misc: Add threat model#7875
Conversation
DemiMarie
force-pushed
the
security
branch
2 times, most recently
from
d7a6534 to
86c0caf
Compare
alyssais
left a comment
alyssais
left a comment
There was a problem hiding this comment.
It is going to be fantastic to have this.
|
Who should be on the security team? What are the criteria for becoming a member of the security team? |
likebreath
left a comment
likebreath
left a comment
There was a problem hiding this comment.
@DemiMarie Thank you for driving this effort.
Overall, I think we should split this PR and focus on the threat model for now — supported configurations and advisory handling should be separate follow-up PRs.
My main feedback on the threat model is around organization. The goal is to make the document structured enough to be easy to follow today and easy to maintain as Cloud Hypervisor evolves — when a new component is added, it should be clear where it fits and what security properties it needs.
Currently, vulnerability outcomes (privilege escalation, DoS, info leaks), attack surfaces (disk images, PCI, network/storage), and trust boundaries (guest userspace, vhost-user) are intermixed, which makes the document harder to navigate than it needs to be. One approach would be:
- Trust boundaries — who is trusted and who isn't
- Attack surfaces — what can attackers interact with
- Security-relevant outcomes — what we consider a vulnerability (and not)
That said, this is just one option. Open to other ideas on how to best structure the threat model.
phip1611
left a comment
phip1611
left a comment
There was a problem hiding this comment.
I'm not very familiar with documents like this yet. However, it's probably a good idea to have one.
However, it's likely beneficial to have one in place. Thank you for your great work!
Left a few remarks
|
|
||
| ### Privilege escalation (VM escape) | ||
|
|
||
| Guest VMs running in Cloud Hypervisor are assumed untrusted. |
There was a problem hiding this comment.
very nit. line width seems to be pretty arbitrary here.
I personally limit all documents I write to a width of 80
| ### Denial of service | ||
|
|
||
| Cloud Hypervisor is a standalone executable, not a library, | ||
| and only runs one guest throughout the entire lifetime |
There was a problem hiding this comment.
nit
nly runs one guest throughout the entire lifetime
strictly speaking it runs 0..=1 guest at any time, depending on the configuration
DemiMarie
force-pushed
the
security
branch
2 times, most recently
from
bb6c5e2 to
197f148
Compare
rbradford
left a comment
rbradford
left a comment
There was a problem hiding this comment.
I'm a bit confused - it seems to just have a threat model file and no security policy? e.g. how to handle potential issues.
phip1611
left a comment
phip1611
left a comment
There was a problem hiding this comment.
I'm more of an implementation-focused engineer than an expert in specifications or formal documents, so please feel free to ignore my comments if they are not useful. I can see how such a document might be beneficial, but I don’t have a strong opinion either way since this is not really my area of expertise.
|
|
||
| Cloud Hypervisor cannot protect itself or the host from hardware | ||
| vulnerabilities. This is entirely the responsibility of the hardware, firmware, | ||
| and Linux kernel. If Linux is running under another hypervisor (using nested |
There was a problem hiding this comment.
| and Linux kernel. If Linux is running under another hypervisor (using nested | |
| and the Linux kernel. If Linux is running under another hypervisor (using nested |
| Cloud Hypervisor cannot protect itself or the host from hardware | ||
| vulnerabilities. This is entirely the responsibility of the hardware, firmware, | ||
| and Linux kernel. If Linux is running under another hypervisor (using nested | ||
| virtualization), it is also the responsibility of that hypervisor. |
There was a problem hiding this comment.
If Linux is running under another hypervisor it is also the responsibility of that hypervisor.
I'd rewrite this to be more general or omit the nesting part entirely. You ALWAYS depend on the broader runtime environment executing your code. May it be silicon/physical hardware, emulation, nested virtualization or a potential future quantum computer. Also you could run under a Linux-like kernel.
| and Linux kernel. If Linux is running under another hypervisor (using nested | ||
| virtualization), it is also the responsibility of that hypervisor. | ||
|
|
||
| Cloud Hypervisor assumes that Linux is configured to prevent the guest |
There was a problem hiding this comment.
Cloud Hypervisor assumes that Linux is configured to prevent the guest
from reading or writing to memory belonging to the kernel or other userspace
processes.
this sounds like its a typical pitfall to misconfigure your linux. Instead, I'd say the environment must follow common best practices for proper isolation.
|
This PR seems stuck? What's required to move forward with this? Is the scope too great? |
|
@rbradford It was blocked on the public disclosure of GHSA-f47p-p25q-83rh, as I want to include lessons learned from that. |
This adds a threat model and security policy based on the Xen Project Security Policy. Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
rbradford
left a comment
rbradford
left a comment
There was a problem hiding this comment.
Thank you for working on this!
|
|
||
| Cloud Hypervisor does not protect itself from malicious callers. | ||
| In particular, it is not safe to run Cloud Hypervisor SUID, SGID, | ||
| or with Linux capabilities attached to its executable file. |
There was a problem hiding this comment.
Well, I think our instructions tell our user to set CAP_NET_ADMIN to create the tap device.
| - An HTTP API. | ||
| - A D-Bus API. | ||
| - If backing files are enabled (they are disabled by default), | ||
| the name of the backing file of a qcow2 image. |
There was a problem hiding this comment.
It's not really controlled by this? Also if you're talking like that the guest can control the VMM via e.g. virtio-balloon having it punch holes, etc.
| the guest it is running. The guest may cause Cloud Hypervisor to crash | ||
| in a non-exploitable way, such as a Rust panic. Cloud Hypervisor assumes | ||
| that a guest doing this only hurts itself. | ||
|
|
There was a problem hiding this comment.
A situation where userspace code can cause this to happen is something that we do consider an issue.
There was a problem hiding this comment.
I will clarify that I mean guest kernel code.
| It is not safe to use a userspace driver for a device provided by Cloud | ||
| Hypervisor *except* on Arm64 with a virtio IOMMU. Even then, the | ||
| userspace driver can still cause Cloud Hypervisor (and thus the guest) | ||
| to crash. |
There was a problem hiding this comment.
I don't understand what this means?
There was a problem hiding this comment.
The PCI emulation code is buggy and bad accesses can cause panics.
| responsible for its contents and for filtering out false positives. As | ||
| an exception, reports from Miri, Valgrind, or sanitizers can generally | ||
| be assumed correct. |
|
|
||
| - Microsoft | ||
| - Crusoe | ||
| - Cyberus Technology |
There was a problem hiding this comment.
- Meta
- UbiCloud
Do we really need to list them here - seems it would get stale quickly?
|
Would someone like to take this over an reopen it? |
|
@rbradford me! |
7 participants
This adds a security policy based on the Xen Project Security Policy.