RE: [Xen-users] Re: malicious paravirtualized guests: security and isolation
> Hi,
>
> I have a question about isolation and security guarantees Xen
> provides, if any, in cases when domU guests are not completely trusted,
> that is, can be malicious. Right now I am specifically interested in the
> scenario where all guests are paravirtualized, but the HVM case is of some
> interest too.
>
> Say I want to let my users run their own guests on a Xen host that
> I own. Users will bring their own disk images. I don't completely trust my
> users. Does the use of Xen guarantee that malicious guests will be unable
> to harm other guests or the entire host in any way (for example, kill the
> entire host)? It is interesting to know both what is guaranteed in theory
> (that is, if Xen and dom0 work as designed) and how things go in practice.
>
> If I disallow users from using their own kernels, that is, if I run guests
> with my own kernel(s) only, will that improve the situation? How about
> loadable kernel modules? If I allow Linux guests to load their custom
> kernel modules, will that nullify the effect of using trusted kernels?
>
> I currently use Xen 3.1.4, if that matters.
>

When developing the Windows GPLPV drivers I crashed my Dom0 (and therefore all DomUs) on a few occasions. That was under 3.0.3, 3.0.4, and possibly some early 3.1.x versions of Xen. As crashing was the exact opposite of what I was trying to do, I didn't pursue it, but obviously it has been possible in the past to cause a crash by doing something wrong in the PV side of things.

Is there a limit on the amount of data you can write to the xenstore? Overflowing some limit in xenstore could be one method of causing a crash.

James

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
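The xenstore question James raises is really a resource-exhaustion question: xenstore is a shared store serviced from dom0, so if an unprivileged guest could write to it without bound, one guest could degrade or take down a component every other guest depends on. The mitigation the xenstored implementations shipped with later Xen releases use is per-domain quotas (C xenstored's `--entry-nb` and `--entry-size` options, oxenstored's `quota-maxentity` and `quota-maxsize` settings): each unprivileged domain may own only so many entries, and no entry may exceed a fixed size. The following Python model, added here as an illustration and not code from this thread or from Xen itself, shows how such quotas bound a misbehaving guest while leaving other domains unaffected. The limit values, the `QuotaStore` class, the dom0 exemption and the ownership rule are all constructed assumptions for the example, not a description of xenstored's actual data structures.

```python
# Added illustration: a xenstore-like key/value store with per-domain
# write quotas.  This is NOT xenstored's code; the limits, class names
# and rules below are constructed for the example.
from dataclasses import dataclass, field

# Constructed limits (kept tiny so the demonstration is easy to follow).
# Real deployments tune their equivalents via xenstored options.
MAX_ENTRIES_PER_DOMAIN = 5
MAX_ENTRY_BYTES = 64
DOM0 = 0  # privileged domain; assumed exempt from quotas in this model


class QuotaExceeded(Exception):
    """Raised when a write would push an unprivileged domain over quota."""


@dataclass
class QuotaStore:
    # path -> (owner domid, value)
    entries: dict = field(default_factory=dict)
    # owner domid -> number of entries that domain currently owns
    counts: dict = field(default_factory=dict)

    def write(self, domid: int, path: str, value: bytes) -> None:
        """Store value at path on behalf of domid, enforcing quotas.

        Rules (constructed): dom0 is exempt; an unprivileged domain may
        not exceed MAX_ENTRY_BYTES per entry or MAX_ENTRIES_PER_DOMAIN
        entries in total; overwriting an entry it already owns does not
        consume a new slot; overwriting another domain's entry is refused.
        """
        existing = self.entries.get(path)
        if existing is not None and existing[0] != domid and domid != DOM0:
            raise PermissionError(f"dom{domid} does not own {path}")
        if domid != DOM0:
            if len(value) > MAX_ENTRY_BYTES:
                raise QuotaExceeded(
                    f"dom{domid}: {path} exceeds {MAX_ENTRY_BYTES} bytes")
            if existing is None and self.counts.get(domid, 0) >= MAX_ENTRIES_PER_DOMAIN:
                raise QuotaExceeded(
                    f"dom{domid}: entry quota of {MAX_ENTRIES_PER_DOMAIN} reached")
        if existing is None:
            self.counts[domid] = self.counts.get(domid, 0) + 1
        self.entries[path] = (domid, value)

    def remove(self, path: str) -> None:
        """Delete an entry and return its slot to the owning domain."""
        owner, _ = self.entries.pop(path)
        self.counts[owner] -= 1


def writes_until_quota(store: QuotaStore, domid: int) -> int:
    """Count how many fresh entries domid can create before the store refuses.

    Shows the bound a quota imposes: the loop always terminates for an
    unprivileged domain, whatever the guest does.
    """
    n = 0
    while True:
        try:
            store.write(domid, f"/local/domain/{domid}/data/key{n}", b"x")
        except QuotaExceeded:
            return n
        n += 1


def write_rejected(store: QuotaStore, domid: int, path: str, value: bytes) -> bool:
    """True if the store refuses the write on quota grounds."""
    try:
        store.write(domid, path, value)
    except QuotaExceeded:
        return True
    return False


if __name__ == "__main__":
    store = QuotaStore()
    print("dom5 entries before refusal:", writes_until_quota(store, 5))
    # Another unprivileged guest is unaffected by dom5 hitting its quota.
    store.write(6, "/local/domain/6/data/a", b"ok")
    # dom0 (the toolstack) keeps working, even with a large value.
    store.write(DOM0, "/local/domain/5/device/vif/0/state", b"x" * 200)
    print("dom5 live entries:", store.counts[5], "dom6:", store.counts[6])
```

The point of the model is the shape of the defence rather than the numbers: accounting is keyed on the owning domain, the privileged domain is not throttled, and a guest that keeps writing hits a hard refusal instead of growing dom0's state without limit. When auditing a host for this class of problem, the check is whether the xenstored in use enforces such limits and what they are set to.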