WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 
 
Home Products Support Community News
 
   
 

xen-devel

Re: Fw: [Xen-devel] Xen on /. again


xen-devel-admin@xxxxxxxxxxxxxxxxxxxxx wrote on 01/20/2005 07:48:58 PM:

> Mark Williamson wrote:
> >>Also, I suppose you will wish to prevent covert channels between
> >>domains, e.g. domains communicating using various timing attacks (I move
> >>the disk head to the other end of the disk if I wish to tell you
> >>something), or by allocating/freeing certains parts of memory.
> >>
> >>How much will you need to dumb down the VMs view of what is going on in
> >>the machine to achieve this (not expose real time information, not
> >>expose real page tables), and how much of a VMM will there be left when
> >>you are done?
> >
> > Well domains are not aware of each other's memory usage, so I wouldn't have
> > thought that allocation / exposing real page tables would matter.  (Except
> > dom0 can of course see everything if it wants).
>
> Information about other domains' memory usage is leaked via the
> hardware->physical mapping.

There might be a problem of object-reuse and isolation. If memory isn't cleared before
it is given to another partition, then this is an error. If disk space isn't cleared before it is
reused by another partition, then this seems serious, too.

Question:
a) Does the balloon driver clean pages before releasing it to other partitions? (I guess not)
b) Does the page-swap thas happens when a packet is received clear the pages? (I guess not)
c) If a) or b) use un-cleaned pages: did anybody try to sniff data (passwords, keys) from another
     non-cooperating partitions out of re-used pages?

> > Timing related attacks are somewhat trickier to eliminate covert
> channels in,
> > although some randomisation can limit the bandwidth.
>
> Eliminating covert channels is completely infeasible. I don't see any
> value in aiming for this. It's not a useful security property in most
> circumstances.
> --
> David Hopwood <david.nospam.hopwood@xxxxxxxxxxxxxxxx>

To eliminate ALL covert channels might not be in our interest, but to ignore all of
them seems unnatural as well.

Certainly, covert channels are a way to spend many discussions.

Reiner