Xen Hypervisor Update Includes Key Security Upgrades
The Xen Project, a Linux Foundation collaborative project, has shipped a new release that includes mitigations for the Meltdown and Spectre cache side-channel attacks disclosed earlier in 2018, as well as new PVH-related functionality that further improves security by reducing the attack surface the hypervisor exposes to a hostile guest.
“The Xen Project community worked swiftly to address the security needs of Spectre and Meltdown and continued to match its goals in adding significant features to this release,” Lars Kurth, chairperson of the Xen Project Advisory Board, said. “The latest features in this release around PVH functionality bring better security, performance and management to the hypervisor.”
PVH combines the best parts of two earlier Xen guest types: PV, or paravirtualization, and HVM, or hardware-assisted virtualization. The idea of PVH, according to the Xen Project, is to simplify the interface between Xen-aware guest operating systems and the Xen hypervisor.
“PVH guests are lightweight HVM guests that use hardware virtualization support for memory and privileged instructions,” according to the group.
The latest version of the hypervisor is built to meet the long-term development goals of the project, which aims for less code; a smaller trusted computing base; less complexity; ease of maintenance; and better performance and scalability, project leaders say. To work toward those goals, version 4.11 has had many of its core technologies re-architected, including x86 support, device emulation and the boot sequence.
To mitigate the Meltdown and Spectre cache side-channel attacks, the latest version adds new defenses, including a performance-optimized XPTI (Xen page-table isolation), Xen's equivalent of the Linux kernel's page-table isolation (KPTI). Only "classic PV" guests need XPTI; HVM and PVH guests cannot attack the hypervisor via Meltdown, according to the project. In addition, a new branch-predictor hardening framework for x86 CPUs was added that uses the Spectre-related microcode features shipped by Intel and AMD.
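As an added example (not code from the article or from the Xen Project), the following Python script applies the distinction above to a running host: it reads the "Speculative mitigation facilities" block that Xen 4.11 prints at boot (visible with `xl dmesg`) and the guest inventory from `xl list -l`, then reports which guests are classic PV and therefore depend on XPTI being enabled for DomU, and which are HVM or PVH and do not. The exact log wording and the JSON field layout are assumptions modeled on Xen's output, and the sample inputs are constructed inline; adjust the regular expression and field names if your hypervisor's output differs.

```python
"""Check which Xen guests depend on XPTI and whether the hypervisor reports it on.

Added example: the log format and libxl JSON shape below are assumptions
modeled on Xen 4.11 output, not quoted from the article or the project.
"""
import json
import re

# Constructed sample of the boot-time block Xen 4.11 prints (see `xl dmesg`).
SAMPLE_XL_DMESG = """\
(XEN) Speculative mitigation facilities:
(XEN)   Hardware features: IBRS/IBPB STIBP
(XEN)   Compiled-in support: INDIRECT_THUNK
(XEN)   Xen settings: BTI-Thunk RETPOLINE, SPEC_CTRL: IBRS-, Other: IBPB
(XEN)   Support for VMs: PV: MSR_SPEC_CTRL RSB, HVM: MSR_SPEC_CTRL RSB
(XEN)   XPTI (64-bit PV only): Dom0 enabled, DomU enabled
"""

# Constructed, trimmed `xl list -l` output (libxl JSON); real output has far
# more fields, but only c_info.name and b_info.type are read here.
SAMPLE_XL_LIST = json.dumps([
    {"domid": 1, "config": {"c_info": {"name": "legacy-db"},
                            "b_info": {"type": "pv"}}},
    {"domid": 2, "config": {"c_info": {"name": "win-ad"},
                            "b_info": {"type": "hvm"}}},
    {"domid": 3, "config": {"c_info": {"name": "web-pvh"},
                            "b_info": {"type": "pvh"}}},
])

XPTI_RE = re.compile(r"XPTI \(64-bit PV only\): Dom0 (\w+), DomU (\w+)")


def parse_xpti(dmesg: str) -> dict:
    """Return {'dom0': bool, 'domu': bool} from the XPTI status line.

    An empty dict means the line was not found: either the hypervisor predates
    the mitigation or the ring buffer has wrapped, and the caller should treat
    XPTI as unconfirmed rather than assume it is on.
    """
    m = XPTI_RE.search(dmesg)
    if not m:
        return {}
    return {"dom0": m.group(1) == "enabled", "domu": m.group(2) == "enabled"}


def parse_guests(xl_list_json: str) -> list:
    """Return [(name, guest_type)] for every domain in `xl list -l` output."""
    guests = []
    for dom in json.loads(xl_list_json):
        cfg = dom["config"]
        guests.append((cfg["c_info"]["name"], cfg["b_info"]["type"]))
    return guests


def assess(dmesg: str, xl_list_json: str) -> dict:
    """Map each guest name to a verdict.

    Classic PV guests share the hypervisor's address space layout and need XPTI;
    HVM and PVH guests run under hardware virtualization and cannot use Meltdown
    against the hypervisor, so XPTI is irrelevant for them.
    """
    xpti = parse_xpti(dmesg)
    verdicts = {}
    for name, gtype in parse_guests(xl_list_json):
        if gtype == "pv":
            if xpti.get("domu"):
                verdicts[name] = "pv: protected by XPTI"
            else:
                verdicts[name] = "pv: EXPOSED, XPTI not confirmed enabled for DomU"
        elif gtype in ("hvm", "pvh"):
            verdicts[name] = f"{gtype}: XPTI not needed"
        else:
            verdicts[name] = f"{gtype}: unknown guest type, review manually"
    return verdicts


if __name__ == "__main__":
    # On a real host replace the samples with the output of
    # `xl dmesg` and `xl list -l` (e.g. via subprocess).
    for guest, verdict in assess(SAMPLE_XL_DMESG, SAMPLE_XL_LIST).items():
        print(f"{guest:12s} {verdict}")
```

The script deliberately treats a missing XPTI line as "not confirmed" rather than "enabled": after a hypervisor upgrade that is exactly the case an operator most wants flagged, and a PV guest on a host without XPTI is the one configuration the article identifies as still exposed to Meltdown.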
Also added to Xen 4.11 are scheduler optimizations; support for Intel Memory Bandwidth Allocation (MBA), which can throttle a noisy or misbehaving virtual machine's memory bandwidth; emulator enhancements; and guest resource mapping capabilities.
Dan Olds, an analyst with Gabriel Consulting Group, told Channel Futures that the new version of Xen includes improvements that will benefit channel partners and their customers.
“A big part of this update is mitigation against Meltdown and Spectre vulnerabilities arising from security holes in current and past CPUs,” he said. “A channel partner should be reaching out to their Xen-using customers and discussing how they can help them upgrade to this latest version of Xen and thus guard against any Spectre or Meltdown based attacks.”
Olds called the reduction of the Xen code base by 1 million lines in version 4.11 “outstanding,” adding that the code reduction “improves performance and, more importantly, reduces the attack surface available to an attacker.”
When talking to their customers, “partners should discuss how a Xen-based virtualization infrastructure can radically improve the utilization rate on the customer’s servers — meaning they get much more work done with their existing servers,” said Olds. “It’s like getting an upgrade without having to spend money on new boxes. With Xen, customers can set the systems up so that each application gets the compute resources they need to meet business goals, when they need it, without operator intervention.”
At the same time, channel partners should also talk with customers about Xen’s enhanced security features, emphasizing the fixes for Meltdown and Spectre, he said.
Another analyst, Gary Chen of IDC, said that while the security changes and updates are welcome, it will be about six months before the new Xen 4.11 code is distributed and used in commercial products that vendors make available to customers. Today it is available through the open-source community but has yet to be integrated into commercial products based on Xen.
The introduction of the PVH support is “really a security thing, reducing the attack surface and reducing the amount of code,” said Chen. “That’s a key for mitigating attacks like Spectre and Meltdown.”
With more than 10 million users, the Xen Project hypervisor powers some of the largest clouds in production today, run by companies such as Amazon Web Services, Tencent, Alibaba Cloud, Oracle Cloud and IBM SoftLayer, according to the organization. Xen also provides the base code for commercial virtualization products from Citrix, Huawei, Inspur and Oracle, and for security products from Qubes OS, A1Logic, Bitdefender, Star Lab’s Crucible Hypervisor, Zentific and Dornerwork’s Virtuosity. Xen Project software is licensed under the GPLv2, the same license as the Linux kernel.