Risker med virtualisering av IT-system

Authors:

  • Daniel Eidenskog
  • Martin Karresand

Publish date: 2017-08-16

Report number: FOI-R--4448--SE

Pages: 46

Written in: Swedish

Keywords:

  • Trustworthy IT systems
  • virtualization
  • virtual machine
  • IT security risk
  • vulnerability

Abstract

Virtualization of IT systems is a mature and wide-spread technology, used for large data centers as well as smaller systems. Virtualization provides several advantages for operations, but also incurs risks. This report gives an overview of virtualization, focusing on risks and vulnerabilites that may arise in virtualized environments. This report mainly covers so called system virtualization, where the virtual environment corresponds to a physical computer. The study is based on a literature study, collecting surveys on vulnerabilities in virtualization software. The objective of the study is to present vulnearabilites that have been reported in well-used virtualization software, with the intent to give an understanding of the risks brought by virtualization technology. Virtualized environments typically include all vulnerabilities that are present in the corresponding physical environments. Virtualization also adds software to the system in order to create the virtualized environment, uphold the separation between virtual machines, and present a suitable "hardware-like" interface to the virtual machines. The added software may contain vulnerabilities, which provide further attack surfaces. Examples of added risks when using virtualization include possible information leakage between virtual machines and that virtual machines may affect each other in undesirable ways. The risk that an attack renders more widespread consequences in a virtual environment is generally higher compared to systems built using physically separated machines. The risk may be acceptable in certain cases, considering the advantages provided by virtualization. In other cases, for example where the separation protects highly classified information, the risk is too high with today's virtualization techniques. Careful risk assesment is essential to ensure a suitable risk level when using virtualization.

Share page on social media