ETSI GR NFV-SEC 009 V1.2.1 (2017-01)
Network Functions Virtualisation (NFV); NFV Security; Report on use cases and technical approaches for multi-layer host administration
RGR/NFV-SEC009ed121
ETSI GR NFV-SEC 009 V1.2.1 (2017-01)
GROUP REPORT
Network Functions Virtualisation (NFV);
NFV Security;
Report on use cases and technical approaches
for multi-layer host administration
Disclaimer
The present document has been produced and approved by the Network Functions Virtualisation (NFV) ETSI Industry
Specification Group (ISG) and represents the views of those members who participated in this ISG.
It does not necessarily represent the views of the entire ETSI membership.
Reference
RGR/NFV-SEC009ed121
Keywords
administration, regulation, security
ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE
Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16
Siret N° 348 623 562 00017 - NAF 742 C
Association à but non lucratif enregistrée à la
Sous-Préfecture de Grasse (06) N° 7803/88
Important notice
The present document can be downloaded from:
http://www.etsi.org/standards-search
The present document may be made available in electronic versions and/or in print. The content of any electronic and/or
print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any
existing or perceived difference in contents between such versions and/or in print, the only prevailing document is the
print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretariat.
Users of the present document should be aware that the document may be subject to revision or change of status.
Information on the current status of this and other ETSI documents is available at
https://portal.etsi.org/TB/ETSIDeliverableStatus.aspx
If you find errors in the present document, please send your comment to one of the following services:
https://portal.etsi.org/People/CommiteeSupportStaff.aspx
Copyright Notification
No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying
and microfilm except as authorized by written permission of ETSI.
The content of the PDF version shall not be modified without the written authorization of ETSI.
The copyright and the foregoing restriction extend to reproduction in all media.
© European Telecommunications Standards Institute 2017.
All rights reserved.
DECT™, PLUGTESTS™, UMTS™ and the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members.
3GPP™ and LTE™ are Trade Marks of ETSI registered for the benefit of its Members and
of the 3GPP Organizational Partners.
GSM® and the GSM logo are Trade Marks registered and owned by the GSM Association.
Contents
Intellectual Property Rights . 5
Foreword . 5
Modal verbs terminology . 5
Introduction . 5
1 Scope . 6
2 References . 6
2.1 Normative references . 6
2.2 Informative references . 6
3 Abbreviations . 7
4 Use cases for multi-layer administration . 9
4.0 Use cases - introduction . 9
4.1 Multi-tenant hosting . 9
4.2 Infrastructure as a service (IaaS) . 10
4.3 Security Sensitive Application Functions . 10
4.3.1 Introduction. 10
4.3.2 Applicability of security requirements in the context of Sensitive Application Functions . 11
4.3.3 Notes on the technologies and measures in the context of Sensitive Application Functions . 12
4.4 Security Network Monitoring & Control Functions . 12
4.4.1 Introduction. 12
4.4.2 Applicability of security requirements in the context of Network Monitoring & Control Functions . 13
4.4.3 Notes on the technologies and measures in the context of Network Monitoring & Control Functions . 14
4.5 Lawful Interception . 14
4.5.1 Introduction and baseline references. 14
4.5.2 Applicability of security requirements in the context of Lawful Interception . 15
4.5.3 Notes on the technologies and measures in the context of Lawful Interception . 16
4.6 Retained Data . 16
4.6.1 Introduction and baseline references. 16
4.6.2 Applicability of security requirements in the context of RD Storage and Query . 17
4.6.3 Notes on the technologies and measures in the context of RD Storage and Query . 18
4.7 Personally Identifiable Information protection . 18
4.7.1 Introduction. 18
4.7.2 Applicability of security requirements in the context of PII protection . 18
5 Security requirements . 19
5.0 Void . 19
5.0.1 Overview . 19
5.0.2 Prevention versus remediation . 20
5.0.3 Channels for assertions by the hosting service . 20
5.0.4 The value of assertions . 21
5.0.5 Use cases to requirements mapping . 21
5.1 Requirements - hosting service . 22
5.1.1 Capability assertion and attestation at boot-time . 22
5.1.2 Capability assertion and attestation at run-time . 22
5.1.3 Assert secure provision of hosted application . 23
5.1.4 Assert own system integrity at boot . 23
5.1.5 Assert continued integrity of own system at run-time . 23
5.1.6 Location assertion . 24
5.2 Requirements - hosted application . 24
5.2.1 Confidentiality of data . 24
5.2.2 Confidentiality of data-related metadata . 24
5.2.3 Confidentiality of processes . 24
5.2.4 Confidentiality of process-related metadata. 24
5.2.5 Concealment of resource usage . 24
5.2.6 Secure communications . 25
5.2.7 Secure storage . 25
5.2.8 Secure clean-up . 26
5.2.9 Secure routing/switching . 26
5.2.10 Assurance of compliance by hosting service . 26
5.2.11 Availability of entropy source . 26
5.3 Requirements - other components . 27
5.3.0 Introduction. 27
5.3.1 Secure routing/switching . 27
5.3.2 Workload placement policy and operation security . 27
5.3.3 Availability of an attestation authority. 28
6 Available technologies and measures . 28
6.0 Introduction . 28
6.1 Memory inspection . 28
6.1.0 Introduction. 28
6.1.1 Memory inspection as an attack vector . 29
