Close
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cloud
    • Cloud

    Google Touts Security Measures for Its Open Source Hypervisor

    By
    Jaikumar Vijayan
    -
    January 27, 2017
    Share
    Facebook
    Twitter
    Linkedin
      Google Cloud Security 2

      Google has often touted the various management and security capabilities available with its cloud services as part of an ongoing campaign to convince businesses about the enterprise readiness of its hosted offerings.

      Continuing in that vein, the company this week offered some fresh details on the multiple security measures it has in place for hardening the open-source KVM (Kernel-based Virtual Machine) hypervisor at the core of its Compute Engine and Container Engine services.

      In a blog, Google’s technical lead manager Andy Honig and senior product manager Nelly Porter outlined seven high-level security controls that Google employs for protecting KVM. They include processes for reducing the attack surface of the hypervisor, code provenance measures for ensuring the integrity of the code running in KVM, controlled software releases and updates and a systematic process for discovering and patching vulnerabilities in the software.

      For example, to reduce attack surface on KVM, Google has limited the set of emulated instructions supported by the hypervisor and purged many unused components in it, including certain controllers and legacy drivers.

      Similarly, to ensure code provenance Google verifies the integrity of its code all the way from guest virtual machines used by customers to the hypervisor and down to the boot-loader using a custom binary and configuration verification system.

      The processes that Google employs to ensure the integrity of its code ensure that machines always boot to a known and previously verified good state, the two Google engineers asserted.

      One important measure that Google has taken to mitigate security risks with KVM is to develop and use its own user-space virtual machine monitor and hardware emulator in place of the open source Quick Emulator (QEMU).

      About two years ago, a bug in a virtual floppy disk controller in QEMU resulted in a critical vulnerability dubbed VENOM that gave attackers a way to take full administrative control of the underlying operating system that hosted guest machines in a virtual environment.

      The custom emulator that Google has developed is far less complex and simpler than QEMU because it is designed for a single architecture and a relatively small number of devices, Honig and Porter wrote.

      The in-house emulator does not support the large matrix of host and guest systems that QEMU does or its cross-architecture host and guest configurations. This makes the Google emulator easier to test and protect they said. “QEMU has a long track record of security bugs, such as VENOM, and it’s unclear what vulnerabilities may still be lurking in the code.”

      In addition to such measures, Google has also built a substantial set of fuzzing tools to look for vulnerabilities in KVM each time new features and capabilities are added. Google also uses a formal code review process each time it adopts a new version or a feature of KVM. The measures, according to Honig and Porter, have allowed Google to find and fix a total of nine vulnerabilities in KVM over the past three years.

      Over the same period, the open source community has found no vulnerabilities in the hypervisor that have impacted the Google Cloud platform, they added.

      Jaikumar Vijayan
      Vijayan is an award-winning independent journalist and tech content creation specialist covering data security and privacy, business intelligence, big data and data analytics.

      MOST POPULAR ARTICLES

      Big Data and Analytics

      Alteryx’s Suresh Vittal on the Democratization of...

      James Maguire - May 31, 2022 0
      I spoke with Suresh Vittal, Chief Product Officer at Alteryx, about the industry mega-shift toward making data analytics tools accessible to a company’s complete...
      Read more
      Cybersecurity

      Visa’s Michael Jabbara on Cybersecurity and Digital...

      James Maguire - May 17, 2022 0
      I spoke with Michael Jabbara, VP and Global Head of Fraud Services at Visa, about the cybersecurity technology used to ensure the safe transfer...
      Read more
      Applications

      Cisco’s Thimaya Subaiya on Customer Experience in...

      James Maguire - May 10, 2022 0
      I spoke with Thimaya Subaiya, SVP and GM of Global Customer Experience at Cisco, about the factors that create good customer experience – and...
      Read more
      Big Data and Analytics

      GoodData CEO Roman Stanek on Business Intelligence...

      James Maguire - May 4, 2022 0
      I spoke with Roman Stanek, CEO of GoodData, about business intelligence, data as a service, and the frustration that many executives have with data...
      Read more
      Cloud

      Yotascale CEO Asim Razzaq on Controlling Multicloud...

      James Maguire - May 5, 2022 0
      Asim Razzaq, CEO of Yotascale, provides guidance on understanding—and containing—the complex cost structure of multicloud computing. Among the topics we covered:  As you survey the...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2022 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×