
Re: [MirageOS-devel] TLS on Xen write-up

On 21 January 2015 at 11:38, David Scott <scott.dj@xxxxxxxxx> wrote:
> On Wed, Jan 21, 2015 at 11:07 AM, Thomas Leonard <talex5@xxxxxxxxx> wrote:
>> I've now got my file queue REST service working with TLS on
>> Mirage/Xen, and I've put up my notes on the process here:
>>   http://roscidus.com/blog/blog/2015/01/21/securing-the-unikernel/
>> Let me know if you spot any flaws in the scheme! It would be good to
>> have some of our security guys check I'm doing sane things.
> Very interesting post!
> Regarding checking that your components aren't 'accidentally' accessing the
> raw block device: I'm sure you're right that linking the unikernel for Unix
> would smoke out any references to the raw Xen blkfront. It might get a bit
> harder in future when blkfront itself has been functorised and can be linked
> anywhere, but perhaps this is where a bit of dead code analysis comes in --
> we already want to remove unused functions to shrink binary size but perhaps
> we could check that certain functions/modules/functors have been removed to
> prove a security property?

I don't think it's a problem if Xen blkfront is linked in, as long as
it can't be used to connect to an actual disk without further
authority being used. From a capability point of view, the "connect"
function is the problem here, because it turns a string (which
anything can create from nothing) into access to a disk.

The ambient authority it uses looks like Xs, Eventchn and Gntshr.
These modules all access the outside world without taking inputs
giving them such access, so ideally they would be flagged as "unsafe".
But a functorised version of blkfront that took them as arguments
would be fine.

Dr Thomas Leonard        http://0install.net/
GPG: 9242 9807 C985 3C07 44A6  8B9A AE07 8280 59A5 3CC1
GPG: DA98 25AE CAD0 8975 7CDA  BD8E 0713 3F96 CA74 D8BA
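The distinction drawn above (an ambient "string -> disk" connect versus a driver functorised over the modules that grant it authority) is easy to see in OCaml's module system. The following is a constructed example added here, not code from this thread or from MirageOS: all module names and signatures are hypothetical stand-ins for Xs, Eventchn and Gntshr and for blkfront, not the real mirage-block-xen interfaces, and the "disk" is an in-memory table.

```ocaml
(* Constructed example, not code from the thread or from MirageOS: it
   contrasts the ambient-authority "string -> disk" connect with a
   functorised driver that must be handed its authority explicitly.
   Every module name and signature here is a hypothetical stand-in for
   Xs, Eventchn and Gntshr, not the real mirage-block-xen interfaces. *)

(* The three sources of authority, as explicit interfaces. *)
module type XS = sig
  val read : string -> string            (* read a XenStore key *)
end

module type EVENTCHN = sig
  type t
  val bind : int -> t                    (* bind an event-channel port *)
end

module type GNTSHR = sig
  type grant
  val share : int -> grant               (* grant a page to another domain *)
end

(* What the rest of the unikernel is allowed to see: an already-connected
   device.  There is deliberately no 'connect' here, so holding a BLOCK
   gives access to one disk and nothing else. *)
module type BLOCK = sig
  type t
  val read  : t -> int64 -> string
  val write : t -> int64 -> string -> unit
end

(* Functorised driver.  It can only be instantiated by code that holds
   XS, EVENTCHN and GNTSHR values; 'connect' is the capability-amplifying
   step (string in, disk out) and stays confined to that code. *)
module Blkfront (Xs : XS) (Evt : EVENTCHN) (Gnt : GNTSHR) : sig
  include BLOCK
  val connect : string -> t
end = struct
  type t = {
    backend : string;
    port    : Evt.t;
    grant   : Gnt.grant;
    sectors : (int64, string) Hashtbl.t;   (* in-memory stand-in for the disk *)
  }

  let connect vbd_id =
    let backend = Xs.read ("device/vbd/" ^ vbd_id ^ "/backend") in
    { backend; port = Evt.bind 0; grant = Gnt.share 0; sectors = Hashtbl.create 16 }

  let read t sector =
    match Hashtbl.find_opt t.sectors sector with Some d -> d | None -> ""

  let write t sector data = Hashtbl.replace t.sectors sector data
end

(* Constructed in-memory stand-ins for the ambient modules.  In a real
   unikernel these are the modules that touch the outside world without
   being handed that access, i.e. the ones to flag as "unsafe". *)
module Fake_xs : XS = struct
  let read key = "backend-of:" ^ key
end
module Fake_evt : EVENTCHN = struct type t = int  let bind port = port end
module Fake_gnt : GNTSHR  = struct type grant = int  let share r = r end

(* The service component is parameterised over BLOCK only.  Even if
   Blkfront is linked into the same binary, this code has no way to call
   its connect: the functor argument's signature does not export it. *)
module Queue_service (B : BLOCK) = struct
  let enqueue dev slot job = B.write dev slot job
  let peek    dev slot     = B.read dev slot
end

(* Wiring happens once, in the trusted configuration layer (the role
   Mirage's generated main.ml plays); only this code names the unsafe
   modules.  "51712" is Xen's numbering for xvda (202 lsl 8). *)
let () =
  let module Disk = Blkfront (Fake_xs) (Fake_evt) (Fake_gnt) in
  let dev = Disk.connect "51712" in
  let module Q = Queue_service (Disk) in
  Q.enqueue dev 0L "job-1";
  print_endline (Q.peek dev 0L)
```

Run it with `ocaml example.ml`; it prints `job-1`. The security property rests on two things the example makes visible: `Queue_service` only ever receives a `BLOCK`, whose signature hides `connect`, and the only place that names the authority-granting modules is the wiring code at the bottom. That is exactly the point in the reply above: a linked-in blkfront is harmless as long as reaching a real disk still requires the caller to hold `Xs`, `Eventchn` and `Gntshr` values, and those modules are what a dead-code or "unsafe" check would need to look for outside the wiring layer.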

MirageOS-devel mailing list