.

The guide targets enterprise security and IT management as well as data center managers at hosting providers, those tasked with securing business data as it moves to cloud computing environments. The draft document covers 22 security recommendations for hypervisor deployments as well as related virtualization components built on the hypervisor.

The hypervisor is software that provides an abstraction layer for the physical resources of a host computer, enabling multiple virtual machines to run on one host. It provides five key functions, according to the NIST draft: isolation of virtual machines; device emulation and access control; execution of privileged operations for guest virtual machines; virtual machine management; and setting of parameters for interaction with the hypervisor.

The draft is organized in order to give chief information security officers and chief technology officers options when choosing hypervisor platforms and the sundry configuration options at their disposal.

“Two different approaches have been adopted in this document – one approach based on architectural options that provide ease of security assurance and the second approach based on configuration choices that form part of its core administrative functions such as management of VMs, hypervisor host, hypervisor software and virtual networks,” wrote Ramaswamy Chandramouli, a George Mason University professor and NIST director.

The document also describes a number of prominent threats to the hypervisor and explains some common errors that lead to their exposure. Virtual machine escapes, for example, where a rogue virtual machine gains access to host resources such as memory and storage, can result from a hypervisor configuration error. An attacker exploiting such a situation could drop a rootkit on the host and own the hypervisor, or attack another virtual machine on the same host, the document said.

Another threat, specific to hosted environments, is VLAN hopping, where a rogue virtual machine breaks the isolation provided by virtualization and can snoop on virtual network traffic intended for VMs on the same segment, NIST said. Other attacks on the hypervisor include resource starvation leading to denial of service, or a hypervisor granting privileged access to a virtual security tool that could in turn be exploited.

The 22 security recommendations in the draft are mapped to each of the five primary hypervisor functions, and run the gamut from suggestions for reducing a hypervisor’s attack surface to determining which drivers are allowed to run emulation code, memory rules, monitoring recommendations, access control and permissions, patch and vulnerability management, and logging of security events among others.

“From the list of security recommendations in this document, it should be clear that many of the security recommendations have been necessitated by the unique functions that the hypervisor performs as well as the supporting features of the underlying hardware platform,” the draft said.