
SecurityWeek

NIST Seeks Comment on Hypervisor Security Guide

The National Institute of Standards and Technology (NIST) has published a draft of a new guide whose goal is to provide security recommendations on deploying hypervisors.

The NIST Special Publication 800-125-A, published this week and titled “Security Recommendations for Hypervisor Deployment,” was authored by Dr. Ramaswamy Chandramouli, a supervisory computer scientist in the Computer Security Division of the Information Technology Laboratory at NIST.

Hypervisors, also known as virtualization managers, enable organizations to run multiple virtual machines (VMs), each consisting of an operating system and applications, on a single physical host. Hypervisors are increasingly used in enterprise data centers for hosting in-house applications, and for providing computing resources for cloud services, NIST said.

The guide provides a set of 22 recommendations covering both hypervisor platform architecture and hypervisor baseline functions.

From an architectural perspective, the aspects that need to be taken into consideration are the entity on which the hypervisor is installed (directly on hardware or over a full-fledged OS), the source of support for functions like memory and processor virtualization (hardware or software), and whether there is hardware support for boot integrity assurance.

As far as baseline functions are concerned, they consist of execution isolation for VMs, device emulation and access control, execution of privileged operations by the hypervisor for guest VMs, VM lifecycle management, and the administration of the hypervisor platform and software.

“The security recommendations with respect to hypervisor platform architectural choices merely highlight the ease of providing security assurance (due to size of attack surface, the size of trusted computing base (TCB) and hardware-assisted virtualization functions) in one architectural type compared to another and not with an intention to endorse any particular class of products,” the draft said.

“The security recommendations with respect to baseline functions are in terms of configuration choices, that ensure the secure execution of tasks performed under any of the five hypervisor baseline functions,” it added.

NIST encourages experts to check out the draft of the paper and provide feedback. Comments can be sent to [email protected] until November 10, 2014.

At the Black Hat USA 2014 security conference, Bromium researcher Rafal Wojtczuk disclosed the details of multiple vulnerabilities affecting Oracle’s VM VirtualBox. Wojtczuk warned that while hypervisor vulnerabilities are relatively rare, they do exist and they can pose a serious risk to enterprises if they are neglected.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
