
Re: [Xen-users] Exploiting XEN



> > > The Xen hypervisor is fairly small, and thus relatively easy to
> > > understand and control against vulnerabilities. Since it's living
> > > "outside" the host-OS that it controls, it's potentially less vulnerable
> > > than those hypervisors that live within the host-OS.
> >
> > Nice in theory, but in practice you have to include Dom0 as (at this
> > time) it has effectively unrestricted access to the hardware and is
> > necessarily trusted by every DomU that cares about disk or network
> > I/O. While in theory Xen may allow a tighter security model, in the
> > real-world deployments of Xen there's no better security from its
> > arch of hypervisor outside the Dom0 OS, vs other virt systems which
> > have the hypervisor as part of the Dom0.
>
> I guess that's a fair comment too. Dom0 is a large part of a Xen
> environment, and if Dom0 is compromised, then Xen can't really do that
> much to prevent the system from being crashed, subverted or other
> malicious acts. But I believe Xen itself is "safe" from Dom0 being
> compromised - but it's a moot point, as Xen on its own is about as useful
> as a chocolate teapot.

We don't make any real effort to protect the system from a naughty dom0 at 
this point - there's no point whilst it's permitted to DMA over any memory it 
wants.  With domain 0 disaggregation and IOMMU hardware we should be able to 
harden the system significantly with respect to what harm dom0 and driver 
domains can do.

For a random related reference, 
[http://www.cs.rochester.edu/meetings/sosp2003/papers/p134-lie.pdf] describes 
an implementation of an untrusted operating system: the researchers' goal was 
(with hardware support) to produce an OS that was as limited as possible WRT 
interfering with applications in certain ways whilst still providing 
essential OS services.  It's an interesting read.

Cheers,
Mark

> But Xen isn't really the "culprit" in this scenario - it's the same
> scenario for Linux (or whatever other OS we care to choose) without a
> hypervisor.
>
> --
> Mats
>
> > Dan.
> > --
> >
> > |=- Red Hat, Engineering, Emerging Technologies, Boston.  +1 978 392 2496 -=|
> > |=-           Perl modules: http://search.cpan.org/~danberr/              -=|
> > |=-               Projects: http://freshmeat.net/~danielpb/               -=|
> > |=-  GnuPG: 7D3B9505   F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505  -=|
>
> _______________________________________________
> Xen-users mailing list
> Xen-users@xxxxxxxxxxxxxxxxxxx
> http://lists.xensource.com/xen-users

-- 
Dave: Just a question. What use is a unicycle with no seat?  And no pedals!
Mark: To answer a question with a question: What use is a skateboard?
Dave: Skateboards have wheels.
Mark: My wheel has a wheel!

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
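The point Mark makes above (a dom0 or driver domain that can DMA anywhere is implicitly trusted by every guest, and an IOMMU is what turns that into an enforceable boundary) can be illustrated with a small model. The code below is an added example written for this page; it is not Xen code and not from any participant in the thread. Domain names, frame numbers, the device name `nic0` and the IOVA page `0x100` are all constructed values; the `Iommu` class is a toy per-device translation table, not an interface of any real IOMMU driver.

```python
"""Toy model of DMA from a driver domain with and without an IOMMU.

Constructed example (not Xen code). Physical memory is a set of frame
numbers owned by domains. A DMA-capable device either addresses physical
frames directly (no IOMMU) or goes through a per-device translation table
that only contains the frames the owning domain has granted to it.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Domain:
    name: str
    frames: set[int]  # physical frames owned by this domain


@dataclass
class Iommu:
    # Per-device translation tables: device -> {iova_page: physical_frame}.
    tables: dict[str, dict[int, int]] = field(default_factory=dict)

    def map(self, device: str, iova_page: int, frame: int) -> None:
        """Grant `device` access to physical `frame` at device address `iova_page`."""
        self.tables.setdefault(device, {})[iova_page] = frame

    def translate(self, device: str, iova_page: int) -> int | None:
        """Return the physical frame for a device address, or None if unmapped."""
        return self.tables.get(device, {}).get(iova_page)


class Machine:
    def __init__(self, domains: list[Domain], iommu: Iommu | None = None):
        self.domains = {d.name: d for d in domains}
        self.iommu = iommu
        self.dma_log: list[tuple] = []  # (device, frame_or_page, outcome)

    def owner_of(self, frame: int) -> str | None:
        for d in self.domains.values():
            if frame in d.frames:
                return d.name
        return None

    def dma_write(self, device: str, target_page: int) -> str | None:
        """Simulate a device DMA write.

        Returns the name of the domain whose memory was written, or None
        when the IOMMU rejected the access (logged as an IOMMU fault).
        """
        if self.iommu is None:
            frame = target_page  # no translation: device address == physical frame
        else:
            frame = self.iommu.translate(device, target_page)
            if frame is None:
                self.dma_log.append((device, target_page, "IOMMU fault"))
                return None
        victim = self.owner_of(frame)
        self.dma_log.append((device, frame, victim))
        return victim


def build_domains() -> list[Domain]:
    # Constructed layout: dom0, a disaggregated driver domain, and one guest.
    return [
        Domain("dom0", {0, 1, 2}),
        Domain("driver", {10, 11}),
        Domain("domU", {20, 21, 22}),
    ]


def dma_without_iommu() -> str | None:
    """A NIC owned by the driver domain writes straight into a domU frame."""
    m = Machine(build_domains())
    return m.dma_write("nic0", 20)  # reaches domU: every guest must trust the driver domain


def dma_with_iommu() -> tuple[str | None, str | None, list[tuple]]:
    """Same NIC, but its DMA is confined to frames the driver domain granted."""
    iommu = Iommu()
    iommu.map("nic0", 0x100, 10)  # driver domain grants its own frame 10 at IOVA page 0x100
    m = Machine(build_domains(), iommu)
    blocked = m.dma_write("nic0", 20)      # untranslated guest frame: IOMMU fault
    allowed = m.dma_write("nic0", 0x100)   # mapped page: lands in the driver domain only
    return blocked, allowed, m.dma_log


if __name__ == "__main__":
    print("no IOMMU, DMA to frame 20 hits:", dma_without_iommu())
    blocked, allowed, log = dma_with_iommu()
    print("IOMMU, DMA to frame 20 hits:", blocked, "| DMA via IOVA 0x100 hits:", allowed)
    for entry in log:
        print("  log:", entry)
```

Without the IOMMU the device's view of memory is the machine's physical address space, so a misbehaving or compromised driver domain can reach any guest's frames; with the IOMMU in place the same request faults unless the frame was explicitly granted, which is the hardening the message above anticipates from disaggregation plus IOMMU hardware.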

