[Xen-devel] Fwd: [PATCH 13/25] argo: implement the register op

[Roger Pau Monné <royger@xxxxxxxxxxx>]

On Wed, Jan 9, 2019 at 5:51 PM Tamas K Lengyel <tamas@xxxxxxxxxxxxx> wrote:
>
> On Wed, Jan 9, 2019 at 9:48 AM Razvan Cojocaru
> <rcojocaru@xxxxxxxxxxxxxxx> wrote:
> >
> > On 1/9/19 6:34 PM, Roger Pau Monné wrote:
> > >>>>> Maybe this is use-case is different, but how does introspection handle
> > >>>>> accesses to the shared info page or the runstate info for example?
> > >>>>>
> > >>>>> I would consider argo to be the same in this regard.
> > >>>>
> > >>>> Not exactly: The shared info page is special in any event. For
> > >>>> runstate info (and alike - there's also struct vcpu_time_info)
> > >>>> I'd question correctness of the current handling. If that's
> > >>>> wrong already, I'd prefer if the issue wasn't spread.
> > >>>
> > >>> There are also grants, which when used together with another guest on
> > >>> the same host could allow to bypass introspection AFAICT? (unless
> > >>> there's some policy applied that limit grant sharing to trusted
> > >>> domains)
> > >>>
> > >>> TBH I'm not sure how to handle hypoervisor accesses with
> > >>> introspection.  My knowledge of introspection is fairly limited, but
> > >>> it pauses the guest and sends a notification to an in guest agent. I'm
> > >>> not sure this is applicable to hypervisor writes, since it's not
> > >>> possible to pause hypervisor execution and wait for a response from a
> > >>> guest agent.
> > >>>
> > >>
> > >> Introspection applications only care about memory accesses performed
> > >> by the guest. Hypervisor accesses to monitored pages are not included
> > >> when monitoring - it is actually a feature when using the emulator in
> > >> Xen to continue guest execution because the hypervisor ignores EPT
> > >> memory permissions that trip the guest for introspection. So having
> > >> the hypervisor access memory or a grant-shared page being accessed in
> > >> another domain are not a problem for introspection.
> > >
> > > Can't then two guests running on the same host be able to completely
> > > bypass introspection? I guess you prevent this by limiting to which
> > > guests pages can be shared?
> >
> > Would these two guests be HVM guests? Introspection only works for HVM
> > guests. I'm not sure I follow your scenario though. How would these
> > guests collaborate to escape introspection via grants?
>
> If there are two domains acting maliciously in concert to bypass
> monitoring of memory writes they could achieve that with grants, yes.
> Say a write-monitored page is grant-shared to another domain, which
> then does the write on behalf of the first. I wouldn't say that's
> "completely bypassing introspection" though, there are many types of
> events that can be monitored, write-accesses are only one. I'm not
> aware of any mechanism that can be used to limit which pages can be
> shared but you can use XSM to restrict which domains can share pages
> to begin with. That's normally enough.

Yes, I assumed that would be the way to protect against such attacks,
ie: limiting to which guests pages can be shared. I think just making
sure the right access checks are placed in XSM (just like they are for
grants) should be enough.

Thanks, Roger.

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel