Skip to content

Latest commit

 

History

History
63 lines (52 loc) · 4.99 KB

threat-modeling.md

File metadata and controls

63 lines (52 loc) · 4.99 KB

Threat Model Analysis for firecracker-microvm/firecracker

Threat: Host Kernel Vulnerability Exploitation

  • Description: An attacker within a guest microVM exploits a vulnerability in the host kernel. This allows them to escape the microVM boundary and gain control over the host operating system. The attacker might then install malware, steal sensitive data, or cause a denial of service.
  • Impact: Full host compromise, potential data breach across all microVMs on the host, denial of service affecting all microVMs and host services, lateral movement to other systems.
  • Firecracker Component Affected: Host Kernel (KVM subsystem, system call interface)
  • Risk Severity: Critical
  • Mitigation Strategies:
    • Regularly patch and update the host kernel.
    • Implement kernel hardening measures.
    • Minimize the host kernel attack surface.
    • Utilize a security-focused Linux distribution.

Threat: Firecracker VMM Vulnerability Exploitation

  • Description: An attacker within a guest microVM exploits a vulnerability in the Firecracker Virtual Machine Monitor (VMM) itself. This could be a bug in the VMM's code handling guest requests or resource management. Successful exploitation can lead to guest escape, denial of service of the VMM or host, or information disclosure.
  • Impact: Guest escape, host compromise, denial of service of Firecracker or the host, information disclosure from the host or other microVMs.
  • Firecracker Component Affected: Firecracker VMM (core VMM process, API handlers, device emulation code)
  • Risk Severity: High
  • Mitigation Strategies:
    • Keep Firecracker updated to the latest stable version.
    • Conduct regular security audits and penetration testing.
    • Follow Firecracker security best practices.
    • Report any discovered vulnerabilities to the Firecracker security team.

Threat: Guest Escape via KVM/Virtualization Subsystem

  • Description: An attacker exploits a vulnerability in the underlying KVM virtualization subsystem. This could involve bugs in KVM's core virtualization logic or memory management. Successful exploitation allows the attacker to bypass Firecracker's isolation and directly interact with the host system.
  • Impact: Guest escape, host compromise, denial of service, potential for data breaches.
  • Firecracker Component Affected: KVM Virtualization Subsystem (used by Firecracker)
  • Risk Severity: High
  • Mitigation Strategies:
    • Ensure KVM components are updated as part of host kernel updates.
    • Keep hardware firmware updated.
    • Properly configure and enable IOMMU/VT-d.

Threat: Insecure Firecracker API Access and Misconfiguration

  • Description: The Firecracker API, used to manage microVMs, is exposed without proper authentication or authorization, or is misconfigured. An attacker gaining network access to the API could manipulate microVMs, potentially leading to denial of service by shutting down VMs, data breaches by accessing VM resources, or even host compromise if API vulnerabilities are exploited.
  • Impact: Unauthorized VM control, denial of service (VM manipulation), data breaches (if API exposes sensitive data or allows access to VM resources), potential host compromise if API vulnerabilities are severe.
  • Firecracker Component Affected: Firecracker API (API server, API endpoints, authentication/authorization mechanisms)
  • Risk Severity: High
  • Mitigation Strategies:
    • Implement strong authentication and authorization for the Firecracker API.
    • Use TLS/HTTPS to encrypt all API communication.
    • Apply the principle of least privilege to API access.
    • Thoroughly validate all input to the Firecracker API.
    • Regularly audit API security configurations.
    • Restrict network access to the Firecracker API.

Threat: Supply Chain Compromise of Firecracker Binaries

  • Description: Malicious actors compromise the Firecracker binary distribution or its dependencies. Users downloading and using compromised binaries would then unknowingly deploy malware into their infrastructure.
  • Impact: Widespread compromise of systems using the compromised Firecracker version, potentially leading to data breaches, host compromise, and denial of service across many deployments.
  • Firecracker Component Affected: Firecracker Distribution Channels (GitHub releases, package repositories), Build System, Dependencies
  • Risk Severity: High
  • Mitigation Strategies:
    • Verify digital signatures of Firecracker binaries and packages.
    • Download Firecracker from official and trusted sources.
    • Regularly scan Firecracker dependencies for known vulnerabilities.
    • Consider building Firecracker from source and auditing the build process.