threat-modeling.md

Threat Model Analysis for firecracker-microvm/firecracker

Threat: Threat: KVM Escape via CPU Vulnerability

• Description: An attacker in a guest VM exploits a vulnerability in the KVM hypervisor (e.g., a CPU flaw like Spectre, Meltdown, or a newly discovered KVM bug) to execute arbitrary code on the host system. The attacker crafts malicious input or code within the guest that triggers the vulnerability.
• Impact: Complete host system compromise. The attacker gains full control of the host, including access to all data, other VMs, and the ability to execute arbitrary commands.
• Firecracker Component Affected: KVM (Kernel-based Virtual Machine) – the underlying virtualization technology used by Firecracker. Specifically, the CPU virtualization extensions (Intel VT-x or AMD-V) and the KVM kernel module.
• Risk Severity: Critical
• Mitigation Strategies:
  • Host Kernel Updates: Immediately apply security patches to the host operating system's kernel. This is the primary defense against known KVM vulnerabilities.
  • Microcode Updates: Ensure the host CPU's microcode is up-to-date to mitigate CPU-level vulnerabilities.
  • Guest OS Hardening: Use a hardened guest OS with minimal attack surface.
  • Monitor for CVEs: Continuously monitor for CVEs related to KVM and the host CPU.

Threat: Threat: Virtio Device Escape (e.g., virtio-net)

• Description: An attacker in a guest VM exploits a vulnerability in the Firecracker implementation of a virtio device (e.g., virtio-net, virtio-blk, virtio-vsock). The attacker sends crafted network packets, block device requests, or vsock messages that trigger a bug in the device emulation code, leading to host code execution.
• Impact: Host system compromise. The attacker gains control of the host, similar to a KVM escape.
• Firecracker Component Affected: Specific virtio device implementations within Firecracker. For example, the net module (for virtio-net), the block module (for virtio-blk), or the vsock module.
• Risk Severity: Critical
• Mitigation Strategies:
  • Firecracker Updates: Apply security updates to Firecracker promptly. Virtio device vulnerabilities are often patched in Firecracker releases.
  • Minimize Device Usage: Only enable the virtio devices that are absolutely necessary. Disable unused devices.
  • Input Validation (Guest Side): If possible, implement input validation within the guest OS (defense-in-depth).
  • Rate Limiting (Network): For virtio-net, use Firecracker's rate limiting features.

Threat: Threat: Seccomp Filter Bypass

• Description: An attacker in a guest VM crafts a sequence of system calls that bypasses the intended restrictions of the Firecracker seccomp filter. This could be due to a logic flaw in the filter configuration or a vulnerability in the seccomp implementation itself.
• Impact: Increased attack surface on the host. The attacker gains access to system calls that should have been blocked, potentially enabling further exploitation. The severity depends on which system calls become available.
• Firecracker Component Affected: Firecracker's seccomp filter implementation and the specific seccomp profile used. This is primarily within the jailer process and the interaction with the libseccomp library.
• Risk Severity: High (potentially Critical if the bypass allows critical system calls)
• Mitigation Strategies:
  • Strict Seccomp Profiles: Use the most restrictive seccomp profile possible.
  • Regular Profile Review: Regularly review and audit the seccomp profile.
  • Testing: Thoroughly test the seccomp profile.
  • Firecracker Updates: Keep Firecracker updated.

Threat: Threat: Resource Exhaustion (CPU/Memory)

• Description: A malicious guest VM consumes all available CPU cycles or memory on the host, causing a denial-of-service (DoS) condition for other VMs and potentially the host itself.
• Impact: Denial of service for other VMs and potentially the host.
• Firecracker Component Affected: Firecracker's resource management features (cgroups integration). Specifically, the configuration of CPU and memory limits for each microVM.
• Risk Severity: High
• Mitigation Strategies:
  • Strict Resource Limits: Configure strict CPU and memory limits for each Firecracker microVM using the API.
  • Monitoring and Alerting: Implement monitoring to track CPU and memory usage.
  • Automatic Remediation: Consider automatically terminating or throttling VMs that exceed their limits.

Threat: Threat: Network DoS via virtio-net

• Description: A malicious guest VM floods the network, consuming all available bandwidth and preventing other VMs or the host from communicating effectively.
• Impact: Denial of service for network communication.
• Firecracker Component Affected: virtio-net device implementation and Firecracker's network configuration.
• Risk Severity: High
• Mitigation Strategies:
  • Rate Limiting: Use Firecracker's built-in rate limiting features for virtio-net.
  • Network Segmentation: If possible, isolate VMs on separate networks.
  • External Firewall: Use a firewall on the host or network.

Threat: Threat: Jailer Configuration Error (Chroot Escape)

• Description: A misconfiguration in the Firecracker jailer allows a process within the microVM to escape the chroot environment and access files or resources on the host filesystem.
• Impact: Potential host file system access. The severity depends on what files become accessible.
• Firecracker Component Affected: The jailer process and its configuration. Specifically, the chroot directory setup, UID/GID mapping, and cgroup settings.
• Risk Severity: High
• Mitigation Strategies:
  • Minimal Chroot: Ensure the chroot directory contains only the absolutely necessary files and directories.
  • Correct Permissions: Set appropriate file permissions within the chroot.
  • UID/GID Mapping: Carefully configure UID/GID mapping.
  • Jailer Updates: Keep the jailer (and Firecracker) updated.
  • Regular Audits: Regularly audit the jailer configuration.