WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 
 
Home Products Support Community News
 
   
 

xen-devel

Re: Fw: [Xen-devel] Xen on /. again

To: Jacob Gorm Hansen <jacobg@xxxxxxx>
Subject: Re: Fw: [Xen-devel] Xen on /. again
From: Trent Jaeger <jaegert@xxxxxxxxxx>
Date: Thu, 20 Jan 2005 19:19:21 -0500
Cc: Xen-devel@xxxxxxxxxxxxxxxxxxxxx
Delivery-date: Fri, 21 Jan 2005 01:53:23 +0000
Envelope-to: xen+James.Bulpin@xxxxxxxxxxxx
In-reply-to: <41F02C8B.5010304@xxxxxxx>
List-archive: <http://sourceforge.net/mailarchive/forum.php?forum=xen-devel>
List-help: <mailto:xen-devel-request@lists.sourceforge.net?subject=help>
List-id: List for Xen developers <xen-devel.lists.sourceforge.net>
List-post: <mailto:xen-devel@lists.sourceforge.net>
List-subscribe: <https://lists.sourceforge.net/lists/listinfo/xen-devel>, <mailto:xen-devel-request@lists.sourceforge.net?subject=subscribe>
List-unsubscribe: <https://lists.sourceforge.net/lists/listinfo/xen-devel>, <mailto:xen-devel-request@lists.sourceforge.net?subject=unsubscribe>
Sender: xen-devel-admin@xxxxxxxxxxxxxxxxxxxxx

> Is there any reason to allow communication between VMs, other than
driver access?


In general, I agree with Mark's reply to this.  We may want to implement a faster mechanism for communication between 2 VMs where security requirements allow.  However, this implies that we have a precise understanding of how the mechanisms impact security requirements.

> Also, I suppose you will wish to prevent covert channels between

Preventing covert channels is not a focus of our initial work.  

Our focus initially is on providing basic mandatory access control mechanisms where MAC policies may aim for confinement of errors (e.g., type enforcement policy), protect VM integrity (e.g., via Biba or Clark-Wilson), and/or prevent leakage (e.g., MLS).  We have done work on policies of all these types for Linux.

For MLS, I expect that we will work to identify covert storage channels (these are generally straightforward) and identify possible solutions, so that these can be closed.  

However, some mechanisms may be useful in some cases, but not meet security requirements in others.  I am more familiar with the I/O descriptor ring mechanism than how the real page tables are exposed, so I'll use this as an example.  

The I/O descriptor rings provide high performance communication, but cannot be used to implement a low secrecy to high secrecy communication.  Of course, the low secrecy VM can see how the high secrecy component removes data from the ring, so this is a covert (storage) channel.  Thus, another mechanism will have to be used. This could be setup above Xen (d0?), but the choice must meet the VMs security requirements.

Timing channels are much more difficult to find/solve and much more expensive to solve, so I don't expect much work on them for a while.  Some general techniques are known (e.g., fuzzy time), but these are expensive, so it is not clear when/if there will be a demand.  

> How much will you need to dumb down the VMs view of what is going on in

Too early to say, but hopefully we only need to dumb down VMs where requirements dictate.

Regards,
Trent.
------------------------------------------------------------
Trent Jaeger
IBM T.J. Watson Research Center
19 Skyline Drive, Hawthorne, NY 10532
(914) 784-7225, FAX (914) 784-7225



Jacob Gorm Hansen <jacobg@xxxxxxx>

01/20/2005 05:11 PM

       
        To:        Trent Jaeger/Watson/IBM@IBMUS
        cc:        Xen-devel@xxxxxxxxxxxxxxxxxxxxx
        Subject:        Re: Fw: [Xen-devel] Xen on /. again



Trent Jaeger wrote:

> - isolation boundaries cost more than you might think, but computers are
> a lot faster now (10X+)
> - we need mandatory access control interface like LSM to have flexible
> control of resources (rather than dump resources to a control partition)
> - authorize access at bind time rather than at use time (no critical
> path impact)

Is there any reason to allow communication between VMs, other than
driver access? It seems to me you can just use network communication
(potentially signed or encrypted) when you need to communicate, and that
anything else would violate the fundamental 'virtual machine' abstraction?

Also, I suppose you will wish to prevent covert channels between
domains, e.g. domains communicating using various timing attacks (I move
the disk head to the other end of the disk if I wish to tell you
something), or by allocating/freeing certains parts of memory.

How much will you need to dumb down the VMs view of what is going on in
the machine to achieve this (not expose real time information, not
expose real page tables), and how much of a VMM will there be left when
you are done?

best regards,
Jacob