6.1.2 Memory inspection as a security enabler . 29
6.2 Secure logging . 29
6.3 OS-level access control . 30
6.4 Post-incident analysis . 30
6.5 Physical controls and alarms . 30
6.6 Personnel controls and checks . 31
6.7 Logical authentication controls . 31
6.8 Read-only partitions . 32
6.9 Write-only partitions . 32
6.10 Policies for workload placement . 32
6.11 Communications Security . 33
6.12 Measured boot . 33
6.13 Secured boot . 33
6.14 Concealed resource usage. 34
6.15 Attestation . 34
6.16 Hardware-mediated execution enclaves . 34
6.17 Trusted Platform Module (TPM) . 35
6.17.0 Introduction. 35
6.17.1 Shared TPM . 35
6.17.2 Virtual TPM . 36
6.18 Self-encrypting drives/storage . 36
6.19 Direct Memory Access to hardware resources . 37
6.20 Hardware Security Modules . 37
6.21 Software integrity protection and verification . 37
7 Technical approaches to multi-layer administration . 38
7.0 Introduction . 38
7.1 Approaches to address specific requirements . 38
7.2 Generic approaches . 39
7.2.0 Basic comparison . 39
7.2.1 Single, restricted hosts . 40
7.2.2 Pooled, restricted hosts . 42
7.2.2.0 General case . 42
7.2.2.1 Type 1 - no resource concealment . 43
7.2.2.2 Type 2 - resource concealment . 44
7.2.3 Pooled, unrestricted hosts . 47
8 Roadmap to secure-execution hosts . 49
8.0 Applicability of secure-execution hosts . 49
8.1 Moving to single, restricted hosts . 49
8.2 Moving to pooled, restricted hosts . 50
8.3 Moving to pooled, unrestricted hosts . 50
History . 51
Intellectual Property Rights
IPRs essential or potentially essential to the present document may have been declared to ETSI. The information
pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found
in ETSI SR 000 314: "Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in
respect of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web
server (https://ipr.etsi.org/).
Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee
can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web
server) which are, or may be, or may become, essential to the present document.
Foreword
This Group Report (GR) has been produced by ETSI Industry Specification Group (ISG) Network Functions
Virtualisation (NFV).
Modal verbs terminology
In the present document "should", "should not", "may", "need not", "will", "will not", "can" and "cannot" are to be
interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expression of provisions).
"must" and "must not" are NOT allowed in ETSI deliverables except when used in direct citation.
Introduction
The Security Problem Statement, ETSI GS NFV-SEC 001 [i.1] identifies an issue with multi-layer administration for
NFV. Multi-layer administration seeks to provide methods, capabilities, procedures and assurances that safeguard
Virtual Machines or Containers running on a virtualisation host from interference. The specific problem is that any user
or process with root access to the hosting service can normally view and change the memory and processes of any
hosted application. This is due to the fact that in the default administrative configuration for the majority of host-based
virtualisation systems - whether using hypervisors or Containers - any process or administrator operating at the "base"
level has access to the memory of all applications - including VMs and Containers - running on that host. The term
inspection is often used to refer to the ability for processes to directly interact with system memory. Further detail is
provided in clause 6.1.1.
Although this configuration is generally acceptable when the hosted applications and the hosting service operate in the
same trust domain, or when the hosted applications are in the same trust context and a subordinate trust domain to the
hosting service, there are a number of use cases where the trust relationship from the hosted application to the hosting
service does not conform to this model. In these cases, the hosted application may wish to protect a set of its resources
from the hosting service.
Note that there are also attacks in the opposite direction: from the hosted application against the hosting service. While
serious, these are well understood issues and most hosting services already track vulnerabilities in this context and
provide defensive measures against these types of attacks. Another type of attack is from one hosted application against
another hosted application on the same hosting service. Neither of these "top-down" attacks is considered explicitly in
the present document; however, some of the methods and techniques presented here will reduce the incidence of such
attacks (e.g. hardware mediated secure enclaves). The focus of the present document, then, is on securing hosted
applications against attacks by the hosting service, as well as limiting undesired visibility.
Note that multi-layer administration in the context of NFV should not be confused with the similar term "Multi-Layer
Security" (MLS), though certain concepts relevant to MLS may be relevant or referenced in the present document.
1 Scope
The present document addresses multi-layer administration use cases and technical approaches, an issue identified in
the Security Problem Statement, ETSI GS NFV-SEC 001 [i.1]. Multi-layer administration seeks to provide methods,
capabilities, procedures and assurances - of various strengths based on requirements and available technologies and
techniques - that safeguard Virtual Machines or Containers running on a virtualisation host ("hosted applications") -
from interference (of various types) by the host system or platform ("hosting service").
