Skip to content

Latest commit

 

History

History
113 lines (100 loc) · 7.79 KB

mitigations.md

File metadata and controls

113 lines (100 loc) · 7.79 KB

Mitigation Strategies Analysis for firecracker-microvm/firecracker

Mitigation Strategy: Seccomp Filtering (System Call Filtering)

  • Mitigation Strategy: Restrict the system calls the Firecracker VMM process can make.
    • Description:
      1. Identify Allowed System Calls: Analyze the Firecracker source code and documentation (and potentially use strace) to determine the minimum set of system calls required for Firecracker's operation.
      2. Create Seccomp Profile: Create a JSON file that defines the seccomp-bpf filter. This file will specify a whitelist of allowed system calls and a default action (e.g., SCMP_ACT_ERRNO(EPERM)) for all other system calls.
      3. Apply Seccomp Filter: Use the --seccomp-filter option when launching Firecracker, providing the path to the JSON file.
      4. Test Extensively: Thoroughly test the application with the seccomp filter. Monitor for errors, adjusting the filter as needed.
      5. Regular Review: Periodically review the seccomp profile for updates and improvements.
    • Threats Mitigated:
      • VMM Exploits (Severity: High): Limits exploitation of vulnerabilities in the Firecracker VMM.
      • MicroVM Escape (Severity: Critical): Reduces the risk of VM escape by restricting VMM access to the host kernel.
    • Impact:
      • VMM Exploits: Significantly reduces the risk (High impact).
      • MicroVM Escape: Significantly reduces the risk (High impact).
    • Currently Implemented:
      • Example: Not implemented.
    • Missing Implementation:
      • Example: Create and apply a seccomp profile to all Firecracker instances.

Mitigation Strategy: Reduced Device Exposure

  • Mitigation Strategy: Minimize the number of devices exposed to the guest VM via Firecracker's configuration.
    • Description:
      1. Identify Essential Devices: Determine the absolute minimum devices needed (usually virtio-net and virtio-block).
      2. Configure Firecracker: When launching Firecracker, use command-line options or API calls to specify only the essential devices. Do not add unnecessary devices.
      3. Test: Thoroughly test the guest application.
    • Threats Mitigated:
      • Device Driver Exploits (Severity: High): Reduces exploitable device drivers within the guest.
      • MicroVM Escape (Severity: Critical): Limits the attack surface for escaping via device driver vulnerabilities.
    • Impact:
      • Device Driver Exploits: Significantly reduces the risk (High impact).
      • MicroVM Escape: Significantly reduces the risk (High impact).
    • Currently Implemented:
      • Example: Partially implemented. Only virtio-net and virtio-block are exposed, but further investigation is needed.
    • Missing Implementation:
      • Example: Review Firecracker configuration and startup scripts.

Mitigation Strategy: Regular Firecracker Updates

  • Mitigation Strategy: Keep Firecracker itself up-to-date.
    • Description:
      1. Subscribe to Notifications: Subscribe to the Firecracker security mailing list and vulnerability databases.
      2. Monitor for Updates: Regularly check for new Firecracker releases.
      3. Automated Updates (Ideal): Integrate Firecracker updates into your CI/CD pipeline.
      4. Manual Updates (If Necessary): Establish a process for manually updating Firecracker instances.
    • Threats Mitigated:
      • Known Vulnerabilities (Severity: Variable, often High or Critical): Protects against known Firecracker vulnerabilities.
    • Impact:
      • Known Vulnerabilities: Eliminates the risk from known, patched vulnerabilities (High impact).
    • Currently Implemented:
      • Example: Partially implemented. Manual checks are performed, but no automation.
    • Missing Implementation:
      • Example: Implement automated updates.

Mitigation Strategy: Resource Limits (via Firecracker's cgroup integration)

  • Mitigation Strategy: Limit resources available to each Firecracker instance using Firecracker's cgroup features.
    • Description:
      1. Define Resource Limits: Determine appropriate limits for CPU, memory, disk I/O, and network bandwidth.
      2. Configure cgroups (via Firecracker): Use Firecracker's built-in cgroup support (command-line options).
      3. Test and Monitor: Test with limits and monitor resource usage.
    • Threats Mitigated:
      • Denial of Service (DoS) (Severity: High): Prevents resource exhaustion impacting other VMs or the host.
      • Resource Exhaustion (Severity: Medium): Protects against resource exhaustion within a VM.
    • Impact:
      • Denial of Service (DoS): Significantly reduces the risk (High impact).
      • Resource Exhaustion: Significantly reduces the risk (High impact).
    • Currently Implemented:
      • Example: Basic memory limits via --memory-size. No limits on CPU, disk I/O, or network.
    • Missing Implementation:
      • Example: Implement comprehensive limits using cgroups for CPU, disk I/O, and network.

Mitigation Strategy: Disable Unnecessary Firecracker Features

  • Mitigation Strategy: Turn off unused Firecracker features directly through its configuration.
    • Description:
      1. Review Documentation: Review Firecracker documentation and command-line options.
      2. Identify Unused Features: Determine which features are not required (e.g., metrics, logging to a socket).
      3. Disable Features: Use command-line options or configuration to disable them.
      4. Test: Thoroughly test after disabling features.
    • Threats Mitigated:
      • Vulnerabilities in Unused Features (Severity: Variable): Reduces the attack surface.
    • Impact:
      • Vulnerabilities in Unused Features: Reduces the risk (Medium to High impact).
    • Currently Implemented:
      • Example: Metrics collection is disabled. Other features not reviewed.
    • Missing Implementation:
      • Example: Comprehensive review of all Firecracker features.

Mitigation Strategy: Jailer Usage (If Applicable - Direct Firecracker Tool)

  • Mitigation Strategy: Properly configure and use the jailer.
    • Description:
      1. Understand Jailer: Familiarize yourself with jailer.
      2. Configure Chroot: Define a minimal chroot environment.
      3. Configure Cgroups: Set resource limits (CPU, memory, etc.).
      4. Configure Namespaces: Use namespaces for isolation.
      5. Test Thoroughly: Test with jailer enabled.
      6. Regular Review: Periodically review the configuration.
    • Threats Mitigated:
      • VMM Exploits (Severity: High): Additional confinement for the VMM.
      • MicroVM Escape (Severity: Critical): Restricts VMM access to the host.
    • Impact:
      • VMM Exploits: Reduces the risk (Medium to High impact).
      • MicroVM Escape: Reduces the risk (Medium impact).
    • Currently Implemented:
      • Example: The jailer is not currently used.
    • Missing Implementation:
      • Example: Evaluate and potentially implement jailer.