The National Institute of Standards and Technology (NIST) has published a draft of a new guide whose goal is to provide security recommendations on deploying hypervisors.
The NIST Special Publication 800-125-A, published this week and titled “Security Recommendations for Hypervisor Deployment,” was authored by Dr. Ramaswamy Chandramouli, a supervisory computer scientist in the Computer Security Division of the Information Technology Laboratory at NIST.
Hypervisors, also known as virtualization managers, enable organizations to run multiple virtual machines (VMs), consisting of operating system and applications, on a single physical host. Hypervisors are increasingly used in enterprise data centers for hosting in-house applications, and for providing computing resources for cloud services, NIST said.
The guide provides a set of 22 recommendations related to both hypervisor platform architecture, and hypervisor baseline functions.
From an architectural perspective, the aspects that need to be taken into consideration are the entity on which the hypervisor is installed (directly on hardware or over a full-fledged OS), source of support for functions like memory and processor virtualization (hardware or software), and if there is hardware support for boot integrity assurance.
As far as baseline functions are concerned, they consist of execution isolation for VMs, device emulation and access control, execution of privileged operations by the hypervisor for guest VMs, VM lifecycle management, and the administration of the hypervisor platform and software.
“The security recommendations with respect to hypervisor platform architectural choices merely highlight the ease of providing security assurance (due to size of at tack surface, the size of trusted computing base (TCB) and hardware – assisted virtualization functions) in one architectural type compared to another and not with an intention to endorse any particular class of products,” the draft said.
“The security recommendations with respect to baseline functions are in terms of configuration choices, that ensure the secure execution of tasks performed under any of the five hypervisor baseline functions,” it added.
NIST encourages experts to check out the draft of the paper and provide feedback. Comments can be sent to mouli@nist.gov until November 10, 2014.
At the Black Hat USA 2014 security conference, Bromium researcher Rafal Wojtczuk disclosed the details of multiple vulnerabilities affecting Oracle’s VM VirtualBox. Wojtczuk warned that while hypervisor vulnerabilities are relatively rare, they do exist and they can pose a serious risk to enterprises if they are neglected.