Virtual systems provide the benefit of running multiple systems on the same machine. One type of virtualization is process-based virtualization. In process-based virtualization, every virtual machine is instantiated within a regular process. One type of process-based virtualization is the kernel-based virtual machine (KVM) infrastructure utilized by Linux. Under KVM's model, each virtual machine (also known as a guest) is a regular Linux process scheduled by the standard Linux scheduler. A normal Linux process has two modes of execution: kernel and user. KVM adds a third mode, a guest mode that has its own kernel and user modes. In addition, KVM may utilize a library called “libvirt” that provides interaction with virtualization capabilities of the kernel.
However, a problem faced by process-based virtualization, including KVM, is that, due to consolidating different processes on the same physical hardware, each individual virtual machine (VM) becomes exposed to security threats from other virtual machines on the system. Previously, a user's system ran on its own separate physical hardware and as such was protected from attacks from other user systems operated outside of the physical hardware. Once consolidated in a virtualization environment, if a controlling entity breaks out of its virtualized system, the controlling entity could attack another VM running on the same server or machine and gain access to private data and other important resources of the other VM.
The current state of process-based virtualization provides minimal security between virtual machines (also known as guests). All guests are launched as the same user and with the same security class, and as such are not protected from each other. If a controlling entity of a guest were able to break out of its virtualization domain into the hypervisor via a kernel bug, the entity would be able to access the memory and resources of the other domains.
Protection currently exists between the host system and its guests via security labels that control access between running applications. The host is assigned a different label than its guests, and access between the host and guests is mediated as defined by the controlling security label policy in the kernel. However, the only security measure currently in place between guests in a process-based virtualization system is the ordinary memory protection offered by the underlying system. For instance, Security-Enhanced Linux (SELinux) enforces separation between host and guests by deploying controls that prevent a qemu process from attacking the host machine, but those controls do not prevent it from attacking other images on the host machine, or other qemu processes running other VMs. Therefore, a mechanism to protect virtual machines from one another in a process-based virtualization system would be beneficial.
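A check a host administrator can run to confirm the situation the passage describes, added here as an illustration rather than code from the original document: it parses a `ps -eZ`-style process listing, picks out the qemu guest processes, and reports any SELinux context shared by more than one guest. The listings below are constructed samples, not captured from a real host; the column layout and the `qemu` command-name prefix are assumptions.

```python
import re
from collections import defaultdict

# Constructed `ps -eZ`-style listing: every qemu guest process carries the
# identical SELinux context, which is the situation the text describes.
SAMPLE_SAME_LABEL = """\
LABEL                                    PID TTY      TIME CMD
system_u:system_r:init_t:s0                1 ?    00:00:03 systemd
system_u:system_r:virtd_t:s0-s0:c0.c1023 900 ?    00:00:01 libvirtd
system_u:system_r:qemu_t:s0             1201 ?    00:01:10 qemu-kvm
system_u:system_r:qemu_t:s0             1202 ?    00:00:58 qemu-kvm
system_u:system_r:qemu_t:s0             1203 ?    00:02:14 qemu-kvm
"""

# Constructed listing in which each guest carries its own context level.
SAMPLE_DISTINCT_LABEL = """\
LABEL                                    PID TTY      TIME CMD
system_u:system_r:qemu_t:s0:c10,c20     1201 ?    00:01:10 qemu-kvm
system_u:system_r:qemu_t:s0:c30,c40     1202 ?    00:00:58 qemu-kvm
"""

# Assumed column order of the listing: context, pid, tty, time, command.
LINE_RE = re.compile(r"^(?P<ctx>\S+)\s+(?P<pid>\d+)\s+\S+\s+\S+\s+(?P<cmd>.+)$")


def parse_ps_ez(text):
    """Return (pid, context, command) for each process line; the header is skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append((int(m.group("pid")), m.group("ctx"), m.group("cmd")))
    return rows


def guest_processes(rows, prefix="qemu"):
    """Guests are ordinary processes; pick them out by their command name."""
    return [r for r in rows if r[2].split()[0].startswith(prefix)]


def shared_guest_labels(text):
    """Map each context carried by more than one guest to the guest pids.

    A non-empty result means the kernel's label policy cannot tell those
    guests apart, so a guest that escaped to the host would hold the same
    label as its neighbours.
    """
    by_ctx = defaultdict(list)
    for pid, ctx, _cmd in guest_processes(parse_ps_ez(text)):
        by_ctx[ctx].append(pid)
    return {ctx: pids for ctx, pids in by_ctx.items() if len(pids) > 1}
```

On a live host, feed the function the output of `ps -eZ` instead of the constructed samples.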