[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xense-devel] Re: [Xen-devel] ACM ternary ops?


  • To: Reiner Sailer <sailer@xxxxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxx, xense-devel@xxxxxxxxxxxxxxxxxxx
  • From: Pat Huntington <pat_huntington@xxxxxxxxx>
  • Date: Wed, 7 Jun 2006 10:25:47 -0700 (PDT)
  • Delivery-date: Wed, 07 Jun 2006 10:25:59 -0700
  • Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=Message-ID:Received:Date:From:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding; b=W90fqpBxlAMTXYFdsoTbdBh/MGDu8bu2imRp5t3r+bHNSykFL6p6eJ2FqorUOYQs7ZDlTjFaD3AEOoq3YdSzgnNpajlvxr92KJu/NHlasoh+8rHtne75Ic7ee7OE+diI//Jf6LuMPUDyJex3VAZXzYUPrRFXjutY2cQuP81MrmI= ;
  • List-id: "A discussion list for those developing security enhancements for Xen." <xense-devel.lists.xensource.com>

What if you assign a pci NIC to the VM directly, then
the VM has full control over the device without any
dom0 backend, wouldn't that bypass the ACM checks in
netback?

--- Reiner Sailer <sailer@xxxxxxxxxx> wrote:

> > ------------------------------
> > 
> > Message: 4
> > Date: Tue, 30 May 2006 08:52:48 -0400
> > From: Michael LeMay <lemaymd@xxxxxxxxxxx>
> > Subject: [Xen-devel] ACM ternary ops?
> > To: xen-devel@xxxxxxxxxxxxxxxxxxx
> > Message-ID: <447C4020.4020008@xxxxxxxxxxx>
> > Content-Type: text/plain; charset=ISO-8859-1;
> format=flowed
> > 
> > Hello all,
> > 
> > I am interested in adding support for user-defined
> mandatory network 
> > access control policies to the existing ACM policy
> framework.  The most 
> > logical way to do this would be to add more hooks
> to handle networking 
> > and then define another policy module, like
> chinese wall and type 
> > enforcement.  However, it doesn't feel right to
> add a "ternary_ops" 
> > structure that is invoked after "secondary_ops". 
> Is there any 
> > reasonable justification for not including a link
> in each ops structure 
> > that points to the next policy module in the
> chain?  Essentially, I'd 
> > like to convert the current n-pointer structure to
> the following 
> > linked-list structure:
> > 
> > acm_primary_ops -> acm_secondary_ops ->
> acm_ternary_ops -> ... -> NULL
> > 
> Hi Michael,
> 
> to be able to answer more (than I do below) to your
> point, I need to know 
> what "user-defined" policy do you aim to enforce? Is
> it a finer-grained 
> operating system policy (based on OS structures,
> such as IP address or 
> similar things etc.)?
> 
> If it is an operating system policy, then the policy
> should be 
> implemented, decided, enforced, and managed in the
> operating system (e.g., 
> IP tables, SELinux,...) and probably not in the
> hypervisor. The major 
> focus of the ACM hypervisor security module is to
> keep the hypervisor code 
> as small as possible and robust, and the hypervisor
> security guarantees 
> easy to understand. --> only integrate what needs to
> be there. Higher 
> layer security can and should be handled in the
> higher layers (OS, 
> Middleware, Apps.).
> 
> Regarding hypervisor ACM network enforcement: We are
> currently integrating 
> network packet policy enforcement into the Dom0
> netback interface to 
> control local network traffic (enforcing the simple
> type-enforcement 
> policy based on acm labels of sending/receiving
> domain). In this case, we 
> don't need new policies but integrate the existing
> acm_getdecision 
> hypervisor call into the netback code to decide if a
> packet is passed or 
> discarded between virtual network interfaces. This
> solutions appears to be 
> a good fit for local traffic because the virtual
> network resource is part 
> of the hypervisor environment and because the
> network policy is based on 
> hypervisor structures: domains (not IP...). Other
> enforcement is be needed 
> to guard external packets and such controls (at
> least our prototypes) use 
> OS-level security, such as SELinux.
> 
> >Is there any 
> > reasonable justification for not including a link
> in each ops structure 
> > that points to the next policy module in the
> chain? 
> 
> Every policy layer operating on the same hooks might
> keep internal state 
> information, which must be rolled back if an access
> is denied by a policy 
> component called "later" for the same hook. The
> chinese wall and the 
> simple type enforcement policy components were
> chosen to build a 
> hypervisor policy because they complete each other
> (one controls which 
> domains can start on a system, the other controls
> how started domains can 
> share information/communicate) and because they
> offer a good abstraction 
> (workload = Doms + resources) based on which
> security guarantees are 
> understood.
> 
> Running more than two policy components at the same
> time would require to 
> show that you really need all these policies active
> at the same time. 
> Otherwise, it seems more appropriate to define a new
> hypervisor policy 
> that can be configured instead of the existing ones
> (assuming this new 
> policy belongs into the hypervisor layer).
> 
> Greetings
> Reiner>
_______________________________________________
> Xen-devel mailing list
> Xen-devel@xxxxxxxxxxxxxxxxxxx
> http://lists.xensource.com/xen-devel
> 


__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 

_______________________________________________
Xense-devel mailing list
Xense-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xense-devel


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.