[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] RFC: Adding a section to the Xen security policy about what constitutes a vulnerability



On Wed, Jan 4, 2017 at 1:16 PM, Jan Beulich <JBeulich@xxxxxxxx> wrote:
>>>> On 04.01.17 at 13:36, <george.dunlap@xxxxxxxxxx> wrote:
>> 4. The security team will only issue an advisory if there is a known
>> combination of software in which the vulnerability can be exploited.
>>
>> In most cases, the software which contains the bug is also the target
>> of the attack: that is, a bug in Xen allows an unprivileged user to
>> crash Xen, a bug in QEMU allows an unprivileged user to escalate its
>> privileges to that of the QEMU process.  In these cases "using Xen" or
>> "using QEMU" imples "being vulnerable".
>>
>> But this is not always so: for instance, a bug in the Xen instruction
>> emulator might allow a guest user to attack the guest kernel, *if* the
>> guest kernel behaves in a certain way, but not if it behaves in other
>> ways.  In such a case, a bug will only be considered a vulnerability
>> if there are known operating systems on which the attack can be
>> executed.  If no operating system can be found which allows such an
>> attack, no advisory will be issued.
>
> Both positively identifying an OS and proving a particular OS is
> unaffected will be kind of hard for closed source OSes. Hence I
> think ...
>
>> If a bug requires a vulnerable operating system to be exploitable, the
>> Xen Security Team will pro-actively investigate the vulnerability of
>> the following open-source operating systems: Linux, OpenBSD, FreeBSD,
>> and NetBSD.  The security team may also test or otherwise investigate
>> the vulnerability of some proprietary operating systems.
>
> ... that for a bug to not be a vulnerability, at the very least
> Windows would need to be proven to be unaffected. If in
> doubt, an advisory should be issued.

Quite a bit about Windows' internals are understood, by people who
write drivers, by people who have access to the source code, by people
who observe Windows' behavior as a guest, and so on.  So I expect that
with the expertise of the organizations in the security team at the
moment, in practice we would have a pretty good idea whether Windows
would be vulnerable or not.  I just didn't want to make any promises,
since (as you say) we can't look at the source code ourselves.  I
think we should make a reasonable effort to ascertain whether Windows
is vulnerable; but I think we only need to be "reasonably certain"
that Windows is not vulnerable.

 -George

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
https://lists.xen.org/xen-devel

 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.