Google’s KVM hypervisor uses multiple security and isolation layers



To take on Amazon Web Services and Microsoft Azure, Google Cloud is now touted to have multiple security and isolation layers. The cloud platform uses an open source KVM (kernel-based virtual machine) hypervisor that is claimed to secure and isolate the stored data.

In a blog post, the cloud-dedicated team at Google defines various security measures that are designed to harden the security of the KVM hypervisor. The team leverages open source solutions to enhance its developments and contributes back to the KVM project with its changes.

“Google Cloud uses the open source KVM hypervisor that has been validated by scores of researchers as the foundation of Google Compute Engine and Google Container Engine and invests in additional security hardening and protection based on our research and testing experience. Then we contribute back our changes to the KVM project, benefiting the overall open source community,” Google’s technical lead manager Andy Honig and senior product manager Nelly Porter write in the post.

The first and the foremost tweak that Google uses to make its KVM robust is the number security and isolation layers. Also, there are processes to reduce the attack surface of the hypervisor by removing unused components such as a legacy mouse driver and interrupt controllers.

Google is not using Quick Emulator (QEMU) and instead developed its own user-space virtual machine monitor. This new solution simplifies host and guest architecture support matrix. Also, the monitor offers a single architecture and is relatively for small devices. This reduces the complexity of QEMU.

“Google’s virtual machine monitor is composed of individual components with a strong emphasis on simplicity and testability,” the team said.

In addition to the in-house virtual machine monitor, Google has developed boot and jobs communication through a peer-to-peer cryptographic key sharing system. The system enables communication between jobs running on the host.

Google has also defined strict internal SLAs and processes to patch KVM in case any vulnerability surfaces. Honig and Porter claim that the Cloud developers patch non-KVM vulnerabilities are “rapidly patched” and even “notify customers” about updates. Additionally, there are stringent rollout policies and processes for KVM updates.


Please enter your comment!
Please enter your name here