
Re: [Xen-devel] protecting xen startup



Luke Kenneth Casson Leighton wrote:
> perhaps i should explain: i am looking to use xen to implement
> a new level of paranoid security.
> i aim to run single applications, such as firefox and
> openoffice, in their own dedicated virtual machines, a
> localised file server in one (or more if i can get GFS or OCFS2
> to work) virtual machine(s), and for the applications to each
> connect to the xen master running an x-server [nomachine isn't
> quite suitable, i may have to write my own ssh-based x-proxy].

Do you mean running xserver in domain0? You had better set up a separate domain for it. But are you sure that such a setup will be usable and fast enough? I'm definitely interested in results, anyway.

> allowing a compromised guest OS to fire up another virtual
> machine, connect to the x-server and spoof "please enter your
> password" dialog boxes is therefore to be avoided!!!

If I'm not mistaken, you can start up new VMs only from domain0 or through the HTTP interface, so you can easily firewall all traffic inside domain0 to local port 8000 (except for 127.0.0.1/32).

j.
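
The firewalling suggested in the reply above, as an added example that is not part of the original message or of Xen itself: rules that leave port 8000 reachable only from 127.0.0.1/32, plus a check that a saved ruleset really enforces that. It assumes Linux iptables in domain0 (the message names no firewall tool); the names `MGMT_PORT`, `mgmt_rules` and `audit_ruleset` are hypothetical.

```shell
#!/bin/sh
# Added example. Assumption: Linux iptables in domain0; port 8000 is the
# HTTP interface port given in the message above.
MGMT_PORT=8000

# Print the two rules; review them, then pipe to "sh" as root to apply.
mgmt_rules() {
    echo "iptables -A INPUT -p tcp --dport $MGMT_PORT -s 127.0.0.1/32 -j ACCEPT"
    echo "iptables -A INPUT -p tcp --dport $MGMT_PORT -j DROP"
}

# Audit "iptables-save" text on stdin. Exit 0 only if a non-loopback packet
# to the port is dropped before any rule accepts it. Simplified model: it
# reads -s, -i, -p, --dport and -j only (no port ranges, negation or
# user-defined chains) and treats any non-loopback ACCEPT as exposure.
# Usage: iptables-save | audit_ruleset && echo "port restricted"
audit_ruleset() {
    awk -v port="$MGMT_PORT" '
        $1 == ":INPUT" { policy = $2 }            # default chain policy
        $1 == "-A" && $2 == "INPUT" && !decided {
            dport = src = iface = proto = target = ""
            for (i = 3; i < NF; i++) {
                if ($i == "--dport") dport  = $(i + 1)
                if ($i == "-s")      src    = $(i + 1)
                if ($i == "-i")      iface  = $(i + 1)
                if ($i == "-p")      proto  = $(i + 1)
                if ($i == "-j")      target = $(i + 1)
            }
            if (dport != "" && dport != port) next     # rule for another port
            if (proto != "" && proto != "tcp") next    # rule for another protocol
            if (iface == "lo" || src ~ /^127\./) next  # loopback-only rule
            if (target == "ACCEPT") {
                decided = 1; ok = 0                    # remote traffic accepted
            } else if ((target == "DROP" || target == "REJECT") && src == "") {
                decided = 1; ok = 1                    # all remote traffic refused
            }
        }
        END {
            # No deciding rule: the chain policy applies.
            if (!decided) ok = (policy == "DROP")
            exit (ok ? 0 : 1)
        }
    '
}
```
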



_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/xen-devel


 

