[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-users] Re: malicious paravirtualized guests: security and isolation

  • To: "Luke S Crawford" <lsc@xxxxxxxxx>
  • From: "Vasiliy Baranov" <vasiliy.baranov@xxxxxxxxx>
  • Date: Wed, 3 Dec 2008 17:04:07 +0300
  • Cc: xen-users@xxxxxxxxxxxxxxxxxxx
  • Delivery-date: Wed, 03 Dec 2008 06:04:52 -0800
  • Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:to:subject:cc:in-reply-to:mime-version :content-type:references; b=FE4l+1Xz26nUAmL557Uux394c+uaNB/+7Qv/umWh/fB1O8HKnzLWyJjkmFoE8ft9Lb wG1XtQctXwnmXT9dHwDV/eE087XeMA4ymStUbdhHLNFiyTQugo+wFoCKIEPD5yIN9DVH xSa3THySNhijDRVeKrt3r40b2Nc0/OKwbtEBw=
  • List-id: Xen user discussion <xen-users.lists.xensource.com>

On Thu, Nov 27, 2008 at 4:03 AM, Luke S Crawford <lsc@xxxxxxxxx> wrote:
"Vasiliy Baranov" <vasiliy.baranov@xxxxxxxxx> writes:
> Sure. We are not talking about sharing the kernel between dom0 and domU.
> domUs are going to have completely different kernels anyways. The question
> is, if I have to allow custom modules in domUs (because my users cannot live
> without them), does it make sense to disallow custom kernels, i.e. whether
> disallowing custom kernels is going to buy me much?

First, I'm not really sure how you would disallow custom kernels, without
giving users a box with a castrated root.

By disallowing custom kernels I mean that dom0 can supply trusted (for some value of "trusted") kernels rather than invoke pygrub.
If you have root on a
regular linux box, there are several mechanisms for modifying the running
kernel without rebooting.

Can you please name some of these mechanisms?
A data point:  I've been allowing custom kernels from just about anyone
on the net willing to give me $5 since 2005, and I haven't had anyone break
out from the DomU to the Dom0.

I am entirely paravirtualized, though, and from what I understand, HVM has
a much larger (and theoretically  more buggy) interface between Dom0 and DomU.

I have had problems where MAC address conflicts took things down,  (lock
those MACs down and firewall them!)

Oh, the weakest part of my system, in my opinion?  PyGrub.  (that, or my
homemade scripts that give DomU owners access to 'xm console domain')
Now, I don't know of any open security holes in PyGrub, but I know there
were some in the past.

Essentially, PyGrub is a python script that reads /boot/grub/menu.lst from
the guest file system and then copies the kernel from the DomU to the Dom0.
You can imagine how risky that is.

Hmm, I can see security risks in the context of not completely trusted dom0s. In the context of untrusted domUs, guest FS processing and file copying does not sound like something too risky. Am I missing something?
PVGRUB, from Xen 3.3, is theoretically much more secure, as it runs
entirely within the DomU.


Very helpful data point.

Thank you very much,
Xen-users mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.