[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-users] Running workstation and firewall on the same hardware

To: Michal Ludvig <michal@xxxxxxxx>
From: Mark Williamson <mark.williamson@xxxxxxxxxxxx>
Date: Tue, 9 Aug 2005 18:02:50 +0100
Cc: xen-users@xxxxxxxxxxxxxxxxxxx
Delivery-date: Tue, 09 Aug 2005 17:01:19 +0000
List-id: Xen user discussion <xen-users.lists.xensource.com>

> > the case of the firewall domain being compromised, however, a
> > "sufficiently clever" attacker can probably abuse the DMA engine of the
> > network card to "break out" of the domU.
>
> This is interesting. How robust is the isolation between domains and
> what are the possible risks?

If you don't give a domain any real devices, isolation there should (modulo 
obscure bugs) be no way to break out.  The problem is that modern DMA-capable 
devices can access any memory in the system, so as soon as you give a domain 
access to a PCI card, you're basically trusting it not to fool about with 
your memory.

This is a limitation of modern hardware - future chipsets will likely have 
better controls for restricting DMA.  Also, Harry's USB virtualisation code 
won't have this limitation when it's checked in (because it's easier to 
restrict DMA for USB devices).

> From what you wrote it seems that allowing 
> domU access to the hardware is more risky than passing all packets to
> domU through dom0.

Depends...  I guess if you trust that nothing can compromise the path in dom0 
from eth0 to the domU's virtual ethernet then this is actually the case.  As 
Goetz pointed out, though, it'd require a reasonably sophisticated attacker 
to break out of a domain using DMA.

Bear in mind that if you're not running any services in the firewall domU, the 
only way it could get compromised is by a network-stack attack.  It still 
fulfills the goal of protecting your bloatware (your words!) from the 
internet...

> Say that I've got two domUs - one in DMZ and one in the Intranet,
> DMZ-domU has a dedicated NIC, intra-domU uses vif provided by dom0. What
> are the risks of breaking out of DMZ to the Intranet?

If a domain has a DMA capable card a sophisticated attacker can theoretically 
own the whole machine - there is no sensible way to control DMAs on current 
hardware.  I should point out nobody has ever done this but it is possible.

HTH,
Mark

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users

Follow-Ups:
- Re: [Xen-users] Running workstation and firewall on the same hardware
  - From: Michal Ludvig

References:
- [Xen-users] Running workstation and firewall on the same hardware
  - From: Morten Guldager
- Re: [Xen-users] Running workstation and firewall on the same hardware
  - From: Mark Williamson
- Re: [Xen-users] Running workstation and firewall on the same hardware
  - From: Michal Ludvig

Prev by Date: Re: [Xen-users] start a guest stop after NET: Registered protocol family 1 Starting domainU stops after NET: Registered protocol family 17 (but domainU is created)
Next by Date: Re: [Xen-users] Running workstation and firewall on the same hardware
Previous by thread: Re: [Xen-users] Running workstation and firewall on the same hardware
Next by thread: Re: [Xen-users] Running workstation and firewall on the same hardware
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.