WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 
 
Home Products Support Community News
 
   
 

xen-users

Re: [Xen-users] Re: malicious paravirtualized guests: security and isola

To: "Luke S Crawford" <lsc@xxxxxxxxx>
Subject: Re: [Xen-users] Re: malicious paravirtualized guests: security and isolation
From: "Vasiliy Baranov" <vasiliy.baranov@xxxxxxxxx>
Date: Wed, 3 Dec 2008 17:04:07 +0300
Cc: xen-users@xxxxxxxxxxxxxxxxxxx
Delivery-date: Wed, 03 Dec 2008 06:04:52 -0800
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:to :subject:cc:in-reply-to:mime-version:content-type:references; bh=5m6lbHia5LgJ8Fh4hE6I+G86TR/20thkl7IsBgqeCcI=; b=q7KgGiFw7qOxaYDAfg54bZRzfWlRS9bngsFp82u+qMqW+vvJF3fg6FyGrAGlTGAi2G 9pVqpxyiKcHZtI24alPjefxiVGN4rVeFtoxEeuqSTGq+1WjxyhXhzo9vVler68KKTALv Cheo+PJGEO2g7yG3Fo+xeHLwAQn3QuipJ5+do=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:to:subject:cc:in-reply-to:mime-version :content-type:references; b=FE4l+1Xz26nUAmL557Uux394c+uaNB/+7Qv/umWh/fB1O8HKnzLWyJjkmFoE8ft9Lb wG1XtQctXwnmXT9dHwDV/eE087XeMA4ymStUbdhHLNFiyTQugo+wFoCKIEPD5yIN9DVH xSa3THySNhijDRVeKrt3r40b2Nc0/OKwbtEBw=
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <m3hc5u7zg1.fsf@xxxxxxxxxxxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <e4a2b0250811110916nb0555ddq9156e0b607dfd8b2@xxxxxxxxxxxxxx> <91094279.208821226433579786.JavaMail.root@xxxxxxxxxxxxxxxxx> <e4a2b0250811141039q4f67cf05y66c185cba9f98ed1@xxxxxxxxxxxxxx> <m3hc5u7zg1.fsf@xxxxxxxxxxxxxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx

On Thu, Nov 27, 2008 at 4:03 AM, Luke S Crawford <lsc@xxxxxxxxx> wrote:
"Vasiliy Baranov" <vasiliy.baranov@xxxxxxxxx> writes:
> Sure. We are not talking about sharing the kernel between dom0 and domU.
> domUs are going to have completely different kernels anyways. The question
> is, if I have to allow custom modules in domUs (because my users cannot live
> without them), does it make sense to disallow custom kernels, i.e. whether
> disallowing custom kernels is going to buy me much?

First, I'm not really sure how you would disallow custom kernels, without
giving users a box with a castrated root.

By disallowing custom kernels I mean that dom0 can supply trusted (for some value of "trusted") kernels rather than invoke pygrub.
 
If you have root on a
regular linux box, there are several mechanisms for modifying the running
kernel without rebooting.

Can you please name some of these mechanisms?
 
A data point:  I've been allowing custom kernels from just about anyone
on the net willing to give me $5 since 2005, and I haven't had anyone break
out from the DomU to the Dom0.

I am entirely paravirtualized, though, and from what I understand, HVM has
a much larger (and theoretically  more buggy) interface between Dom0 and DomU.

I have had problems where MAC address conflicts took things down,  (lock
those MACs down and firewall them!)

Oh, the weakest part of my system, in my opinion?  PyGrub.  (that, or my
homemade scripts that give DomU owners access to 'xm console domain')
Now, I don't know of any open security holes in PyGrub, but I know there
were some in the past.

Essentially, PyGrub is a python script that reads /boot/grub/menu.lst from
the guest file system and then copies the kernel from the DomU to the Dom0.
You can imagine how risky that is.

Hmm, I can see security risks in the context of not completely trusted dom0s. In the context of untrusted domUs, guest FS processing and file copying does not sound like something too risky. Am I missing something?
 
PVGRUB, from Xen 3.3, is theoretically much more secure, as it runs
entirely within the DomU.

Agreed.

Very helpful data point.

Thank you very much,
Vsailiy
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
<Prev in Thread] Current Thread [Next in Thread>
  • Re: [Xen-users] Re: malicious paravirtualized guests: security and isolation, Vasiliy Baranov <=