Re: [Xen-devel] RFC: Adding a section to the Xen security policy about what constitutes a vulnerability

["Jan Beulich" <JBeulich@xxxxxxxx>]

>>> On 24.01.17 at 17:33, <George.Dunlap@xxxxxxxxxx> wrote:
>> On Jan 24, 2017, at 3:08 PM, Jan Beulich <JBeulich@xxxxxxxx> wrote:
>>>>> On 24.01.17 at 16:01, <George.Dunlap@xxxxxxxxxx> wrote:
>>>> On Jan 24, 2017, at 11:43 AM, Jan Beulich <jbeulich@xxxxxxxx> wrote:
>>>>>>> On 24.01.17 at 12:33, <ian.jackson@xxxxxxxxxxxxx> wrote:
>>>>> Jan Beulich writes ("Re: [Xen-devel] RFC: Adding a section to the Xen 
>>> security 
>>>>> policy about what constitutes a vulnerability"):
>>>>>> "If a bug requires a vulnerable operating system to be exploitable, the
>>>>>> Xen Security Team will pro-actively investigate the vulnerability of
>>>>>> the following open-source operating systems: Linux, OpenBSD, FreeBSD,
>>>>>> and NetBSD.  The security team will also test or otherwise investigate
>>>>>> the vulnerability of supported Windows versions, and it may also do so
>>>>>> for some other proprietary operating systems."
>>>>> 
>>>>> I don't think we can promise to come up with a definitely conclusion
>>>>> for any proprietary system, can we ?  Answering such a question for
>>>>> Windows is not within our power because we don't have the source code.
>>>> 
>>>> Well - see George's original mail, which the above was a reply to.
>>>> He has suggested that there's enough knowledge around.
>>>> 
>>>>> The question, which the above text leaves unclear, is, what do we do
>>>>> if we aren't sure whether there are configurations of Windows which
>>>>> have the exposed behaviour.
>>>> 
>>>> I think I had given my opinion on this in an earlier mail: If in doubt,
>>>> we ought to issue an advisory.
>>> 
>>> And my response (in not so many words) was that the statement, “If in doubt 
>>> we ought to issue an advisory” is too black-and-white, and (it seems to me) 
>>> will probably always result in an advisory being issued; thus making the 
>>> whole discussion moot.  
>>> 
>>> But perhaps we’re using the word “doubt” a bit differently.  In the case of 
>>> XSA-176 and 192, for instance, would you have said that we had any doubts 
>>> about whether Windows was vulnerable?
>> 
>> For 192 - no. For 176 I wouldn't be that sure.
> 
> I guess it’s not really a fair question, as we didn’t really spend a lot of 
> time investigating Windows because we were going to issue the advisory 
> anyway.
> 
> I think under the above rule, for XSA-176, I think we would either want to 
> have an answer from someone in MS, or we’d instrument a version of Xen to 
> look for the PSE bit in L3 and L4 pagetables and run it through our 
> regression test.  If there was no evidence of any of our tested versions of 
> Windows setting the L4 PSE bit, or setting the L3 bit when 1G superpages were 
> not advertized, I would be comfortable not issuing an advisory.  
> 
> On the other hand, if we really had no idea — we had no test to perform and 
> we hadn’t been able to contact anyone from within MS, and it seemed like 
> Windows might plausibly be vulnerable, then I would agree that issuing an 
> advisory would make sense.
> 
> What do you think?

Sounds all reasonable.

> But I’m not immediately sure how to put such a guideline into words.

Same here; all I really would like to avoid is for Windows (as
presumably the most relevant closed source OS we care
virtualizing) to be completely left out of the picture here.

Jan

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
https://lists.xen.org/xen-devel