Cybersecurity assessment and host hardening policies for virtualization technologies

In my thesis I selected and analyzed the virtualization technologies that are most widely utilized and created a set of host hardening policies for a Docker environment. The starting point was the research of the current state of the art of virtualization technologies that can were divided in three main categories, based on their implementation: type 1 hypervisors, type 2 hypervisors and OS virtualization. Based on the diffusion of the technologies in the automotive development and testing world we decided to analyze further two products, one classified as type 1 hypervisor since is the most common technology found in automotive embedded systems and one OS virtualization product that is very flexible and suitable for testing. This analysis was performed by studying the software in its technical details and core elements to obtain an accurate overview on how the virtualization mechanism is implemented. The products that were chosen were Xen Project Hypervisor and Docker representing type 1 hypervisors and OS virtualization respectively. These two software were then analyzed from the security point of view by performing a small scale risk assessment based on the 800-30 Nist document. Thanks to the assessment and publicly available technical documents a set of possible vulnerabilities were highlighted in both technologies, this led to the identification of some possible countermeasures to said vulnerabilities as general host hardening policies. Due to testing and hardware availability reasons Docker was the software chosen for practical examination and based on the general host hardening policies defined in the preceding step a set of specific host hardening rules were defined to be enforced in order to increase the security of the host system. The last step was the automatization of the verification process of said rules by developing a tool. The tool was developed in the Python language and its purpose is to create a readable report containing all the informations that can be collected from the system and present them to the user in order to highlight any possible misconfiguration or selected configuration option that could lead to security risks and at the same time to offer a possible solution to the highlighted problems.