Open-source hypervisors have emerged as an integral technology for virtualizing server resources in cloud and data center computing. The security efficiency of a hypervisor is determined by the strength of its virtual machine isolation, which is a de facto adoption factor in the selection process, as well as by its ability to withstand web attacks. This paper assesses the security performance of Proxmox VE and XenServer as type 1 hypervisors, and of Kernel Virtual Machine (KVM) and Oracle VirtualBox (OVB) as type 2 hypervisors. Security analysis was conducted using common exposures extracted from vulnerability databases and mapped against the OWASP 2013 and 2017 projects. For clarity, experiments were carried out on a testbed of prebuilt virtual machines, each hosting one hypervisor installed as an attack target. Kali Linux was configured in a separate virtual machine to run recursive penetration testing for information gathering, vulnerability detection, penetration attempts, and exploitation of weak spots. The infrastructure was set up in both homogeneous and heterogeneous execution environments, with a series of tests nested within each other. All four hypervisors are vulnerable in terms of physical kernel isolation, as unprivileged users can gain root access and launch guest-to-guest and host-to-guest attacks. Of the two, guest-to-guest attacks were found to be more common than host-to-guest attacks, indicating that virtual machine isolation is weaker than that of the underlying host. Type 1 hypervisors have a lower rate of host-to-guest attacks than guest-to-guest attacks, implying that XenServer and Proxmox VE provide better isolation than KVM and OVB due to the near-native speed, security, and efficiency of their virtual machines. All four hypervisors were found to be vulnerable to buffer overflow exploits and error-triggered sensitive information leaks, which were primarily caused by adopters' default misconfigurations during deployment rather than by software design flaws. This implies that greater effort is required of open-source adopters when shifting from physical to virtual computing.