Last year I submitted my Master’s thesis, “Secure Operation of Existing Applications in the Corporate Environment with Open Source Tools”, and successfully earned my degree in IT from Bremen University of Applied Sciences. My research focused in particular on the differences between server virtualization and operating system virtualization and on the security-related advantages and disadvantages of each; at the time, operating system virtualization had been examined far less thoroughly.
Since I imagine this topic is of interest to some of you as well, I have summarized the most important findings of my work here:
Starting situation: Operation of third-party applications
The topic was developed independently of, and in parallel to, the “Safer Apps” research project with the German Research Center for Artificial Intelligence (DFKI). The aim of that project, which runs until 2017, is to document comprehensively the rights that third-party applications require, so that those responsible for IT can decide whether running a given third-party application is compatible with their corporate security regulations.
My Master’s thesis, in turn, focused on the secure operation and monitoring of existing applications in the corporate environment. The primary question was: what options exist for virtualizing Open Source applications, and how is the security of the corporate environment guaranteed? Key components of the investigation were the state of the art in virtualization and the security mechanisms available when running it on Linux.
Virtualization procedure with the Linux kernel
In terms of virtualization, two different procedures are generally distinguished:
Server virtualization
In server virtualization, a complete guest operating system is provided with shared, virtual resources. The hypervisor manages the required resources in an intermediate layer and maps them onto the real hardware. Virtualized servers in this form also supply the basis of cloud computing, where computing capacity is provided as a service.
Operating system virtualization
Compared with server virtualization, operating system virtualization dispenses with this intermediate layer and instead runs processes on the same system, separated from each other. Existing functionality of the Linux kernel is used to isolate the processes and restrict their access rights. The shorter processing chain brings speed advantages but also carries additional risks. For example, the kernel cannot distinguish between the root users of the guest and host systems.
Rather than installing a server from the manufacturer’s installation CD, operating system virtualization ships only the application, bundled with its required dependencies. Because third-party applications then run on the same kernel as the host, guaranteeing security when running them is all the more important.
Risk assessment using threat modeling based on the BSI guidelines
Threat modeling is particularly helpful for assessing the risk of server virtualization compared with operating system virtualization. The threat modeling method I used was derived from the IT-Grundschutz Methodology published by the German Federal Office for Information Security (BSI).
The Master’s thesis examined two damage scenarios: excessive strain on resources, and breaking out of an isolated environment. Feeding these scenarios into a risk analysis makes it possible to assess the possible consequences for security and then to select suitable safeguarding countermeasures.
Tools for intensified security and monitoring
In its default configuration, the Linux kernel controls process access to files only through user and group permissions for reading, writing and execution. This mechanism can be extended with additional security checks through the Linux Security Modules (LSM) interface in the Linux kernel. Because the interface sits at kernel level, once activated on a host system it works independently of the virtualization procedure employed.
For the prototype, Security-Enhanced Linux (SELinux) was used as the LSM-based security extension of the Linux kernel. The mandatory access control it adds enables the host system’s Linux kernel to identify undesirable requests by the privileged root user and to distinguish between guest and host system. A Security Information and Event Management (SIEM) system was employed for logging and detecting security breaches.
Both virtualization procedures were used in parallel for the prototypes: KVM (Kernel-based Virtual Machine) provided the server virtualization via UVMM, and Docker was used for the operating system virtualization. For SELinux, the rules of the Docker policy were ported from Fedora to Debian and adapted. OSSIM (the Open Source SIEM) served as the SIEM system, generating alarm notifications from log files.
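The two points made above (the kernel seeing the same uid 0 in every container, and SELinux letting the host kernel tell guest and host apart) can be illustrated with a small model of the access decision. The following Python is an added example, not code from the thesis, from Docker or from SELinux: it runs a discretionary check first and then, when MAC is enabled, a type-enforcement rule lookup followed by an MCS dominance check, which is the mechanism the Docker policy uses to give each container its own category pair. The type names follow the Fedora Docker policy of that era only as an illustration; the rule table, the labels and the file modes are constructed, and the model applies MCS dominance to every type, whereas the real policy constrains only selected types.

```python
"""Toy model of the access decision a host kernel makes for a container process.

Added example, not code from the thesis, Docker or SELinux. DAC alone sees
uid 0 in every container and lets it through; type enforcement and the MCS
categories assigned per container let the host kernel tell containers apart
from each other and from the host. Type names follow the Fedora Docker policy
only as an illustration; the rule set and labels are constructed, and MCS
dominance is applied to every type here, unlike the real policy.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Level:
    """An MCS level: sensitivity s<N> plus a set of category numbers."""
    sensitivity: int
    categories: frozenset

    def dominates(self, other):
        # A subject may touch an object only if it dominates the object's level:
        # equal-or-higher sensitivity and a superset of the object's categories.
        return (self.sensitivity >= other.sensitivity
                and self.categories >= other.categories)


@dataclass(frozen=True)
class Context:
    """user:role:type:level, as shown by `ls -Z` or `ps -Z`."""
    user: str
    role: str
    type: str
    level: Level


def parse_level(text):
    """Parse 's0', 's0:c1,c2' or the range form 's0:c1.c3' (c1 through c3)."""
    sens, _, cats = text.partition(":")
    categories = set()
    for item in cats.split(",") if cats else []:
        if "." in item:
            lo, hi = item.split(".")
            categories.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            categories.add(int(item[1:]))
    return Level(int(sens[1:]), frozenset(categories))


def parse_context(text):
    user, role, type_, level = text.split(":", 3)
    return Context(user, role, type_, parse_level(level))


# Constructed subset of type-enforcement allow rules in the spirit of the
# Docker policy: (source type, target type) -> permitted file permissions.
# No rule names shadow_t, so container processes never reach /etc/shadow.
TE_RULES = {
    ("svirt_lxc_net_t", "svirt_sandbox_file_t"): {"read", "write"},
    ("svirt_lxc_net_t", "etc_t"): {"read"},
}


def dac_allows(uid, owner_uid, mode, perm):
    """Classic discretionary check: root bypasses it, others use the mode bits."""
    if uid == 0:
        return True
    bit = {"read": 4, "write": 2}[perm]
    shift = 6 if uid == owner_uid else 0   # owner bits or "other" bits; group omitted
    return bool((mode >> shift) & bit)


def access_allowed(uid, scontext, owner_uid, mode, tcontext, perm, mac=True):
    """Return the decision together with the layer that produced it."""
    if not dac_allows(uid, owner_uid, mode, perm):
        return "denied (DAC)"
    if mac:
        subj, obj = parse_context(scontext), parse_context(tcontext)
        if perm not in TE_RULES.get((subj.type, obj.type), set()):
            return "denied (TE)"
        if not subj.level.dominates(obj.level):
            return "denied (MCS)"
    return "allowed"


# Constructed labels: two containers with disjoint category pairs, plus a host file.
CONTAINER_A = "system_u:system_r:svirt_lxc_net_t:s0:c1,c2"
CONTAINER_B = "system_u:system_r:svirt_lxc_net_t:s0:c3,c4"
FILE_A = "system_u:object_r:svirt_sandbox_file_t:s0:c1,c2"
FILE_B = "system_u:object_r:svirt_sandbox_file_t:s0:c3,c4"
HOST_SHADOW = "system_u:object_r:shadow_t:s0"


def demo(mac=True):
    """Root inside container A (uid 0) reading three files, with or without MAC."""
    return {
        "own file": access_allowed(0, CONTAINER_A, 0, 0o600, FILE_A, "read", mac),
        "container B file": access_allowed(0, CONTAINER_A, 0, 0o600, FILE_B, "read", mac),
        "host /etc/shadow": access_allowed(0, CONTAINER_A, 0, 0o600, HOST_SHADOW, "read", mac),
    }


if __name__ == "__main__":
    for label, enabled in (("DAC only", False), ("DAC + SELinux", True)):
        print(label, demo(enabled))
```

With MAC switched off, all three reads succeed because the kernel sees only uid 0; with it switched on, the read of container B's file fails on the MCS categories and the read of the host's shadow file fails on type enforcement, which is exactly the distinction between guest and host root that the paragraph above attributes to SELinux.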
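The SIEM's task in this setup is to turn SELinux denials in the audit log into alarms. The following Python is an added example, not the thesis's OSSIM configuration and not OSSIM code: it parses AVC records in the format the kernel writes to the audit log, decides for each record whether a container process was denied access to its own sandbox files, to another container's files, or to a host-labelled object, flags denials recorded while the policy was in permissive mode (in which case the access actually went through), and escalates once a container accumulates several host-object denials. The container and sandbox type names, the threshold, and all audit lines are constructed for the example.

```python
"""SIEM-style detection over SELinux AVC records from a container host.

Added example, not OSSIM code and not the thesis's configuration. It reads
audit-log lines, keeps the AVC decisions, and grades container denials by
what the container was trying to reach. Type names, threshold and sample
lines are constructed.
"""
import re
from collections import Counter

CONTAINER_TYPES = {"svirt_lxc_net_t", "container_t"}              # container process types
SANDBOX_FILE_TYPES = {"svirt_sandbox_file_t", "container_file_t"}  # files meant for containers

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for an AVC record, or None for any other audit record."""
    m = AVC_RE.match(line)
    if not m:
        return None
    event = {"ts": float(m["ts"]), "result": m["result"], "perms": m["perms"].split()}
    for key, value in FIELD_RE.findall(m["fields"]):
        event[key] = value.strip('"')
    return event


def context_type(ctx):
    return ctx.split(":")[2]


def context_cats(ctx):
    """Category set of a context's MCS level, as strings ('c1', 'c2')."""
    level = ctx.split(":", 3)[3]
    _, _, cats = level.partition(":")
    return frozenset(cats.split(",")) if cats else frozenset()


def classify(event):
    """Return (severity, reason) for a container denial, or None if uninteresting."""
    if event is None or event["result"] != "denied":
        return None
    src, tgt = context_type(event["scontext"]), context_type(event["tcontext"])
    if src not in CONTAINER_TYPES:
        return None
    if event.get("permissive") == "1":
        return ("critical", "denial not enforced: host policy is in permissive mode")
    if tgt not in SANDBOX_FILE_TYPES and tgt not in CONTAINER_TYPES:
        return ("high", f"container process denied access to host object of type {tgt}")
    if context_cats(event["scontext"]) != context_cats(event["tcontext"]):
        return ("medium", "cross-container access blocked by MCS categories")
    return ("low", "denial inside the container's own sandbox")


def alerts(lines, threshold=3):
    """Run the rules over raw audit lines; escalate repeated host-object hits per container."""
    found, repeats = [], Counter()
    for line in lines:
        event = parse_avc(line)
        verdict = classify(event)
        if verdict is None:
            continue
        severity, reason = verdict
        base = {"ts": event["ts"], "pid": event.get("pid"), "comm": event.get("comm"),
                "scontext": event["scontext"]}
        found.append({**base, "severity": severity, "reason": reason})
        if severity in ("high", "critical"):
            repeats[event["scontext"]] += 1
            if repeats[event["scontext"]] == threshold:
                found.append({**base, "severity": "critical",
                              "reason": f"{threshold} host-object denials from one container"})
    return found


# Constructed audit lines: container A carries categories c1,c2; container B c3,c4.
SAMPLE_AUDIT_LOG = [
    'type=AVC msg=audit(1428123456.101:201): avc:  denied  { write } for  pid=2001 comm="app" name="cache.db" dev="sda1" ino=101 scontext=system_u:system_r:svirt_lxc_net_t:s0:c1,c2 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c1,c2 tclass=file permissive=0',
    'type=AVC msg=audit(1428123456.202:202): avc:  denied  { read } for  pid=2001 comm="cat" name="shadow" dev="sda1" ino=102 scontext=system_u:system_r:svirt_lxc_net_t:s0:c1,c2 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1428123456.303:203): avc:  denied  { read } for  pid=2001 comm="cat" name="secret.txt" dev="sda1" ino=103 scontext=system_u:system_r:svirt_lxc_net_t:s0:c1,c2 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c3,c4 tclass=file permissive=0',
    'type=AVC msg=audit(1428123456.404:204): avc:  denied  { read } for  pid=2001 comm="cat" name="shadow" dev="sda1" ino=102 scontext=system_u:system_r:svirt_lxc_net_t:s0:c1,c2 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1',
    'type=SYSCALL msg=audit(1428123456.404:204): arch=c000003e syscall=2 success=yes exit=3',
    'type=AVC msg=audit(1428123456.505:205): avc:  denied  { read } for  pid=900 comm="sshd" name="hosts" dev="sda1" ino=104 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1428123456.606:206): avc:  denied  { read } for  pid=2001 comm="cat" name="passwd" dev="sda1" ino=105 scontext=system_u:system_r:svirt_lxc_net_t:s0:c1,c2 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0',
]

if __name__ == "__main__":
    for alert in alerts(SAMPLE_AUDIT_LOG):
        print(alert["severity"].upper(), alert["pid"], alert["comm"], alert["reason"])
```

The grading follows the two damage scenarios from the risk analysis: a denial that stays within a container's own sandbox is noise, a denial against another container's categories or against a host-labelled object points towards an attempted breakout, and a denial logged with permissive=1 deserves the highest severity because the kernel recorded it without blocking it. In a real deployment the SYSCALL record that shares the serial number with an AVC record would be joined to it for the full command line.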
Summary and solution suggestion
While KVM, the server virtualization solution for complete virtualization and the emulation of complete hardware systems, can look back on ten years of development and refinement since its launch in 2006, the operating system virtualization concept Docker, which encapsulates processes or similar operating systems, is still in its development stage. KVM’s strengths lie in the free choice of the virtualized operating system and in clear, secure partitioning.
Docker is practical when only certain applications and their required dependencies are to be run separately from the rest. Because guest and host systems share the Linux kernel in this setup, additional safeguarding at kernel level is necessary. Using SELinux via the kernel’s existing Linux Security Modules (LSM) interface, together with OSSIM for concurrent evaluation of log files and for reporting security breaches via alarm notifications, can be a practical solution.
This combination allows a company to separate existing applications into virtualized containers and run them safely with the help of Open Source tools.
For further information on my research and the findings it revealed, please consult my Master’s thesis.