RE: [Xen-devel] address mapping between domains
On Tuesday, March 08, Rik van Riel wrote:
> On Tue, 8 Mar 2005, Ian Pratt wrote:
>
>> At the expense of protection, yes.
>
> Protection against mistakes, which can be mitigated by having the
> full physical memory map at a different address from where the
> kernel usually accesses its memory.
>
> I suspect we won't have to try protecting against a malicious
> domain 0 ;)

While domain 0 may not start out being malicious, all it takes is one remotely exploitable buffer overflow to make it so.

>> With sane DMA-capable hardware the driver domain never needs to
>> actually map the page into its address space anyhow. However, the
>> grant table stuff will still be required to enable us to configure
>> the IO MMU appropriately to allow the DMA (we expect to see such h/w
>> support become commonplace).
>
> True for some kinds of IO. Network IO needs sorting through
> packets, so no direct DMA will be done.

But if we generalize this to every I/O domain that owns a DMA device and provides access to it to other domains (for whatever reason) then it is easy to see how protection quickly deteriorates. And if we don't generalize it then we should ask why domain 0 should be special in this regard.

Perhaps a better way to tackle this is to understand what you feel the issues with grant tables and selective mappings are.

Joseph Cihula
(Linux) Software Security Architect
Intel Corp.

*** These opinions are not necessarily those of my employer ***