WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 
 
Home Products Support Community News
 
   
 

xen-users

Re: [Xen-users] Running workstation and firewall on the same hardware

To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Xen-users] Running workstation and firewall on the same hardware
From: Goetz Bock <bock@xxxxxxxxxxx>
Date: Tue, 9 Aug 2005 00:54:38 +0200
Delivery-date: Mon, 08 Aug 2005 22:59:46 +0000
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <42F7DEC3.9030201@xxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
Mail-followup-to: Goetz Bock <bock@xxxxxxxxxxx>, xen-users@xxxxxxxxxxxxxxxxxxx
References: <d3e62a6b0508071107440f8e71@xxxxxxxxxxxxxx> <200508081737.36596.mark.williamson@xxxxxxxxxxxx> <42F7DEC3.9030201@xxxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Mutt/1.4.2i
On Tue, Aug 09 '05 at 10:37, Michal Ludvig wrote:
> Mark Williamson wrote:
> 
> > the case of the firewall domain being compromised, however, a "sufficiently 
> > clever" attacker can probably abuse the DMA engine of the network card to 
> > "break out" of the domU.
> 
> This is interesting. How robust is the isolation between domains and
> what are the possible risks?
I just skimmed through my mail-backlog today, but there was one post in
the recent days that summed up to:

"A domain with access to a PCI (bus)master device can abuse this
abilities to overwrite arbitrtary memmory locations"

So, after you owned the DomU that has controll of the network card, you
have to twaeke it into loading a new driver for the network card, that
abuses the PCI busmaster capabilities to overwrite some memory of the
supervisor to breake out of the DomU.

while this is known to be easy (for complicated values of easy) to do
with a firewire device/port I don't think you have anything to fear.

If I were to face a hacket that is able to do that (remotely), she has
much lowerhanging fruits to pick on the rest of my systems ;-)

> From what you wrote it seems that allowing domU access to the hardware
> is more risky than passing all packets to domU through dom0.

Yes and no. You'd have to studdy the PCI busmaster capabilities of your
networkcard to know for sure.

moving the hardware access to one domU has the advantage that you can
reboot the "driver domain" when required. But it's more complicated to
set up. Personaly I've never tried to do that. handling all hardware
access in dom0 was fine with me.

-- 
Goetz Bock       (c) 2005 as     blacknet.de - Munich - Germany   /"\
IT Consultant  Creative Commons  secure mobile Linux everNETting  \ /
                                                                   X
 ASCII Ribbon Campaign against HTML email & microsoft attachments / \

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users