Post on 02-Jun-2020
08/24/09
Secure Virtualization Using SELinux
Daniel J Walshdwalsh@redhat.com
Red Hat Summit 2009 | Daniel J Walsh2
Virtualization Dream
SANSAN
KVM
Individual Servers/Desktops
Consolidated Servers/Desktops
Consolidated StorageIndividual Storage
Red Hat Summit 2009 | Daniel J Walsh3
Host Kernel
User Space
Web App
host Kernel
User Space
DNS Server
Before Virtualization
Red Hat Summit 2009 | Daniel J Walsh4
After Virtualization
Host Hardwarememory/storage, etc.
Host Kernel
Guest Kernel
User Space
Web App
Guest Kernel
User Space
DNS Server
Red Hat Summit 2009 | Daniel J Walsh5
What could go wrong???
What could go wrong?
What could possibly go wrong?
Red Hat Summit 2009 | Daniel J Walsh6
Hypervisor vulnerabilities
● Not theoretical● Evolving field● Potentially huge payoffs● Xen already compromised...
Red Hat Summit 2009 | Daniel J Walsh7
XEN Vulnerabilityhttp://www.hacker-soft.net/Soft/Soft_13289.htm
The Challenges posed by SELinux are taken into consideration.
Red Hat Summit 2009 | Daniel J Walsh8
Host Hardwarememory/storage, etc.
Host Kernel
Guest Kernel
User Space
Web App
Guest Kernel
User Space
DNS Server
Local Exploits
Red Hat Summit 2009 | Daniel J Walsh9
Host Hardwarememory/storage, etc.
Host Kernel
Guest Kernel
User Space
Web App
Guest Kernel
User Space
DNS Server
Guest Kernel
User Space
DNS Server
Guest Kernel
User Space
DNS Server
Who is the weakest link?
Red Hat Summit 2009 | Daniel J Walsh10
Host Hardwarememory/storage, etc.
Host Kernel
Guest Kernel
User SpaceWeb
App
Guest Kernel
User SpaceDNS
Server
Host Hardwarememory/storage, etc.
Host Kernel
Guest Kernel
User SpaceWeb
App
Guest Kernel
User SpaceDNS
Server
Host Hardwarememory/storage, etc.
Host Kernel
Guest Kernel
User SpaceWeb
App
Guest Kernel
User SpaceDNS
Server
Red Hat Summit 2009 | Daniel J Walsh11
Hansel and Gretl?
Red Hat Summit 2009 | Daniel J Walsh12
Host Hardwarememory/storage, etc.
Host Kernel
Guest Kernel
User SpaceWeb
App
Guest Kernel
User SpaceDNS
Server
Host Hardwarememory/storage, etc.
Host Kernel
Guest Kernel
User SpaceWeb
App
Guest Kernel
User SpaceDNS
Server
Host Hardwarememory/storage, etc.
Host Kernel
Guest Kernel
User SpaceWeb
App
Guest Kernel
User SpaceDNS
Server
Red Hat Summit 2009 | Daniel J Walsh13
Host Hardwarememory/storage, etc.
Host Kernel
Guest Kernel
User SpaceWeb
App
Guest Kernel
User SpaceDNS
Server
Host Hardwarememory/storage, etc.
Host Kernel
Guest Kernel
User SpaceWeb
App
Guest Kernel
User SpaceDNS
Server
Host Hardwarememory/storage, etc.
Host Kernel
Guest Kernel
User SpaceWeb
App
Guest Kernel
User SpaceDNS
Server
CokeSecret
Formula
Red Hat Summit 2009 | Daniel J Walsh14
Enter SELinux..
SELinux is all about labeling● Processes get labels
● Virtual machines are processes!!!
● Files/Devices Get Labels● Virtual images are stored on files/devices!!!!
● Rules govern how Process Labels Interact with Process/File Labels.
● Kernel Enforces these Rules.
Red Hat Summit 2009 | Daniel J Walsh15
Svirt in a Nutshell
Isolate guests using Mandatory Access Control security policy
Contain Hypervisor Breaches
Red Hat Summit 2009 | Daniel J Walsh16
Libvirt – Dynamic Labeling
● Generates a Random unused MCS label.
● MCS – Multiple Category Security● Labels the image file/device - svirt_image_t:MCS1
● Launches the image - svirt_t:MCS1
● Labels R/O Content – virt_content_t:s0
● Labels Shared R/W Content – svirt_t:s0
● Labels image on completion - virt_image_t:s0
Red Hat Summit 2009 | Daniel J Walsh17
Host Hardwarememory/storage, etc.
Host Kernel
Guest Kernel
User Space
Web App
Guest Kernel
User Space
DNS Server
svirt_t:MCS1svirt_t:MCS2
SELinux
svirt_image_t:MCS1 svirt_image_t:MCS2
Red Hat Summit 2009 | Daniel J Walsh18
Libvirt – Static Label - MLS
Multi-Level Security
● Administrator must specify image label svirt_t:TopSecret
● Launches the image - svirt_t:TopSecret
● Libvirt will NOT label any content. Administrator responsible for labeling content.
Red Hat Summit 2009 | Daniel J Walsh19
Virt Manager
Red Hat Summit 2009 | Daniel J Walsh20
Host Hardwarememory/storage, etc.
Host Kernel
Guest Kernel
User Space
Web App
Guest Kernel
User Space
DNS Server
svirt_t:TopSecret
svirt_t:Unclassified
SELinux
svirt_image_t:TopSecret svirt_image_t:Unclassified
Red Hat Summit 2009 | Daniel J Walsh21
DEMO
Red Hat Summit 2009 | Daniel J Walsh22
Future Enhancements
● Different Types for confined guest● svirt_web_t – type
● only allow a guest virtual machine to listen on web ports
● Confine a Windows 2003 box to only run as a ISS server
● If corrupted it could not become a Spam Bot.
Red Hat Summit 2009 | Daniel J Walsh23
sVirt Project Page
● http://selinuxproject.org/page/SVirt