The scope of the present document is generally the system comprising the hosting service, associated hardware
(including TPM, GPU, etc.), software and configuration, and the hosted application. Some requirements and measures
outside this context are also considered, but not necessarily in equal depth.
2 References
2.1 Normative references
Normative references are not applicable in the present document.
2.2 Informative references
References are either specific (identified by date of publication and/or edition number or version number) or
non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the
referenced document (including any amendments) applies.
NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee
their long term validity.
The following referenced documents are not necessary for the application of the present document but they assist the
user with regard to a particular subject area.
[i.1] ETSI GS NFV-SEC 001: "Network Functions Virtualisation (NFV); NFV Security; Problem
Statement".
[i.2] ETSI GS NFV-SEC 003: "Network Functions Virtualisation (NFV); NFV Security; Security and
Trust Guidance".
[i.3] ETSI TR 103 331: "CYBER; Structured threat information sharing".
[i.4] ETSI TS 102 232: "Lawful Interception (LI); Handover Interface and Service-Specific Details
(SSD) for IP delivery".
[i.5] ETSI TS 101 331: "Lawful Interception (LI); Requirements of Law Enforcement Agencies".
[i.6] ETSI TS 102 656: "Lawful Interception (LI); Retained Data; Requirements of Law Enforcement
Agencies for handling Retained Data".
[i.7] ETSI TS 102 657: "Lawful Interception (LI); Retained data handling; Handover interface for the
request and delivery of retained data".
[i.8] ETSI DGS/NFV-SEC007: "Network Function Virtualisation (NFV); Trust; Report on Attestation
Technologies and Practices for Secure Deployments".
[i.9] NIST Special Publication 800-122: "Guide to Protecting the Confidentiality of Personally
Identifiable Information (PII)".
NOTE: Available at https://doi.org/10.6028/NIST.SP.800-122.
[i.10] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the
protection of individuals with regard to the processing of personal data and on the free movement
of such data.
NOTE: Available at http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:EN:HTML.
[i.11] TCG PC: "Client Specific Implementation Specification for Conventional BIOS - Specification
Version 1.21 Errata".
[i.12] ETSI GS NFV-SEC 004: "Network Functions Virtualisation (NFV); NFV Security; Privacy and
Regulation; Report on Lawful Interception Implications".
[i.13] Forensics Whitepapers.
NOTE: https://digital-forensics.sans.org/community/whitepapers.
[i.14] TCG: "Trusted Platform Module Library Specification, Family 2.0".
NOTE: http://www.trustedcomputinggroup.org/resources/tpm_library_specification.
[i.15] TCG: "TSS TAB and Resource Manager Specification".
NOTE: http://www.trustedcomputinggroup.org/resources/tss_tab_and_resource_manager.
[i.16] NIST FIPS 140-2: "Security Requirements for Cryptographic Modules".
NOTE: http://csrc.nist.gov/groups/STM/cmvp/standards.html.
[i.17] TCG: "Virtualized Trusted Platform Architecture Specification".
NOTE: http://www.trustedcomputinggroup.org/resources/virtualized_trusted_platform_architecture_specification.
[i.18] ETSI DGS/NFV-SEC010: "Network Functions Virtualisation (NFV); NFV Security; Report on
Retained Data problem statement and requirements".
[i.19] ETSI GS NFV 001: "Network Functions Virtualisation (NFV); Use Cases".
3 Abbreviations
For the purposes of the present document, the following abbreviations apply:
AAA Authentication, Authorisation & Auditing
ADMF Administrative Function (for Lawful Interception)
API Application Programming Interface
AUC AUthentication Centre
BIOS Basic Input/Output System
BMSC Broadcast-Multicast Service Centre
BRAS Broadband Remote Access Server
CSCF Call Session Control Function
CIA Confidentiality, Integrity and Availability
CPU Central Processing Unit
CRTM Core Root of Trust for Measurement
CS Circuit Switched
CSCF Call Session Control Function
CSP Cloud Service Provider
DMA Direct Memory Access
DSLAM Digital Subscriber Line Access Multiplexer
EMS Element Management System
FIPS Federal Information Processing Standards
GGSN Gateway GPRS support node
GMSC Gateway Mobile Switching Centre
GPRS General Packet Radio Service
GPU Graphics Processing Unit
GW Gateway
HLR Home Location Register
HSM Hardware Security Module
HSS Home Subscriber Server
HW Hardware
I/O Input/Output
IaaS Infrastructure as a Service
KVM KVM hypervisor software
LBA Logical Block Array(s)
LEA Law Enforcement Agency
LI Lawful Interception
LTE Long Term Evolution
MAC Modify, Access, Create
MFRP Multimedia Resource Function Processor
MLS Multi-Layer Security
...