Threat isolation! Use SELinux to protect Virtualization

Source: Internet
Author: User

[Bkjia.com exclusive translation] Virtualization is considered a technological revolution in the history of computing. It shows great advantages in resource allocation, system administration, power and cooling, and in expanding or shrinking resources on demand. Although everyone is talking about virtualization and everyone is ready to adopt it, the lingering shadow of virtualization, its security problems, still discourages many people.

How secure is virtualization?

What happens when attackers break into a virtual machine and take full control of it? And what happens if the hypervisor itself has a bug?

Before virtualization, servers were isolated from each other. After attackers broke into one server, they controlled only that server; to take over other servers on the network they had to launch network attacks against them, and system administrators have many tools to detect and block network attacks, such as firewalls, network traffic analysis tools, and intrusion detection systems.

After virtualization, multiple services run on the same physical host. If one virtual machine is compromised, attackers only need to break the hypervisor to take down every service. If the hypervisor has a vulnerability, attackers can take over all the virtual machines hosted on that machine, or even write malicious code into any virtual machine image the host can access directly.

It sounds terrible, and the question now is how to deal with this situation. Attackers are increasingly interested in hypervisor vulnerabilities; not long ago, the Xen hypervisor was cracked. (BKJIA Wang Wenwen: VMware has run into similar problems, and is now using RSA authentication technology to mitigate threats to the virtual data center. Setting identity authentication technology aside, let's look at the SELinux protection method described in this article.)

Now let's look at libvirt/qemu/kvm. In Fedora 11, libvirt starts all virtual machines, each virtual machine runs as a separate process, and virtual machine images are stored either as files or as devices such as logical volumes and iSCSI targets.

Is SELinux really useful here?

SELinux labels processes, files, and devices, and defines the rules by which labeled processes, files, and devices may interact. SELinux can therefore reduce the scope of the damage caused by a hypervisor vulnerability.

If you have read the write-up of the Xen vulnerability, you know that the attacker was able to bypass the SELinux protection in RHEL 5: the Xen process, labeled xend_t, is allowed to read and write every fixed disk labeled fixed_disk_device_t, so by writing directly to a physical disk the attacker could get around SELinux's restrictions. When I wrote the Xen policy for RHEL 5, the original design required the administrator to label Xen image devices and volumes as xen_image_t. The Xen developers felt this was too hard for administrators to manage and would cause many failures, and we had no time to build management tools to automate it. Everyone felt that usability mattered more than security in this case, and I had to agree with them.

In Fedora 11, James Morris, Daniel Berrange, I and others added SELinux support to libvirt, forming sVirt. We added a plug-in architecture to libvirt, with SELinux protection enabled by default; in theory, other security architectures could be plugged in as well. libvirt dynamically labels the image file and starts the virtual machine with the correct label, so the administrator does not have to remember which label to set on image files and devices. In F11, all virtual machines are labeled with the svirt_t type by default, and all image files are labeled with the svirt_image_t type.

The SELinux policy states that svirt_t processes can read and write svirt_image_t files and devices.

This protection lets us protect the host from any virtual machine: a virtual machine can only interact with correctly labeled files and devices. A compromised virtual machine cannot access my home directory, even if the virtual machine runs as root.

However, this kind of protection cannot prevent one virtual machine from attacking another, because every domain and every image file is labeled with the same type. If VM 1, running as svirt_t, is compromised, it can attack VM 2, which also runs as svirt_t.

Multi-Category Security (MCS) Protection

When developing RHEL 5, we added MCS support, which included adding a fourth field to the SELinux context.

In RHEL 4, an SELinux context had only three fields: "user:role:type". In RHEL 5 a fourth field was added: "user:role:type:MLS". For example, a file in a home directory might be labeled system_u:system_r:user_home_t:TopSecretRecipe. The MLS field defines a sensitivity level (s0-s15) and a set of categories (c0.c1023); in this example, TopSecretRecipe is a human-readable translation of a field such as s15:c0.c36. The MLS field allows an MLS machine to label files not only by their owner (user_home_t in this example) but also by the sensitivity of their contents, such as TopSecretRecipe.

This field is used only in the MLS policy, and we tried to use it in the default (targeted) policy as well by defining only one sensitivity level (s0) and letting the administrator define categories; we called this Multi-Category Security (MCS). It lets administrators and users label files by the nature of their contents: system_u:object_r:database_t:patientRecord, for example, might be a database containing patient records. Unfortunately, MCS has not been widely used, for various reasons.

However, when developing sVirt we realized that we could use MCS to isolate two virtual machines that share the same SELinux type svirt_t. We designed libvirt to assign a different, randomly selected MCS label to each virtual machine and its associated image. libvirt ensures that the chosen MCS field is unique, and SELinux prevents virtual machines running with different MCS fields from interacting, so the virtual machines cannot attack each other.

For example, libvirt uses the following labels to create two virtual images:

SELinux blocks Virtual Machine 1 (system_u:system_r:svirt_t:s0:c0,c10) from accessing the image file of Virtual Machine 2 (system_u:object_r:svirt_image_t:s0:c101,c230), so these two VMs cannot attack each other.
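To make the MCS decision concrete, here is an added example (not code from the article or from libvirt) that models the two checks described above: the type-enforcement rule that lets svirt_t touch svirt_image_t, and the MCS constraint that the subject's category set must contain the object's. The four contexts are the article's own example labels; the TE rule set and the pair-allocation routine are simplified stand-ins for the real policy and for libvirt's label selection.

```python
import random
import re

# Constructed contexts taken from the article's example: each VM and its own
# image share one random category pair, and the two pairs are different.
VM1 = "system_u:system_r:svirt_t:s0:c0,c10"
IMG1 = "system_u:object_r:svirt_image_t:s0:c0,c10"
VM2 = "system_u:system_r:svirt_t:s0:c101,c230"
IMG2 = "system_u:object_r:svirt_image_t:s0:c101,c230"

# Type-enforcement rule from the article: svirt_t may read/write svirt_image_t.
TE_RULES = {("svirt_t", "svirt_image_t")}


def expand_categories(spec):
    """Expand 'c0,c10' or a range like 'c0.c1023' into a set of integers."""
    cats = set()
    for part in filter(None, spec.split(",")):
        m = re.fullmatch(r"c(\d+)(?:\.c(\d+))?", part)
        if not m:
            raise ValueError("bad category spec: " + part)
        lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
        cats.update(range(lo, hi + 1))
    return cats


def parse_context(ctx):
    """Split 'user:role:type:sN:cats' into (user, role, type, N, category set)."""
    user, role, typ, level = ctx.split(":", 3)
    sens, _, cats = level.partition(":")
    return user, role, typ, int(sens[1:]), expand_categories(cats)


def allowed(subject_ctx, object_ctx):
    """Grant access only if a TE rule covers the type pair AND the subject's level
    dominates the object's: same-or-higher sensitivity and a superset of its
    categories (the MCS constraint; single levels only, ranges are not modeled)."""
    _, _, styp, ssens, scats = parse_context(subject_ctx)
    _, _, otyp, osens, ocats = parse_context(object_ctx)
    return (styp, otyp) in TE_RULES and ssens >= osens and ocats <= scats


def allocate_mcs(used, rng=random):
    """Pick a fresh random category pair, retrying until it is unused, as a dynamic
    sVirt label is chosen. Since every VM gets exactly two categories, a unique
    pair is enough: neither VM's category set can contain the other's."""
    while True:
        pair = frozenset(rng.sample(range(1024), 2))
        if pair not in used:
            used.add(pair)
            return "s0:" + ",".join("c%d" % c for c in sorted(pair))
```

Running `allowed(VM1, IMG2)` returns False even though both types are permitted to interact, which is exactly the separation the article relies on.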

The labels specified by libvirt are as follows:

We also added static labeling to sVirt. A static label lets the administrator choose a specific label for the VM, including its MCS/MLS field; the VM always starts with that label, and the administrator of a static virtual machine is responsible for setting the correct label on its image files. libvirt never modifies the context of a static virtual machine. This lets the sVirt components run in an MLS environment, where multiple virtual machines at different sensitivity levels can run on one libvirt system.
