Re: Fw: [Xen-devel] Xen on /. again

[Trent Jaeger <jaegert@xxxxxxxxxx>]

> Is there
any reason to allow communication between VMs, other than
driver access? 

In general, I agree with Mark's reply
to this.  We may want to implement a faster mechanism for communication
between 2 VMs where security requirements allow.  However, this implies
that we have a precise understanding of how the mechanisms impact security
requirements.

> Also, I
suppose you will wish to prevent covert channels between

Preventing covert channels is not a
focus of our initial work.  

Our focus initially is on providing
basic mandatory access control mechanisms where MAC policies may aim for
confinement of errors (e.g., type enforcement policy), protect VM integrity
(e.g., via Biba or Clark-Wilson), and/or prevent leakage (e.g., MLS).  We
have done work on policies of all these types for Linux.

For MLS, I expect that we will work
to identify covert storage channels (these are generally straightforward)
and identify possible solutions, so that these can be closed.  

However, some mechanisms may be useful
in some cases, but not meet security requirements in others.  I am
more familiar with the I/O descriptor ring mechanism than how the real
page tables are exposed, so I'll use this as an example.  

The I/O descriptor rings provide high
performance communication, but cannot be used to implement a low secrecy
to high secrecy communication.  Of course, the low secrecy VM can
see how the high secrecy component removes data from the ring, so this
is a covert (storage) channel.  Thus, another mechanism will have
to be used. This could be setup above Xen (d0?), but the choice must meet
the VMs security requirements.

Timing channels are much more difficult
to find/solve and much more expensive to solve, so I don't expect much
work on them for a while.  Some general techniques are known (e.g.,
fuzzy time), but these are expensive, so it is not clear when/if there
will be a demand.  

> How much
will you need to dumb down the VMs view of what is going on in

Too early to say, but hopefully we only
need to dumb down VMs where requirements dictate.

Regards,
Trent.
------------------------------------------------------------
Trent Jaeger
IBM T.J. Watson Research Center
19 Skyline Drive, Hawthorne, NY 10532
(914) 784-7225, FAX (914) 784-7225

Jacob Gorm Hansen <jacobg@xxxxxxx> 01/20/2005 05:11 PM

To:        Trent Jaeger/Watson/IBM@IBMUS         cc:        Xen-devel@xxxxxxxxxxxxxxxxxxxxx         Subject:        Re: Fw: [Xen-devel] Xen on /. again

Trent Jaeger wrote:

> - isolation boundaries cost more than you might
think, but computers are
> a lot faster now (10X+)
> - we need mandatory access control interface like LSM to have flexible
> control of resources (rather than dump resources to a control partition)
> - authorize access at bind time rather than at use time (no critical
> path impact)

Is there any reason to allow communication between
VMs, other than
driver access? It seems to me you can just use network communication
(potentially signed or encrypted) when you need to communicate, and that
anything else would violate the fundamental 'virtual machine' abstraction?

Also, I suppose you will wish to prevent covert channels
between
domains, e.g. domains communicating using various timing attacks (I move
the disk head to the other end of the disk if I wish to tell you
something), or by allocating/freeing certains parts of memory.

How much will you need to dumb down the VMs view of
what is going on in
the machine to achieve this (not expose real time information, not
expose real page tables), and how much of a VMM will there be left when
you are done?

best regards,
Jacob