

Re: [Xen-devel] Xen Guest Memory Isolation

To: Ahmed Azab <amazab@xxxxxxxx>
Subject: Re: [Xen-devel] Xen Guest Memory Isolation
From: Tim Deegan <Tim.Deegan@xxxxxxxxxx>
Date: Wed, 15 Apr 2009 09:34:31 +0100
Cc: "xen-devel@xxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxx>
At 23:16 +0100 on 14 Apr (1239751001), Ahmed Azab wrote:
> In para-virtualized guests. My understanding is (Please correct me if I 
> am wrong) that Xen achieves the isolation through (1) making all page 
> tables non-writable so that the guest has to ask Xen to do the update 
> through hypercalls and (2) having Xen validate each page-table update 
> to make sure domain X cannot access domain Y's memory.

Yes.  (Guests may also try to write directly to their pagetables, in
which case Xen intercepts the pagefault, emulates the instruction and
performs the implicit hypercall to change the contents).

> 1-Does Xen check that the passed value refers to a physical page that 
> really belongs to the calling domain? If yes, where is the code piece 
> that does that? If no, then what guarantees that the guest won't map a 
> page belonging to another guest?

mod_l1_entry() calls get_page_from_l1e() which calls get_page_and_type(),
which does reference counting and enforces security restrictions.

> 2-If the guest is updating a higher level page table (l2 for example) 
> then the entry points to a lower level page table. Does Xen check that 
> the new one cannot be rewritten by the guest? Again, where is the code or 
> what is the security guarantee?

Similarly, mod_lX_entry->get_page_from_lXe->get_page_and_type

> 3-Does Xen keep track of all page tables of a certain guest or does it just 
> rely on the type_info value stored in the page data structure?

It relies on the type-info; only a page with the correct type may be
used as a top-level page table.  To get that type, its contents must be
verified (including recursively checking the types of pages it points to).

> 4-How does Xen then guarantee that upon process switching the new cr3 value 
> will point to a page table that is protected by Xen?

The pagetable types are mutually exclusive with the "writable" type,
which a page must have before a validated write-access l1e can point to it.

> One final thing. Can I force all guests (including para-virtualized 
> ones) to use shadow page tables?

You can (and see the xc_domain_save routines for an example), but for PV
guests the shadow pagetables don't enforce these access restrictions,
since they can rely on the pagetables already being correct.



Tim Deegan <Tim.Deegan@xxxxxxxxxx>
Principal Software Engineer, Citrix Systems (R&D) Ltd.
[Company #02300071, SL9 0DZ, UK.]
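The reply above describes three rules that together give PV guests memory isolation: a pagetable update is only accepted if the frame it references belongs to the calling domain, a frame's type (writable page vs. pagetable) is tracked by reference count and the two kinds are mutually exclusive, and cr3 may only be loaded with a frame that already holds the validated top-level type. The toy model below, added here as an illustration and not Xen's own code, reproduces those rules in a small frame table. The function names mirror the ones Tim mentions (get_page_and_type, get_page_from_l1e, mod_l1_entry), but the structures, the flag layout, the four-entry tables and switch_cr3 are simplifying assumptions made for the example.

```c
/* Toy model of Xen's page type / reference-count discipline (added example,
 * not Xen source). Names follow the reply above; the data layout is invented. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NR_PAGES    8           /* assumption: tiny machine with 8 frames */
#define L1_ENTRIES  4           /* assumption: 4 entries per toy table   */
#define PTE_PRESENT 0x1u
#define PTE_RW      0x2u
#define PTE_MFN(pte) ((pte) >> 12)
#define MK_L1E(mfn, flags) (((uint32_t)(mfn) << 12) | (flags))

enum page_type { PGT_none = 0, PGT_writable_page, PGT_l1_page_table, PGT_l2_page_table };

struct page_info {
    int owner;               /* domain that owns the frame */
    enum page_type type;     /* PGT_none whenever type_count == 0 */
    unsigned type_count;     /* outstanding references holding the type */
    uint32_t l1e[L1_ENTRIES];/* contents when the frame is used as an L1 table */
};

static struct page_info frame_table[NR_PAGES];

/* get_page_and_type: frame must belong to the caller, and the requested type
 * must not conflict with a type already pinned by outstanding references.
 * This is what makes "writable" and "pagetable" mutually exclusive. */
static bool get_page_and_type(unsigned mfn, int dom, enum page_type type)
{
    struct page_info *pg;
    if (mfn >= NR_PAGES) return false;
    pg = &frame_table[mfn];
    if (pg->owner != dom) return false;           /* cross-domain frame: denied */
    if (pg->type_count == 0)
        pg->type = type;                          /* first reference fixes the type */
    else if (pg->type != type)
        return false;                             /* e.g. RW mapping of a pagetable */
    pg->type_count++;
    return true;
}

static void put_page_and_type(unsigned mfn)
{
    struct page_info *pg = &frame_table[mfn];
    if (pg->type_count && --pg->type_count == 0) pg->type = PGT_none;
}

/* get_page_from_l1e: a writable mapping pins the target as PGT_writable_page;
 * a read-only mapping only needs the ownership check. */
static bool get_page_from_l1e(uint32_t l1e, int dom)
{
    unsigned mfn = PTE_MFN(l1e);
    if (!(l1e & PTE_PRESENT)) return true;        /* nothing referenced */
    if (l1e & PTE_RW) return get_page_and_type(mfn, dom, PGT_writable_page);
    return mfn < NR_PAGES && frame_table[mfn].owner == dom;
}

static void put_page_from_l1e(uint32_t l1e)
{
    if ((l1e & PTE_PRESENT) && (l1e & PTE_RW)) put_page_and_type(PTE_MFN(l1e));
}

/* mod_l1_entry: the hypercall (or emulated-write) path that changes one L1
 * entry; the new entry is validated before the old reference is dropped. */
static bool mod_l1_entry(unsigned l1_mfn, unsigned idx, uint32_t new_l1e, int dom)
{
    struct page_info *l1;
    if (l1_mfn >= NR_PAGES || idx >= L1_ENTRIES) return false;
    l1 = &frame_table[l1_mfn];
    if (l1->owner != dom || l1->type != PGT_l1_page_table) return false;
    if (!get_page_from_l1e(new_l1e, dom)) return false;
    put_page_from_l1e(l1->l1e[idx]);
    l1->l1e[idx] = new_l1e;
    return true;
}

/* switch_cr3 (hypothetical): only a frame already holding the validated
 * top-level type may be loaded, answering question 4 above. */
static bool switch_cr3(unsigned mfn, int dom)
{
    return mfn < NR_PAGES && frame_table[mfn].owner == dom
        && frame_table[mfn].type == PGT_l2_page_table && frame_table[mfn].type_count;
}

/* Constructed scenario: frames 0-3 belong to domain 1, frames 4-7 to domain 2;
 * frame 0 is domain 1's pinned L2, frame 1 its pinned L1. */
static void setup(void)
{
    memset(frame_table, 0, sizeof frame_table);
    for (unsigned i = 0; i < NR_PAGES; i++) frame_table[i].owner = (i < 4) ? 1 : 2;
    get_page_and_type(0, 1, PGT_l2_page_table);
    get_page_and_type(1, 1, PGT_l1_page_table);
}

int main(void)
{
    setup();
    printf("map own data frame RW:   %s\n", mod_l1_entry(1, 0, MK_L1E(2, PTE_PRESENT|PTE_RW), 1) ? "ok" : "denied");
    printf("map domain 2's frame RO: %s\n", mod_l1_entry(1, 1, MK_L1E(5, PTE_PRESENT), 1) ? "ok" : "denied");
    printf("map own L1 table RW:     %s\n", mod_l1_entry(1, 2, MK_L1E(1, PTE_PRESENT|PTE_RW), 1) ? "ok" : "denied");
    printf("map own L1 table RO:     %s\n", mod_l1_entry(1, 3, MK_L1E(1, PTE_PRESENT), 1) ? "ok" : "denied");
    printf("cr3 -> validated L2:     %s\n", switch_cr3(0, 1) ? "ok" : "denied");
    printf("cr3 -> plain data frame: %s\n", switch_cr3(2, 1) ? "ok" : "denied");
    return 0;
}
```

The part worth noticing is the last case in mod_l1_entry's checks: a frame that is already mapped writable cannot later be promoted to a pagetable type until every writable reference is dropped, and vice versa, so a guest can never hold a writable view of any frame that Xen is trusting as a pagetable.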
