Assessment of Web Security Vulnerabilities for Common Open Source Virtualization Software

Authors

DOI:

https://doi.org/10.52339/tjet.v43i2.925

Keywords:

Virtualization, Open Source, Web Security Vulnerability, Hypervisor, Virtual Machine

Abstract

Open-source hypervisors have emerged as an integral technology for virtualizing server resources in cloud and data center computing. Hypervisor security efficiency is determined by virtual machine isolation, which is a de facto adoption factor in the selection process, as well as its ability to respond to web attacks. This paper assesses the security performance of Proxmox VE and XenServer for type 1 hypervisors, and Kernel Virtual Machine and Oracle Virtual Box for type 2 hypervisors. Security analysis was conducted using common exposures extracted from vulnerability databases and mapped against the OWASP 2013 and 2017 projects. For clarity, experiments were carried out on a testbed with prebuilt virtual machines, each hosting one hypervisor installed as an attack target. Kali Linux was configured in one virtual machine to run recursive penetration testing for information gathering, vulnerability detection, penetration attempts, and exploitation of weak spots. The infrastructure was set in both homogeneous and heterogeneous execution environments, with a series of tests nested with each other. All four hypervisors are vulnerable to physical kernel isolation, as unprivileged users can gain root access and launch guest-to-guest and host-to-guest attacks. Among the two, guest-to-guest attacks were found to be more common than host-to-guest attacks, indicating that virtual machine isolation is weaker than the underlying host. Type 1 hypervisors have a lower rate of host-to-guest attacks than guest to-guest attacks, implying that XenServer and Proxmox VE provide better isolation than KVM and OVB due to the near-native speed, security, and efficiency of their virtual machines. All four hypervisors were found to be vulnerable to buffer overflow exploits and error-triggering sensitive information leaks, which were primarily caused by adopter default misconfigurations in the deployment process rather than software design flaws. This implies that greater efforts are required by open-source adopters when shifting from physical to virtual computing.

Downloads

Download data is not yet available.

Additional Files

Published

2024-08-31

How to Cite

Ally, S. (2024). Assessment of Web Security Vulnerabilities for Common Open Source Virtualization Software . Tanzania Journal of Engineering and Technology, 43(2), 92-107. https://doi.org/10.52339/tjet.v43i2.925
Abstract viewed = 35 times