Re: [Xen-users] VM isolation
> Could someone please point me to a document that describes how the host
> protects isolates the virtual machine to prevent accessing information
> on other hosts. For example, preventing Domain 1 from looking at Domain
> 2's memory space, hardware I/O, or network traffic (i.e. promiscuous
> mode).

For PV guests, memory space is protected by the means of Xen validating each pagetable update that's made by a guest. This prevents a guest from ever generating a mapping that points to another guest.

For HVM guests, the pagetables are "shadowed" in order to virtualise the physical address space; this means that there's actually no means for a guest to specify a mapping of another guest's memory.

Grant tables are used to share memory in a secure, capability-based way.

IO is done through virtual interfaces, which are conventionally set up to enforce isolation.

If you assign a physical PCI device to a guest then you throw away memory isolation. A guest with physical PCI access could (in the face of a sufficiently motivated attacker) own the whole host. So don't do that if it's security critical :-)

Network traffic I'm not quite familiar with enough to evaluate in detail.

> Essentially, I want to be able to rate the isolation between wide
> open, and logically separate hardware.

Hope that helps some. There are some descriptions of the workings here: http://www.cl.cam.ac.uk/research/srg/netos/xen/architecture.html which may illuminate too.

Cheers,
Mark

--
Dave: Just a question. What use is a unicycle with no seat? And no pedals!
Mark: To answer a question with a question: What use is a skateboard?
Dave: Skateboards have wheels.
Mark: My wheel has a wheel!

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
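A simplified model of the PV pagetable-update validation and the capability-style grant check described in the reply above, added here as an illustration. It is not Xen's code: the frame-ownership table, the `struct grant` layout and the function names are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define NFRAMES     8      /* toy machine with 8 page frames (assumption) */
#define PTE_PRESENT 0x1u   /* flags live in the low 12 bits of a PTE */
#define PTE_RW      0x2u

typedef uint16_t domid_t;

/* Constructed sample data: which domain owns each machine frame. */
static const domid_t frame_owner[NFRAMES] = {0, 1, 1, 1, 2, 2, 2, 2};

/* A grant is a capability: the owner lets one named domain map one frame. */
struct grant { domid_t owner, grantee; uint32_t mfn; bool readonly; };
static const struct grant grants[] = {
    { .owner = 2, .grantee = 1, .mfn = 5, .readonly = true },
};

static const struct grant *find_grant(domid_t grantee, uint32_t mfn)
{
    for (size_t i = 0; i < sizeof grants / sizeof grants[0]; i++)
        if (grants[i].grantee == grantee && grants[i].mfn == mfn &&
            frame_owner[mfn] == grants[i].owner)
            return &grants[i];
    return NULL;
}

/* Hypervisor-side check applied to every PTE a PV guest asks to install.
 * Returns true only if the new entry may be written to the page table. */
bool validate_pte_update(domid_t dom, uint64_t new_pte)
{
    uint64_t mfn = new_pte >> 12;

    if (!(new_pte & PTE_PRESENT))
        return true;                 /* a non-present entry maps nothing */
    if (mfn >= NFRAMES)
        return false;                /* frame does not exist */
    if (frame_owner[mfn] == dom)
        return true;                 /* the guest's own memory */

    const struct grant *g = find_grant(dom, (uint32_t)mfn);
    if (g == NULL)
        return false;                /* foreign frame and no capability */
    return !(g->readonly && (new_pte & PTE_RW));
}
```

The guest never writes its page tables directly in this model; every entry passes through `validate_pte_update`, so a mapping of another domain's frame can only exist where that domain issued a matching grant.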