
MID-023: Hypervisor Hardening

Mitigation Tier: Intermediate

Description

Highly privileged hypervisor software is required to orchestrate and manage the execution of multiple virtual machines. The hypervisor brokers the access guest VMs have to virtual and physical hardware resources and to any support services implemented by the hypervisor itself. Because of its privilege level, the hypervisor must be hardened against compromise, a multi-faceted process that can involve multiple technical controls to increase hypervisor security.

Hypervisor-side software components that implement hypervisor service APIs and the virtual hardware devices exposed to guest VMs should be isolated and sandboxed with minimal privileges, so that a compromise of one of those components cannot spread to more privileged domains within the hypervisor context. For example, in a hypervisor/host-OS combination based on Linux’s KVM features, the software process implementing each VM could be run with reduced privileges and under a restrictive SELinux policy [4].
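As an added example (not from this page or from Red Hat's documentation), the following shell script audits `ps -eZ` output on a KVM host for the per-VM confinement sVirt is meant to provide: each VM process should run under the confined svirt_t SELinux type with its own MCS category pair rather than as an unconfined process. The sample `ps` output is constructed, and the svirt_t type name and the `ps -eZ` column layout are assumptions about the host.

```shell
#!/bin/sh
# Constructed sample of `ps -eZ` output (LABEL PID TTY TIME CMD).
# Two VMs are correctly confined by sVirt with distinct MCS categories;
# one VM process runs unconfined, which defeats per-VM isolation.
SAMPLE_PS='system_u:system_r:svirt_t:s0:c12,c47    4021 ?  00:00:12 qemu-system-x86
system_u:system_r:svirt_t:s0:c88,c203   4102 ?  00:00:09 qemu-system-x86
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 5010 ?  00:00:01 qemu-system-x86
system_u:system_r:virtd_t:s0-s0:c0.c1023   1200 ?  00:00:30 libvirtd'

# check_svirt_confinement: reads `ps -eZ` lines on stdin, prints one
# "PID STATUS" line per qemu process, and returns 0 only when every VM
# process is svirt_t-confined with a unique MCS category set.
check_svirt_confinement() {
    awk '
        $NF ~ /^qemu/ {
            split($1, ctx, ":")     # user:role:type:sensitivity:categories
            type = ctx[3]
            mcs  = ctx[5]           # e.g. "c12,c47"; "c0.c1023" is a full range
            pid  = $2
            if (type != "svirt_t" || mcs == "" || mcs ~ /\./) {
                print pid " UNCONFINED"; bad++
            } else if (mcs in seen) {
                print pid " DUPLICATE_MCS " mcs; bad++   # two VMs share a label
            } else {
                seen[mcs] = pid
                print pid " CONFINED " mcs
            }
        }
        END { exit bad ? 1 : 0 }
    '
}

# check_sample: runs the audit over the constructed sample.
# On a real host use:  ps -eZ | check_svirt_confinement
check_sample() {
    printf '%s\n' "$SAMPLE_PS" | check_svirt_confinement
}
```

A non-zero exit identifies VM processes that escaped sVirt's dynamic labelling, which is the condition this mitigation is intended to prevent.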

In an embedded systems context, the configuration of the hypervisor and guest VMs is likely to be relatively static with no need to dynamically stop, start, or alter the configurations of VMs during runtime. In that case the hypervisor software and its configurations could be stored in immutable memory to the extent possible and only allowed to be changed as a result of the device’s secure update mechanism.

Hypervisor software and data should also be integrated into the secure boot process to ensure their integrity before the device starts, as described in MID-002 - Hardware-backed Bootloader Authentication. This can be done by placing bootloader-time integrity checks over the hypervisor image to ensure that the hypervisor code is safe to run according to factory or user-defined signatures.

IEC 62443 4-2 Mappings

  • CR 7.7 – Least functionality

  • CR 2.1 – Authorization enforcement (1) Authorization enforcement for all users (humans, software processes and devices)

References

[1] E. Kou. “Virtualization for embedded industrial systems.” ti.com. Accessed: Aug. 28, 2024. [Online.] Available: https://www.ti.com/lit/wp/spry317b/spry317b.pdf

[2] BlackBerry. “What Is Virtualization for Embedded Systems?.” qnx.com. Accessed: Aug. 28, 2024. [Online.] Available: https://blackberry.qnx.com/en/ultimate-guides/embedded-system-security/virtualization-for-embedded-systems

[3] ARM. “Secure virtualization.” arm.com. Accessed: Aug. 28, 2024. [Online.] Available: https://developer.arm.com/documentation/102142/0100/Secure-virtualization

[4] RedHat. “Chapter 4. sVirt.” redhat.com. Accessed: Aug. 28, 2024. [Online.] Available: https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/7/html/virtualization_security_guide/chap-virtualization_security_guide-svirt