WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 		  
Home Products Support Community News
 
   
 

xen-devel

[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Xen-devel] Re: Module loading in unpriveledged domains

from [David Hopwood] [Permanent Link][Original]
To: xen-devel@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: [Xen-devel] Re: Module loading in unpriveledged domains
From: David Hopwood <david.nospam.hopwood@xxxxxxxxxxxxxxxx>
Date: Tue, 23 Nov 2004 17:10:33 +0000
Delivery-date: Tue, 23 Nov 2004 17:12:16 +0000
Envelope-to: xen+James.Bulpin@xxxxxxxxxxxx
In-reply-to: <87d5y47by5.fsf@xxxxxxxxxxxxxxxxxx>
List-archive: <http://sourceforge.net/mailarchive/forum.php?forum=xen-devel>
List-help: <mailto:xen-devel-request@lists.sourceforge.net?subject=help>
List-id: List for Xen developers <xen-devel.lists.sourceforge.net>
List-post: <mailto:xen-devel@lists.sourceforge.net>
List-subscribe: <https://lists.sourceforge.net/lists/listinfo/xen-devel>, <mailto:xen-devel-request@lists.sourceforge.net?subject=subscribe>
List-unsubscribe: <https://lists.sourceforge.net/lists/listinfo/xen-devel>, <mailto:xen-devel-request@lists.sourceforge.net?subject=unsubscribe>
References: <E1CWMBD-0005iA-00@xxxxxxxxxxxxxxxxx> <41A2980B.8090506@xxxxxxxxxxxxxxxx> <87d5y47by5.fsf@xxxxxxxxxxxxxxxxxx>
Reply-to: david.nospam.hopwood@xxxxxxxxxxxxxxxx
Sender: xen-devel-admin@xxxxxxxxxxxxxxxxxxxxx
User-agent: Mozilla Thunderbird 0.9 (Windows/20041103) 
Nuutti Kotivuori wrote:

David Hopwood wrote:


True, unless there are bugs that cause different behaviour depending
on whether a module is compiled-in or loaded (such as
<http://lists.jammed.com/linux-security-module/2003/12/0012.html>).
Nevertheless enabling loadable modules may allow a greater
proportion of script kiddies to be capable of exploiting any given
bug.

This is all the same as in standard Linux, so perhaps I should have
said: enable loadable modules iff you would do so in standard Linux.


That's a bit of an odd comment I think.

Enabling module loading has security implications for the actual Linux
system being exploited - eg. either the physical machine in a
standalone case, or a Xen guest virtual machine.

But the original question was not about the security of that machine,
but about the possibility of escalation of that exploit into other
Xen guests or the domain 0 on the same physical machine.


If there is no exploit, then there is no possibility of escalation.
On a physical machine running Linux on Xen where an attacker only has
direct access to Linux user-mode processes, the attacker has two layers
that must both be exploited: Linux and Xen. Obviously, bugs and
misconfigured settings in both Linux and Xen are therefore relevant
to the security of the physical machine.

--
David Hopwood <david.nospam.hopwood@xxxxxxxxxxxxxxxx>



-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now. http://productguide.itmanagersjournal.com/ 
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/xen-devel
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Xen-devel] double or triple access to ext2, ext3 or other partitions, Luke Kenneth Casson Leighton
Next by Date:  Re: [Xen-devel] double or triple access to ext2, ext3 or other partitions, Mark Williamson
Previous by Thread:  Re: [Xen-devel] Re: Module loading in unpriveledged domains, Brian Wolfe
Next by Thread:  [Xen-devel] Re: Module loading in unpriveledged domains, Scott Mohekey
Indexes:  [Date] [Thread] [Top] [All Lists]
 
   

Copyright , Citrix Systems Inc. All rights reserved. Legal and Privacy