
Re: [Xen-devel] possible packet sniffer between domains?

> In other words, bits of old packets are appearing in the pages along with 
> the new packet. 
> More interesting, the packets are ones that seem like they weren't 
> destined for my domain. 
> Is it possible, in a multiple-domain situation, for DOM N+1 to see bits of 
> packets for DOM N? Just wondering. 

Xen doesn't scrub the pages that a domain gives up when it decreases
its memory reservation. Frontend drivers are continually decreasing
their memory reservation (because it gets increased again when they
receive packets) -- so automatic scrubbing of whole pages would slay

This might be a security problem for some people -- currently the
pages that are returned to Xen could have previously been used for any
purpose (e.g., they could be pages containing contents of arbitrary
files, or arbitrary VM pages from any running application).

A simple way to improve security would be for the frontend driver to
allocate 'rx buffers' out of a dedicated slab cache. The constructor
for the cache would zero out pages when they enter the cache. This
would improve security because the /only/ thing that you may end up
giving back to Xen without scrubbing is the contents of network
packets. In most cases you will assume that network packets don't
contain unencrypted secrets since your network could be sniffed

Further tricks would be needed if you care about not leaking
network-packet contents to other domains. For example, I think
in-kernel IPsec will attempt to decrypt packets 'in situ'.

 -- Keir
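
The following is an added example, not part of the original message and not Xen or Linux code: a user-space C model of the dedicated rx-buffer cache suggested above, comparing what an unscrubbed page exposes when handed back with and without a zeroing constructor. The names `rx_ctor` and `simulate`, the single static page, and the marker bytes are all hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE 4096
#define SECRET 0xA5  /* constructed marker: earlier file/application data */
#define PACKET 0x11  /* constructed marker: received packet bytes */

/* Cache constructor: scrub a page once, when it enters the rx cache. */
static void rx_ctor(unsigned char *page) { memset(page, 0, PAGE_SIZE); }

/* Count the bytes in a page that carry the given marker. */
static size_t count(const unsigned char *page, unsigned char marker) {
    size_t n = 0;
    for (size_t i = 0; i < PAGE_SIZE; i++)
        if (page[i] == marker) n++;
    return n;
}

struct exposure { size_t secret_first, secret_second, packet_second; };

/* Model two unscrubbed hand-offs of one rx buffer page to the hypervisor.
 * dedicated != 0: the page lives in a dedicated cache with a zeroing ctor.
 * One buffer stands in for the page across both hand-offs. */
static struct exposure simulate(int dedicated, size_t pkt_len) {
    static unsigned char page[PAGE_SIZE];
    struct exposure e;
    if (pkt_len > PAGE_SIZE) pkt_len = PAGE_SIZE;

    memset(page, SECRET, PAGE_SIZE);       /* page last held unrelated data */
    if (dedicated) rx_ctor(page);          /* scrubbed on entering the cache */
    e.secret_first = count(page, SECRET);  /* first hand-off */

    memset(page, PACKET, pkt_len);         /* a packet lands in the buffer */
    /* The buffer is recycled; the ctor does not run again on reuse. */
    e.secret_second = count(page, SECRET); /* second hand-off */
    e.packet_second = count(page, PACKET);
    return e;
}

int main(void) {
    for (int d = 0; d <= 1; d++) {
        struct exposure e = simulate(d, 64);
        printf("dedicated=%d secret@1=%zu secret@2=%zu packet@2=%zu\n",
               d, e.secret_first, e.secret_second, e.packet_second);
    }
    return 0;
}
```

With the dedicated cache, the only non-zero bytes left in the page at hand-off are packet bytes, which is the residual exposure the message says needs further measures.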
