I am working on a system that requires a system provides isolation between various system components and we are looking at using Xen to do this. One of our requirements is that the code that enforces the separation is small and inspectable. At first blush, the Xen code appears to meet this, but I have a nagging concern that a mis-designed GuestOS could bypass Xen. I don't have any specific reason to believe this, but I wanted to ask if anyone can comment on whether this is possible, given the design of Xen.
So, the two questions are:
(1) Can a GuestOS ever bypass the Xen boundaries?
(2) How big (in lines of code) is the subsystem in Xen that enforces this?
Thanks in advance. Any help is greatly appreciated.
Charlie
Charlie Woloszynski
Innovative Concepts Inc.
703-893-2007 x506
charles.woloszynski@xxxxxxxxxxx
|