WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 
 
Home Products Support Community News
 
   
 

xen-users

[Xen-users] Re: Exploiting XEN

To: "Petersson, Mats" <Mats.Petersson@xxxxxxx>
Subject: [Xen-users] Re: Exploiting XEN
From: Anthony Liguori <aliguori@xxxxxxxxxx>
Date: Thu, 15 Mar 2007 13:31:05 -0500
Cc: Artur Baruchi <mail.baruchi@xxxxxxxxx>, "Daniel P. Berrange" <berrange@xxxxxxxxxx>, Xen-users@xxxxxxxxxxxxxxxxxxx
Delivery-date: Thu, 15 Mar 2007 11:30:19 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
In-reply-to: <907625E08839C4409CE5768403633E0B018E1A6D@xxxxxxxxxxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <20070313154326.GB24377@xxxxxxxxxx> <907625E08839C4409CE5768403633E0B018E1A6D@xxxxxxxxxxxxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Thunderbird 1.5.0.10 (X11/20070306)
Petersson, Mats wrote:

I guess that's a fair comment too. Dom0 is a large part of a Xen
environment, and if Dom0 is compromised, then Xen can't really do that
much to prevent the system from being crashed, subverted or other
malicious acts. But I believe Xen itself is "safe" from Dom0 being
compromised

It's not. Dom0 (or any IO domain) has direct access to DMA controllers. It can use DMA to overwrite the hypervisor's memory with arbitrary data.

It would be rather trivial for dom0 to escalate itself to ring 0 by simply locating the IDT, writing a new IDT to disk, and then doing a DMA read operation with the physical address of the IDT's.

Regards,

Anthony Liguori

 - but it's moot point, as Xen on it's own is about as useful
as a chocalte teapot.
But Xen isn't really the "culprit" in this scenario - it's the same
scenario for Linux (or whatever other OS we care to choose) without a
hypervisor.

--
Mats
Dan.
--
|=- Red Hat, Engineering, Emerging Technologies, Boston. +1 978 392 2496 -=| |=- Perl modules: http://search.cpan.org/~danberr/ -=| |=- Projects: http://freshmeat.net/~danielpb/ -=| |=- GnuPG: 7D3B9505 F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 -=|




_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users

<Prev in Thread] Current Thread [Next in Thread>