WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
 
   
 

xen-devel

Re: [Xen-devel] possible packet sniffer between domains?

To: "Ronald G. Minnich" <rminnich@xxxxxxxx>
Subject: Re: [Xen-devel] possible packet sniffer between domains?
From: Keir Fraser <Keir.Fraser@xxxxxxxxxxxx>
Date: Fri, 17 Sep 2004 17:13:02 +0100
Cc: xen-devel@xxxxxxxxxxxxxxxxxxxxx
Delivery-date: Fri, 17 Sep 2004 17:16:28 +0100
Envelope-to: steven.hand@xxxxxxxxxxxx
In-reply-to: Your message of "Fri, 17 Sep 2004 09:40:38 MDT." <Pine.LNX.4.58.0409162116280.26805@xxxxxxxxxxxxxxxx>
> In other words, bits of old packets are appearing in the pages along with 
> the new packet. 
> 
> More interesting, the packets are ones that seem like they weren't 
> destined for my domain. 
> 
> Is it possible, in a multiple-domain situation, for DOM N+1 to see bits of 
> packets for DOM N? Just wondering. 

Xen doesn't scrub the pages that a domain gives up when it decreases
its memory reservation. Frontend drivers are continually decreasing
their memory reservation (because it gets increased again when they
receive packets) -- so automatic scrubbing of whole pages would slay
performance.

This might be a security problem for some people -- currently the
pages that are returned to Xen could have previously been used for any
purpose (e.g., they could be pages containing contents of arbitrary
files, or arbitrary VM pages from any running application).

A simple way to improve security would be for the frontend driver to
allocate 'rx buffers' out of a dedicated slab cache. The constructor
for the cache would zero out pages when they enter the cache. This
would improve security because the /only/ thing that you may end up
giving back to Xen without scrubbing is the contents of network
packets. In most cases you will assume that network packets don't
contain unencrypted secrets since your network could be sniffed
anyway.

Further tricks would be needed if you care about not leaking
network-packet contents to other domains. For example, I think
in-kernel IPsec will attempt to decrypt packets 'in situ'.

 -- Keir
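
The dedicated rx-buffer cache proposed in the message above, as a userspace C model added here for illustration; it is not Xen or Linux code and not part of the original post. All names (`guest_mem`, `rx_cache_alloc`, `released_page_has`) and the sample strings are constructed for the example.

```c
#include <string.h>
#define PAGE_SIZE 4096
#define NPAGES 4

/* Constructed stand-in for guest RAM: a page keeps whatever its last user wrote. */
static unsigned char guest_mem[NPAGES][PAGE_SIZE];
static int next_free;

/* General allocator: hands out pages without clearing them. */
static unsigned char *alloc_page_dirty(void) {
    return next_free < NPAGES ? guest_mem[next_free++] : NULL;
}

/* Dedicated rx-buffer cache: a page is zeroed once, when it enters the cache. */
struct rx_cache { unsigned char *slot[NPAGES]; int count; };
static unsigned char *rx_cache_alloc(struct rx_cache *c) {
    if (c->count > 0)
        return c->slot[--c->count];   /* reuse: the constructor does not run again */
    unsigned char *p = alloc_page_dirty();
    if (p)
        memset(p, 0, PAGE_SIZE);      /* the cache constructor */
    return p;
}

static void rx_cache_free(struct rx_cache *c, unsigned char *p) {
    if (c->count < NPAGES) c->slot[c->count++] = p;
}

/* Returns 1 if the byte string s occurs anywhere in the page. */
static int page_has(const unsigned char *page, const char *s) {
    size_t n = strlen(s);
    for (size_t i = 0; i + n <= PAGE_SIZE; i++)
        if (memcmp(page + i, s, n) == 0) return 1;
    return 0;
}

/* Use one page as an rx buffer, then hand it back unscrubbed (as on a
 * reservation decrease) and report whether `needle` is visible in it. */
static int released_page_has(int use_cache, const char *needle) {
    struct rx_cache c = { {0}, 0 };
    memset(guest_mem, 0, sizeof guest_mem);
    next_free = 0;
    strcpy((char *)guest_mem[0] + 100, "FILE:private-key");  /* stale file data */
    unsigned char *p = use_cache ? rx_cache_alloc(&c) : alloc_page_dirty();
    strcpy((char *)p, "PKT:hello");                          /* packet payload */
    if (use_cache) { rx_cache_free(&c, p); p = rx_cache_alloc(&c); }
    return page_has(p, needle);
}

int main(void) { return released_page_has(1, "FILE:private-key"); }
```

With the cache, the released page still carries the packet payload but no longer the stale file data, which is the residual exposure the message goes on to discuss.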

