WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 
 
Home Products Support Community News
 
   
 

xen-devel

Re: Fw: [Xen-devel] Xen on /. again

Mark Williamson wrote:
Information about other domains' memory usage is leaked via the
hardware->physical mapping.

OK, I was forgetting about the domain memory reservation hypercalls. It's probably reasonable just to throw away ballooning functionality where this might be a problem.

The main problem (as I see it) is going to be the network interface, whose performance depends on page-flipping. You can eliminate the security problem without hiding machine address if you copy incoming packets but that's going to hurt performance :-(

Timing related attacks are somewhat trickier to eliminate covert channels
in, although some randomisation can limit the bandwidth.

Eliminating covert channels is completely infeasible. I don't see any
value in aiming for this. It's not a useful security property in most
circumstances.

I agree it's not useful in the majority of circumstances. If it's required it can be implemented at a later date but the returns for the amount of time invested are likely to be smaller.

It almost certainly can't be implemented at a later date. Even attempting
to do so (without really succeeding) would require significant incompatible
changes to the hypervisor interface.

The idea of limiting covert channels should have been abandoned when it
became clear that it isn't feasible without severely constraining the
efficiency and functionality of an operating system. Unfortunately it is
too interesting a problem, so a lot of effort has been essentially wasted
in research into this area, without ever coming up with any way to limit
the bandwidth to a useful extent. Attackers only need a very small
bandwidth to transmit many of the things that are most useful from their
point of view (cryptographic keys, passwords, compressed answers from a
program that can look at any amount of data), so claims about limiting the
bandwidth really just give a false sense of security.

--
David Hopwood <david.nospam.hopwood@xxxxxxxxxxxxxxxx>



-------------------------------------------------------
This SF.Net email is sponsored by: IntelliVIEW -- Interactive Reporting
Tool for open source databases. Create drag-&-drop reports. Save time
by over 75%! Publish reports on the web. Export to DOC, XLS, RTF, etc.
Download a FREE copy at http://www.intelliview.com/go/osdn_nl
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/xen-devel