Chapter 1 Oracle VM Server for SPARC Security Overview
Security Features Used by Oracle VM Server for SPARC
Oracle VM Server for SPARC Product Overview
Applying General Security Principles to Oracle VM Server for SPARC
Security in a Virtualized Environment
Securing the Execution Environment
Threat: Unintentional Misconfiguration
Countermeasure: Creating Operational Guidelines
Threat: Errors in the Architecture of the Virtual Environment
Countermeasure: Carefully Assigning Guests to Hardware Platforms
Countermeasure: Planning an Oracle VM Server for SPARC Domain Migration
Countermeasure: Correctly Configuring Virtual Connections
Countermeasure: Using VLAN Tagging
Countermeasure: Using Virtual Security Appliances
Threat: Side Effects of Sharing Resources
Evaluation: Side Effects Through Shared Resources
Countermeasure: Carefully Assigning Hardware Resources
Countermeasure: Carefully Assigning Shared Resources
Summary: Side Effects Through Shared Resources
Threat: Manipulation of the Execution Environment
Evaluation: Manipulation of the Execution Environment
Countermeasure: Securing Interactive Access Paths
Countermeasure: Minimizing the Oracle Solaris OS
Countermeasure: Hardening the Oracle Solaris OS
Countermeasure: Using Role Separation and Application Isolation
Countermeasure: Configuring a Dedicated Management Network
Threat: Complete System Denial-of-Service
Evaluation: Complete System Denial-of-Service
Countermeasure: Securing the ILOM
Threat: Breaking the Isolation
Evaluation: Breaking the Isolation
Threat: Control Domain Denial-of-Service
Evaluation: Control Domain Denial-of-Service
Countermeasure: Securing Console Access
Threat: Unauthorized Use of Configuration Utilities
Evaluation: Unauthorized Use of Configuration Utilities
Countermeasure: Applying the Two-Person Rule
Countermeasure: Using Rights for the Logical Domains Manager
Countermeasure: Hardening the Logical Domains Manager
Countermeasure: Auditing the Logical Domains Manager
Threat: Manipulation of a Service Domain
Evaluation: Manipulation of a Service Domain
Countermeasure: Granularly Segregating Service Domains
Countermeasure: Isolating Service Domains and Guest Domains
Countermeasure: Restricting Access to Virtual Consoles
Threat: Experiencing a Denial-of-Service of an I/O Domain or a Service Domain
Evaluation: Experiencing a Denial-of-Service of an I/O Domain or a Service Domain
Countermeasure: Granularly Configuring I/O Domains
Countermeasure: Configuring Redundant Hardware and Root Domains
Threat: Manipulation of an I/O Domain
Evaluation: Manipulation in an I/O Domain
Countermeasure: Protecting Virtual Disks
Countermeasure: Securing the Guest Domain OS
Chapter 2 Secure Installation and Configuration of Oracle VM Server for SPARC
The hypervisor is the firmware layer that implements and controls the virtualization of real hardware. The hypervisor includes the following components:
The hypervisor itself, which is implemented in firmware and supported by the system's CPUs.
Kernel modules that run in the control domain to configure the hypervisor.
Kernel modules and daemons that run in I/O domains and service domains to provide virtualized I/O, as well as the kernel modules that communicate by means of Logical Domain Channels (LDCs).
Kernel modules and device drivers that run in the guest domains to access virtualized I/O devices as well as the kernel modules that communicate by means of LDCs.
An attacker can hijack guest domains or the entire system by breaking out of the isolated runtime environment provided by the hypervisor. Potentially, this threat can cause the most severe damage to a system.
A modular system design can improve isolation by granting different levels of privileges to guest domains, the hypervisor, and the control domain. Each functional module is implemented in a separate and configurable kernel module, device driver, or daemon. This modularity requires clean APIs and simple communication protocols, reducing the overall risk of error.
Even if exploitation of an error seems unlikely, the potential damage can lead to the attacker controlling the entire system.
Even though you can download system firmware and OS patches directly from an Oracle web site, these patches can be manipulated. Before you install the software, verify the MD5 checksums of the software packages. Oracle publishes the checksums of all downloadable software.
Oracle VM Server for SPARC uses several drivers and kernel modules to implement the overall virtualization system. All kernel modules and most binaries that are distributed with the Oracle Solaris OS carry a digital signature. Use the elfsign utility to check the digital signature of each kernel module and driver. You can use the Oracle Solaris 11 pkg verify command to check the integrity of Oracle Solaris binaries. See https://blogs.oracle.com/cmt/entry/solaris_fingerprint_database_how_it.
First, you must establish the integrity of the elfsign utility itself. Use the basic audit and reporting tool (BART) to automate the digital signature verification process. Integrating BART and the Solaris Fingerprint Database in the Solaris 10 Operating System describes how to combine BART and the Solaris Fingerprint Database to perform similar integrity checks automatically. Although the fingerprint database has been discontinued, the concepts described in that document can be carried over to elfsign and BART in a similar manner.
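The following POSIX shell script is an added example, not code from this guide or from Oracle, that strings the checks described above together: it verifies a downloaded package against its published checksum, establishes trust in the elfsign binary by comparing it with a known-good digest before relying on its verdicts, runs elfsign verify over the kernel module trees, runs pkg verify, and uses a BART control manifest so that only files that changed since the baseline need to be re-checked. The commands digest(1), elfsign(1), pkg(1) and bart(1M) are invoked with their documented Solaris syntax; the value of ELFSIGN_KNOWN_MD5 is a placeholder to be filled in from trusted media, and /kernel and /platform are assumed as the directories holding the kernel modules. The command names are parameterised so the control logic can be exercised on a non-Solaris host with stand-in commands.

```shell
#!/bin/sh
# Added example (not Oracle's code): integrity checks for downloaded software
# and for the signed Solaris binaries that make up the virtualization stack.
# Command names are variables so the logic can be dry-run with stand-ins.
: "${ELFSIGN:=elfsign}"
: "${PKG:=pkg}"
: "${BART:=bart}"
# Placeholder: take the real value from trusted installation media, never from
# the system under test.
: "${ELFSIGN_KNOWN_MD5:=PLACEHOLDER-FILL-FROM-TRUSTED-MEDIA}"

# compute_digest FILE ALGO -> prints the lowercase hex digest (md5 or sha256).
# Uses digest(1) on Solaris and coreutils/openssl elsewhere.
compute_digest() {
    file=$1
    algo=$2
    {
        if [ "$(uname -s)" = SunOS ]; then
            digest -a "$algo" "$file"
        elif command -v "${algo}sum" >/dev/null 2>&1; then
            "${algo}sum" "$file" | cut -d' ' -f1
        else
            openssl dgst "-$algo" -r "$file" | cut -d' ' -f1
        fi
    } | tr 'A-Z' 'a-z'
}

# verify_checksum FILE ALGO EXPECTED -> 0 when the computed digest matches the
# published one (case-insensitive), 1 otherwise.
verify_checksum() {
    actual=$(compute_digest "$1" "$2")
    expected=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
    if [ "$actual" = "$expected" ]; then
        printf 'OK   %s (%s)\n' "$1" "$2"
        return 0
    fi
    printf 'FAIL %s: %s digest %s, expected %s\n' "$1" "$2" "$actual" "$expected" >&2
    return 1
}

# verify_signatures FILE... -> runs "elfsign verify -e" on every file, reports
# each file that fails, and returns 1 if any signature did not verify.
verify_signatures() {
    failures=0
    for f in "$@"; do
        if "$ELFSIGN" verify -e "$f" >/dev/null 2>&1; then
            printf 'signed   %s\n' "$f"
        else
            printf 'UNSIGNED %s\n' "$f" >&2
            failures=$((failures + 1))
        fi
    done
    [ "$failures" -eq 0 ]
}

# bart_baseline MANIFEST -> record a control manifest of the module trees
# (assumed locations) right after a verified installation.
bart_baseline() {
    "$BART" create -I /kernel /platform > "$1"
}

# bart_check CONTROL -> build a fresh manifest, compare it with the control
# manifest, and re-verify the signature of every file BART reports as changed.
bart_check() {
    test_manifest=$(mktemp)
    "$BART" create -I /kernel /platform > "$test_manifest"
    changed=$("$BART" compare "$1" "$test_manifest" | sed -n 's/^\(\/.*\):$/\1/p')
    rm -f "$test_manifest"
    [ -z "$changed" ] && { echo "no changes since baseline"; return 0; }
    echo "files changed since baseline, re-checking signatures:"
    verify_signatures $changed
}

# run_all -> the live sequence on a Solaris control domain.
run_all() {
    # 1. Trust the verifier before trusting its verdicts.
    verify_checksum /usr/bin/elfsign md5 "$ELFSIGN_KNOWN_MD5" || return 1
    # 2. Every kernel module must carry a valid signature.
    verify_signatures $(find /kernel /platform -type f) || return 1
    # 3. Package-level integrity of all installed packages (quiet: exit code only).
    "$PKG" verify -q || return 1
    # 4. Compare against the BART baseline taken at installation time.
    bart_check /var/adm/bart.control
}

if [ "${1:-}" = "--run" ]; then
    run_all
fi
```

Invoke the script as `sh verify_stack.sh --run` on the control domain after `bart_baseline /var/adm/bart.control` has been recorded on a freshly installed, verified system. A match against a published checksum only proves that the download equals what was published, so obtain the checksum over a channel independent of the download itself.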