This bulletin outlines the security recommendations that NIST recently provided in Special Publication (SP) 800-125A – Security Recommendations for Hypervisor Deployment on Servers. The document provides technical guidelines about the secure execution of baseline functions of the hypervisor, regardless of the hypervisor architecture.

In the past, a user wishing to set up a computing server generally needed to use a dedicated host with dedicated resources such as a central processing unit (CPU), memory, network and storage. Modern systems have technology that lets one create virtual machines to emulate what used to be physical, dedicated resources. This practice is known as virtualization and supports more scalable and dynamic environments.

A critical component of this technology is the hypervisor, the collection of software modules that enables this virtualization and thus enables multiple computing stacks – each made of an operating system (OS) and application programs – to be run on a single physical host. Such a physical host is called a Virtualized Host and is also referred to as a Hypervisor Host. The individual computing stacks are encapsulated in an artifact called a Virtual Machine (VM). To make a VM an independent executable entity, its definition should include resources, such as CPU and memory, allocated to it. The VMs are also called ‘Guests,’ and the OS running inside each of them is called ‘Guest OS.’ The resources associated with a VM are virtual resources, as opposed to physical resources associated with a physical host.

The hypervisor forms part of the virtualization layer in a virtualized host and plays many of the same roles that a conventional OS does on a non-virtualized host, or server. Just as a conventional OS provides isolation between the various applications, or processes, running on a server, the hypervisor provides isolation between one or more VMs running on it.
Also, like an OS, the hypervisor mediates access to physical resources across multiple VMs. Therefore, all other functions needed to support virtualization – such as emulation of network and storage devices and the management of VMs and the hypervisor itself – can be accomplished using kernel-loadable modules, although some hypervisor architectures accomplish these tasks using dedicated VMs. The hypervisor can be installed either directly on the hardware, or bare metal (Type 1 Hypervisor), or on top of a full-fledged conventional OS, called Host OS (Type 2 Hypervisor).

Here, we discuss the baseline functions of a hypervisor, how these functions are distributed in a hypervisor, and how this information is used to develop security recommendations that provide assurance against potential threats to the secure execution of tasks involved in the hypervisor’s baseline functions.

Hypervisor baseline functions

It might appear that all activities related to the secure management of a hypervisor and its hardware host – collectively called the hypervisor platform – should simply consist of established best practices for any server class software and its hosting environment. However, closer examination reveals that the unique functions provided by the Hypervisor Platform require a dedicated set of security considerations. These functions are called hypervisor baseline functions (HY-BF) and are labeled HY-BF1, HY-BF2, HY-BF3, HY-BF4, and HY-BF5. They are described below:

HY-BF1: VM process isolation
Scheduling of VMs for execution, management of the application processes running in VMs (e.g., CPU and memory management), and context switching between various processor states during the running of applications in VMs;

HY-BF2: Devices mediation & access control
Mediates access to all devices (e.g., network interface card [NIC], storage device such as IDE drive, etc.). One mediation approach is to emulate network and storage (block) devices that are expected by different native drivers in VMs by using emulation programs that run in the hypervisor kernel;

HY-BF3: Direct execution of commands from guest VMs
Certain commands from Guest OSs are executed directly by the hypervisor instead of being triggered through interrupts and context switching. This function applies to hypervisors that have implemented para-virtualization instead of full virtualization;

HY-BF4: VM lifecycle management
This baseline function involves all functions from creation and management of VM images, control of VM states (start, pause, stop, etc.), VM migration, VM monitoring, and policy enforcement; and

HY-BF5: Management of Hypervisor
This baseline function involves defining some artefacts and setting values for various configuration parameters in hypervisor software modules, including those for configuration of a Virtual Network inside the hypervisor.

NIST SP 800-125A provides detailed security guidance based on an analysis of threats to the integrity of all the above functions. The only exceptions are the set of guidelines for configuration of virtual network (subset of HY-BF5), which are covered in a separate document (NIST SP 800-125B).

The above functions are carried out by different hypervisor components, or software modules. There are some minor differences among hypervisor products in the way that they distribute these functions. The mapping of these functions to hypervisor components and the location of these components within a hypervisor architecture are described in the table below:

Approach for developing security recommendations

Developing security recommendations for the deployment and use of complex software such as the hypervisor requires knowledge of potential threats which, when exploited, would affect the three basic security properties – confidentiality, integrity, and availability – of hypervisor functions.
The approach adopted for developing security recommendations for the deployment of hypervisors in NIST SP 800-125A is as follows:

Ensure the integrity of all components of the hypervisor platform, starting from the host BIOS to all software modules of the hypervisor. This action is accomplished through a secure boot process, outlined as recommendation HY-SR1;

Identify the threat sources in a typical hypervisor platform. The nature of threats from rogue or compromised VMs is briefly discussed in SP 800-125A; and

For each of the five baseline functions HY-BF1 through HY-BF5 (except for HY-BF3, the direct execution of certain commands from guest VMs by the hypervisor), identify the different tasks under each function, and for each of the tasks, identify the potential threats to the secure execution of the task. The countermeasures that will provide assurance against exploitation of these threats…