 Home |
Products |
Support |
Community |
News |
xen-devel
Re: Fw: [Xen-devel] Xen on /. again
| To: | david.nospam.hopwood@xxxxxxxxxxxxxxxx |
|---|---|
| Subject: | Re: Fw: [Xen-devel] Xen on /. again |
| From: | Reiner Sailer <sailer@xxxxxxxxxx> |
| Date: | Thu, 20 Jan 2005 20:09:39 -0500 |
| Cc: | xen-devel@xxxxxxxxxxxxxxxxxxxxx, xen-devel-admin@xxxxxxxxxxxxxxxxxxxxx |
| Delivery-date: | Fri, 21 Jan 2005 01:12:38 +0000 |
| Envelope-to: | xen+James.Bulpin@xxxxxxxxxxxx |
| In-reply-to: | <41F0517A.5080503@xxxxxxxxxxxxxxxx> |
| List-archive: | <http://sourceforge.net/mailarchive/forum.php?forum=xen-devel> |
| List-help: | <mailto:xen-devel-request@lists.sourceforge.net?subject=help> |
| List-id: | List for Xen developers <xen-devel.lists.sourceforge.net> |
| List-post: | <mailto:xen-devel@lists.sourceforge.net> |
| List-subscribe: | <https://lists.sourceforge.net/lists/listinfo/xen-devel>, <mailto:xen-devel-request@lists.sourceforge.net?subject=subscribe> |
| List-unsubscribe: | <https://lists.sourceforge.net/lists/listinfo/xen-devel>, <mailto:xen-devel-request@lists.sourceforge.net?subject=unsubscribe> |
| Sender: | xen-devel-admin@xxxxxxxxxxxxxxxxxxxxx |
|
xen-devel-admin@xxxxxxxxxxxxxxxxxxxxx wrote on 01/20/2005 07:48:58 PM: > Mark Williamson wrote: > >>Also, I suppose you will wish to prevent covert channels between > >>domains, e.g. domains communicating using various timing attacks (I move > >>the disk head to the other end of the disk if I wish to tell you > >>something), or by allocating/freeing certains parts of memory. > >> > >>How much will you need to dumb down the VMs view of what is going on in > >>the machine to achieve this (not expose real time information, not > >>expose real page tables), and how much of a VMM will there be left when > >>you are done? > > > > Well domains are not aware of each other's memory usage, so I wouldn't have > > thought that allocation / exposing real page tables would matter. (Except > > dom0 can of course see everything if it wants). > > Information about other domains' memory usage is leaked via the > hardware->physical mapping. There might be a problem of object-reuse and isolation. If memory isn't cleared before it is given to another partition, then this is an error. If disk space isn't cleared before it is reused by another partition, then this seems serious, too. Question: a) Does the balloon driver clean pages before releasing it to other partitions? (I guess not) b) Does the page-swap thas happens when a packet is received clear the pages? (I guess not) c) If a) or b) use un-cleaned pages: did anybody try to sniff data (passwords, keys) from another non-cooperating partitions out of re-used pages? > > Timing related attacks are somewhat trickier to eliminate covert > channels in, > > although some randomisation can limit the bandwidth. > > Eliminating covert channels is completely infeasible. I don't see any > value in aiming for this. It's not a useful security property in most > circumstances. > -- > David Hopwood <david.nospam.hopwood@xxxxxxxxxxxxxxxx> To eliminate ALL covert channels might not be in our interest, but to ignore all of them seems unnatural as well. Certainly, covert channels are a way to spend many discussions. Reiner |
| Previous by Date: | RE: [Xen-devel] Rebooting domain0 independent of other domains, Ian Pratt |
|---|---|
| Next by Date: | Re: [Xen-devel] Rebooting domain0 independent of other domains, Matt Ayres |
| Previous by Thread: | Re: Fw: [Xen-devel] Xen on /. again, Mark Williamson |
| Next by Thread: | Re: Fw: [Xen-devel] Xen on /. again, Steven Hand |
| Indexes: | [Date] [Thread] [Top] [All Lists] |
