
MID-022: Segmentation Through Hardware-assisted VMs

Mitigation Tier: Intermediate

Description

Virtual machines increase the isolation of software and data by virtualizing and partitioning the device hardware and giving each VM its own dedicated operating system kernel (unlike containers, which share the host kernel). This provides stronger separation than kernel-based containers (MID-015) or process separation (MID-013), at the cost of higher performance and memory overhead. A software compromise is contained within its VM even if the threat actor successfully exploits a privilege escalation vulnerability in that VM's OS kernel; code and data in other VMs remain protected as long as the hypervisor itself is not compromised (a VM escape).

Hardware-assisted Virtual Machines (VMs) take advantage of CPU extensions built specifically for virtualization (e.g. Intel VT-x, AMD-V, the Arm virtualization extensions) to enforce strict separation between VMs' RAM and other resources, with the CPU rather than hypervisor software performing the second-level address translation that keeps one VM's memory out of another's reach. A hypervisor that uses these features can provide a high degree of assurance in that separation with relatively little performance overhead compared to a purely software-based VM scheme (binary translation or full emulation). The hardware separation is extended to I/O by an IOMMU (e.g. Intel VT-d, AMD-Vi): a device passed through to a VM has its DMA remapped and restricted so it can reach only the memory of the VM it is assigned to (see MID-053). Without an active IOMMU, a device assigned to one VM can still DMA into any physical address, including other VMs and the hypervisor.
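The following shell script is an added example, not part of the EMB3D page or of any hypervisor project. It performs the checks a practitioner wants before relying on the separation described above: that the CPU virtualization extension is present and the hypervisor could actually use it, that the IOMMU is active, and that a PCI device intended for a guest sits in an IOMMU group whose every member is bound to vfio-pci (the IOMMU separates at group granularity, so a sibling device still driven by the host would undermine the guest's DMA isolation). The Linux paths (/proc/cpuinfo, /dev/kvm, /sys/kernel/iommu_groups) and the vfio-pci driver name are assumptions about a Linux/KVM host; the cpuinfo text and the sysfs-style tree built by make_sample_tree are constructed for illustration.

```shell
#!/bin/sh
# Added example for MID-022 (not from the EMB3D page or a hypervisor project):
# pre-deployment checks that the hardware features a hardware-assisted
# hypervisor depends on are live, and that a PCI device meant for a guest is
# isolated at IOMMU-group granularity. Each check takes its input (text or a
# sysfs-style directory) as an argument, so it runs unchanged against the live
# host and against the constructed sample tree built by make_sample_tree.

# Constructed /proc/cpuinfo excerpt (not captured from a real machine).
SAMPLE_CPUINFO='processor   : 0
vendor_id   : GenuineIntel
flags       : fpu vme de pse tsc msr pae mce cx8 apic sep pge cmov mmx fxsr sse sse2 ht nx lm vmx smx est ssse3
bugs        : spectre_v1 spectre_v2'

# cpu_virt_ext CPUINFO_TEXT : prints vmx (Intel VT-x), svm (AMD-V) or none.
# The CPUID flag does not prove firmware left the feature enabled; pair it
# with hypervisor_ready.
cpu_virt_ext() {
    flags=$(printf ' %s ' "$1" | tr -s '[:space:]' ' ')
    case "$flags" in
        *" vmx "*) echo vmx ;;
        *" svm "*) echo svm ;;
        *)         echo none ;;
    esac
}

# hypervisor_ready DEV_DIR : 0 when the in-kernel hypervisor exposed its device
# node (DEV_DIR/kvm for Linux/KVM). Missing while vmx/svm is present usually
# means virtualization is disabled in firmware.
hypervisor_ready() {
    [ -e "$1/kvm" ]
}

# iommu_active GROUPS_DIR : 0 when the kernel created at least one IOMMU group
# (/sys/kernel/iommu_groups on Linux). No groups means DMA remapping is off, so
# device assignment would not be hardware-separated.
iommu_active() {
    for g in "$1"/*; do
        [ -d "$g" ] && return 0
    done
    return 1
}

# group_isolated GROUP_DIR : 0 when every device in the group is bound to
# vfio-pci. The IOMMU cannot separate devices that share a group, so a sibling
# still driven by the host would let its DMA reach the guest's memory.
group_isolated() {
    for dev in "$1"/devices/*; do
        [ -e "$dev" ] || return 1            # empty group: nothing to assign
        drv=$(readlink "$dev/driver" 2>/dev/null || echo none)
        [ "$(basename "$drv")" = vfio-pci ] || return 1
    done
    return 0
}

# make_sample_tree DIR : constructed sysfs/dev-style tree (not a real host):
# group 13 fully bound to vfio-pci, group 14 with one device still on e1000e.
make_sample_tree() {
    mkdir -p "$1/dev" "$1/iommu_groups/13/devices/0000:01:00.0" \
        "$1/iommu_groups/14/devices/0000:02:00.0" \
        "$1/iommu_groups/14/devices/0000:02:00.1"
    : > "$1/dev/kvm"
    ln -s ../../drivers/vfio-pci "$1/iommu_groups/13/devices/0000:01:00.0/driver"
    ln -s ../../drivers/vfio-pci "$1/iommu_groups/14/devices/0000:02:00.0/driver"
    ln -s ../../drivers/e1000e   "$1/iommu_groups/14/devices/0000:02:00.1/driver"
}

# host_report : runs every check against the live Linux host and returns 0 only
# when the platform can provide the separation MID-022 describes.
host_report() {
    fail=0
    ext=$(cpu_virt_ext "$(cat /proc/cpuinfo 2>/dev/null)")
    echo "cpu virtualization extension: $ext"
    [ "$ext" != none ] || fail=1
    if hypervisor_ready /dev; then echo "hypervisor device node: present"
    else echo "hypervisor device node: missing (disabled in firmware?)"; fail=1; fi
    if iommu_active /sys/kernel/iommu_groups; then echo "iommu groups: present"
    else echo "iommu groups: none (enable the IOMMU in firmware and kernel)"; fail=1; fi
    for g in /sys/kernel/iommu_groups/*; do
        [ -d "$g" ] || continue
        if group_isolated "$g"; then echo "group $(basename "$g"): all vfio-pci, assignable"
        else echo "group $(basename "$g"): has host-driven device, do not assign"; fi
    done
    return $fail
}

# demo : exercises the checks on the constructed tree.
demo() {
    tmp=$(mktemp -d)
    make_sample_tree "$tmp"
    echo "sample cpu extension: $(cpu_virt_ext "$SAMPLE_CPUINFO")"
    for g in "$tmp"/iommu_groups/*; do
        if group_isolated "$g"; then echo "sample group $(basename "$g"): isolated"
        else echo "sample group $(basename "$g"): shared with host driver"; fi
    done
    rm -rf "$tmp"
}

case "${1:-demo}" in
    --host) host_report ;;
    *)      demo ;;
esac
```

Run it without arguments to see the checks applied to the constructed tree, or with `--host` on a Linux/KVM machine to audit the real platform; a non-zero exit from `--host` means the hardware separation this mitigation depends on is not actually in force. The group check mirrors the rule that vfio itself enforces (it refuses to open a group with host-bound siblings), but running it ahead of deployment turns a late runtime failure into a design-time finding about which devices can be safely assigned.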

Note: Implementing this mitigation will likely expose devices to threats associated with PID-242 - Device includes hypervisor.

IEC 62443 4-2 Mappings

  • CR 2.1 – Authorization enforcement (1) Authorization enforcement for all users (humans, software processes and devices)
