Xen project Mailing List

Re: [MirageOS-devel] TLS on Xen write-up

From: David Scott <scott.dj@xxxxxxxxx>

Date: Wed, 21 Jan 2015 11:38:39 +0000

Cc: "mirageos-devel@xxxxxxxxxxxxxxxxxxxx" <mirageos-devel@xxxxxxxxxxxxxxxxxxxx>

Delivery-date: Wed, 21 Jan 2015 11:38:46 +0000

List-id: Developer list for MirageOS <mirageos-devel.lists.xenproject.org>

On Wed, Jan 21, 2015 at 11:07 AM, Thomas Leonard <talex5@xxxxxxxxx> wrote:

I've now got my file queue REST service working with TLS on
Mirage/Xen, and I've put up my notes on the process here:

Â http://roscidus.com/blog/blog/2015/01/21/securing-the-unikernel/

Let me know if you spot any flaws in the scheme! It would be good to
have some of our security guys check I'm doing sane things.

Very interesting post!

Regarding checking that your components aren't 'accidentally' accessing the raw block device: I'm sure you're right that linking the unikernel for Unix would smoke out any references to the raw Xen blkfront. It might get a bit harder in future when blkfront itself has been functorised and can be linked anywhere, but perhaps this is where a bit of dead code analysis comes in -- we already want to remove unused functions to shrink binary size but perhaps we could check that certain functions/modules/functors have been removed to prove a security property?

Cheers,

Dave

I think it would be useful to provide some standard advice to people
on providing secure services, once we've figured it out ourselves...Â

--
Dr Thomas LeonardÂ Â Â Â http://0install.net/
GPG: 9242 9807 C985 3C07 44A6Â 8B9A AE07 8280 59A5 3CC1
GPG: DA98 25AE CAD0 8975 7CDAÂ BD8E 0713 3F96 CA74 D8BA

_______________________________________________
MirageOS-devel mailing list
MirageOS-devel@xxxxxxxxxxxxxxxxxxxx
http://lists.xenproject.org/cgi-bin/mailman/listinfo/mirageos-devel

Dave Scott

_______________________________________________ MirageOS-devel mailing list MirageOS-devel@xxxxxxxxxxxxxxxxxxxx http://lists.xenproject.org/cgi-bin/mailman/listinfo/mirageos-devel