Open Source Security
Welcome at » virtualization

by George Wilson, IBM Linux Technology Center

I was recently reading through the NIST “Draft Guide to Security for Full Virtualization Technologies” (SP 800-125 draft) []. It discusses various considerations relating to hypervisor security. One section that particularly struck me was the comparison of bare metal vs hosted hypervisors. These are also known as Type I and Type II hypervisors, respectively. The document states that choosing between them is a critical security decision. That started me wondering if it is actually true that Type I hypervisors offer superior security to Type II hypervisors. While a Type I hypervisor may have a small kernel, it relies on and trusts an entire OS instance in the resource-owning partition (Dom0 in Xen parlance) for device access. So while it might at first blush appear that a Type I hypervisor has a much smaller TCB than a Type II, the TCB is really just in a different place. Given imperfect knowledge of the implementations and similar size, complexity, and maturity, it would seem that Type I and Type II hypervisors would in general offer similar security. I can’t find any solid evidence to the contrary. I’d love to hear from someone who can clarify why the Type I vs Type II distinction is in any way a major factor in hypervisor security analysis.

By Bryan Jacobson, Linux Technology Center.

While Virtualization offers many benefits, there can also be increased security risks. For example, consider a system running two hundred virtual images. All two hundred images are at risk if a flaw in the hypervisor (or configuration) allows any virtual guest to “break out” into the host environment and affect other virtual guests.

sVirt is a project to improve the security of Linux virtualization. Svirt applies the Mandatory Access Control (MAC) features of SELinux to strengthen the isolation between virtual images. Svirt works with KVM/QEMU and other Linux virtualization systems where the virtual image runs as a Linux user space process.

sVirt is a community project, with founding authors from Red Hat: Daniel Berrange, James Morris, and Dan Walsh. sVirt is integrated with libvirt.

One of my favorite sVirt use cases is: “Strongly isolating desktop applications by running them in separately labeled VMs (e.g. online banking in one VM and World of Warcraft in another; opening untrusted office documents in an isolated VM for view/print only).” (From the 8/11/2008 sVirt project announcement at

The project announcement also identifies an excellent design goal: “Initially, sVirt should “just work” as a means to isolate VMs, with minimal administrative interaction. e.g. an option is added to virt-manager which allows a VM to be designated as “isolated”, and from then on, it is automatically run in a separate security context, with policy etc. being generated and managed by libvirt.”.

You can find a 48 minute video of James Morris’s February 2009 presentation on sVirt at

Slides from that presentation are at:

By Bryan Jacobson, Linux Technology Center.

Tyler Hicks (from our team) recently attended the 5/25-29 Ubuntu Developers Summit for Karmic Koala in Barcelona, Spain.

Some of Tyler’s observations on Security topics:

  • There are quite a few eCryptfs users out there and they are generally happy with the version shipped in Jaunty. Most were using the encrypted home feature, but some wanted more flexibility and had custom setups.
  • eCryptfs encrypted swap is on the roadmap for Karmic.
  • Michael Rooney has been working on graphical applications to compliment some of the eCryptfs userspace tools that are currently bound to the command line.
  • Tyler held an eCryptfs roadmap talk about future eCryptfs features: eCryptfs on top of popular network filesystems, improved key management, and asking for someone interested in completing the eCryptfs GPG key module.

Some general observations from Tyler:

  • Ubuntu would like to be the premier guest available in Amazon EC2.
  • Ubuntu users will soon have a daily build of the virtualization stack available, which is a big win for both the upstream developers and the users.
  • Dustin Kirkland gave a talk on leveraging the cloud for data center power savings.
  • The Ubuntu kernel team committed to removing non-upstream kernel code that no one is using anymore.

See the whole story on Tyler blog at:

Joe Herrick has written a very interesting article about security in a virtualized environment: Virtualization security heats up in which he states that 43% of the readers of iTnews have completely disregarded the issue. This article reviews current thoughts about virtualization security and puts virtualization security best practices into print: “Defense in depth and proper virtual machine layout and design, including not mixing VMs with different security postures and requirements on the same host system, are crucial.” (A more detailed list is included later in the article.) This article also carries the meme that open source is more secure: “The million-dollar question here: Is it safer to rely on the open source community to vet and test Xen, or are VMware and other vendors of proprietary hypervisors the best path to secure hosts?” An interesting bit of news that I somehow completely missed: “XenEnterprise has endured the pokes and prods of the open source community, earning a Common Criteria Level 5 rating.” Wow! Congratulations to them! Buried in the middle of the article is how Trusted Computing can help secure this environment. It was nice to see the topic discussed without all of the usual political rhetoric and just the technical features analyzed for their enterprise applicability. Very interesting and educational article. Thanks!

UPDATE: I can’t find any independent verification that XenSource completed an evaluation at EAL5 unfortunately.