[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [MirageOS-devel] TLS on Xen write-up





On Wed, Jan 21, 2015 at 11:07 AM, Thomas Leonard <talex5@xxxxxxxxx> wrote:
I've now got my file queue REST service working with TLS on
Mirage/Xen, and I've put up my notes on the process here:

 http://roscidus.com/blog/blog/2015/01/21/securing-the-unikernel/

Let me know if you spot any flaws in the scheme! It would be good to
have some of our security guys check I'm doing sane things.

Very interesting post!

Regarding checking that your components aren't 'accidentally' accessing the raw block device: I'm sure you're right that linking the unikernel for Unix would smoke out any references to the raw Xen blkfront. It might get a bit harder in future when blkfront itself has been functorised and can be linked anywhere, but perhaps this is where a bit of dead code analysis comes in -- we already want to remove unused functions to shrink binary size but perhaps we could check that certain functions/modules/functors have been removed to prove a security property?

Cheers,
Dave

I think it would be useful to provide some standard advice to people
on providing secure services, once we've figured it out ourselves...Â


--
Dr Thomas Leonard    http://0install.net/
GPG: 9242 9807 C985 3C07 44A6Â 8B9A AE07 8280 59A5 3CC1
GPG: DA98 25AE CAD0 8975 7CDAÂ BD8E 0713 3F96 CA74 D8BA

_______________________________________________
MirageOS-devel mailing list
MirageOS-devel@xxxxxxxxxxxxxxxxxxxx
http://lists.xenproject.org/cgi-bin/mailman/listinfo/mirageos-devel



--
Dave Scott
_______________________________________________
MirageOS-devel mailing list
MirageOS-devel@xxxxxxxxxxxxxxxxxxxx
http://lists.xenproject.org/cgi-bin/mailman/listinfo/mirageos-devel

 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.