Open Source Security
Welcome at » 2009 » December

By Bryan Jacobson, Linux Technology Center.

While Virtualization offers many benefits, there can also be increased security risks. For example, consider a system running two hundred virtual images. All two hundred images are at risk if a flaw in the hypervisor (or configuration) allows any virtual guest to “break out” into the host environment and affect other virtual guests.

sVirt is a project to improve the security of Linux virtualization. Svirt applies the Mandatory Access Control (MAC) features of SELinux to strengthen the isolation between virtual images. Svirt works with KVM/QEMU and other Linux virtualization systems where the virtual image runs as a Linux user space process.

sVirt is a community project, with founding authors from Red Hat: Daniel Berrange, James Morris, and Dan Walsh. sVirt is integrated with libvirt.

One of my favorite sVirt use cases is: “Strongly isolating desktop applications by running them in separately labeled VMs (e.g. online banking in one VM and World of Warcraft in another; opening untrusted office documents in an isolated VM for view/print only).” (From the 8/11/2008 sVirt project announcement at www.redhat.com/archives/libvir-list/2008-August/msg00255.html).

The project announcement also identifies an excellent design goal: “Initially, sVirt should “just work” as a means to isolate VMs, with minimal administrative interaction. e.g. an option is added to virt-manager which allows a VM to be designated as “isolated”, and from then on, it is automatically run in a separate security context, with policy etc. being generated and managed by libvirt.”.

You can find a 48 minute video of James Morris’s February 2009 presentation on sVirt at Linux.conf.au: video.google.com/videoplay?docid=5750618585157629496#

Slides from that presentation are at: namei.org/presentations/svirt-lca-2009.pdf

Steve Hanna has written an excellent cloud security overview article A Security Analysis of Cloud Computing which talks about how trusted computing can help solve some of the cloud security problems.

Privacy concerns for the ages, is anonymity sufficient? Facebook and Google: Contrasts in Privacy Is privacy an illusion or a social contract? Blakley’s blog post Gartner gets privacy dead wrong debates the issue. Will Facebook users go along with Facebook’s new policies and the sense that their privacy was an illusion, or will they revolt, pile on EFF’s FTC complaint and leave Facebook in droves?

This article covers a lot of ground on the impact to security of virtualization and cloud adoption. I like it right up the the abrupt ending. Virtualization Adoption Slips.

Three just for fun:

SearchEnterpriseLinux.com has a 2009 retrospective of Linux activity: A look at Linux in the recession. Somehow I missed the news about Hannah Montana Linux.

An octopus and its travel trailer: Tool Use Found in Octopuses.

There is a new specialty of female bodyguards in Egypt.

Here are seven links that are worth the time that it takes to read them if you are interested in systems security.

The Evil Maid attacks again:

Two Trusted Computing articles:

An introduction to Tin Hat Linux which is a Linux distribution based on hardened Gentoo which “was conceived as a challenge to the old mantra that physical access to a system means full access to the data”.

Everybody is talking about the botnet on AWS: Zeus botnet finds hold in Amazon cloud. From now on, I fully expect that stories about botnets controlled from within a cloud will become a footnote, rather than noteworthy and they will be served with standard takedown notices.