Avoiding KVM configuration errors

Active Separation

A Study as a Source

The security of KVM-based virtualization can certainly be considered highly complex, which is why I have only singled out a few, albeit very central, issues. The material comes from a 2016 security analysis performed by OpenSource Security Ralf Spenneberg [8] on behalf of The German Federal Office for Information Security [9]. The company not only investigated the security of KVM itself, but also of its ecosystem, consisting of Qemu and libvirt, as well as network-based data storage with Ceph and GlusterFS. The study is due to be published soon.

Infos

  1. KVM: https://www.linux-kvm.org
  2. Qemu: http://www.qemu-project.org
  3. "Passing Host PCI Devices Through to the KVM Guest" by Oliver Rath, Hans-Peter Merkel, and Markus Feilner. Linux Pro Magazine , issue 114, May 2010, pg. 46
  4. libvirt: http://libvirt.org
  5. "KSM (Kernel Samepage Merging)" by Christoph Mitasch, https://www.thomas-krenn.com/en/wiki/KSM_(Kernel_Samepage_Merging)
  6. "Wait a minute! A fast, cross-VM attack on AES" by Gorka Irazoqui, Mehmet Sinan Inci, Thomas Eisenbarth, and Berk Sunar, https://eprint.iacr.org/2014/435.pdf
  7. MacVTap: http://virt.kernelnewbies.org/MacVTap
  8. OpenSource Security Ralf Spenneberg: https://opensource-security.de (in German)
  9. The German Federal Office for Information Security: https://www.bsi.bund.de/EN/TheBSI/thebsi_node.html @IE

The Author

Hendrik Schwartke works as an IT security analyst with OpenSource Security Ralf Spenneberg (Steinfurt, Germany) investigating Linux server systems and embedded systems for security vulnerabilities. Schwartke was a major contributor to the study "Sicherheitsanalyse von KVM (KVMSec)" [Security Analysis of KVM (KVMSec)] on behalf of The German Federal Office for Information Security.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy ADMIN Magazine

SINGLE ISSUES
 
SUBSCRIPTIONS
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • Secure Your KVM Virtual Machines
    A common misconception posits that software cannot cause mischief if you lock the system away in a virtual machine, because even if an intruder compromises the web server on the virtual machine, it will only damage the guest. If you believe this, you are in for a heap of hurt.
  • Controlling virtual machines with VNC and Spice
    Administrators on Linux virtual machines tend to use VNC to transfer the graphical system to Virtual Machine Manager or a VNC client. One alternative is Spice: If the guest system is running the QXL driver, you can look forward to fast graphics and audio pass through.
  • Virsh Libvert Tool

    With the command-line tool virsh, a part of the libvirt library, you can query virtual machines to discover their state of health, launch or shut down virtual machines, and perform other tasks – all of which can be conveniently scripted.

  • Hardware-assisted Virtualization

    The Intel VT and AMD-V extensions bring x86 virtualization to the 21st Century. Learn why hardware-assisted virtualization is important and what to watch for the next time you buy a computer. We'll also show you how to configure virtualization on a typical Linux system.

  • Virtualization with KVM
    KVM continues to gain popularity in the world of Linux – so much so, that it has become Red Hat and Ubuntu's preferred virtualization solution. In contrast to Xen, setting up KVM involves just a couple of steps, and the guest operating systems can run without special patches.
comments powered by Disqus
Subscribe to our ADMIN Newsletters
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs



Support Our Work

ADMIN content is made possible with support from readers like you. Please consider contributing when you've found an article to be beneficial.

Learn More”>
	</a>

<hr>		    
			</div>
		    		</div>

		<div class=