 Home |
Products |
Support |
Community |
News |
xen-devel
Re: [Xen-devel] sHype Hypervisor Security Architecture for Xen
| To: | xen-devel@xxxxxxxxxxxxxxxxxxxxx |
|---|---|
| Subject: | Re: [Xen-devel] sHype Hypervisor Security Architecture for Xen |
| From: | Reiner Sailer <sailer@xxxxxxxxxx> |
| Date: | Fri, 21 Jan 2005 09:13:15 -0500 |
| Delivery-date: | Fri, 21 Jan 2005 14:16:27 +0000 |
| Envelope-to: | xen+James.Bulpin@xxxxxxxxxxxx |
| List-archive: | <http://sourceforge.net/mailarchive/forum.php?forum=xen-devel> |
| List-help: | <mailto:xen-devel-request@lists.sourceforge.net?subject=help> |
| List-id: | List for Xen developers <xen-devel.lists.sourceforge.net> |
| List-post: | <mailto:xen-devel@lists.sourceforge.net> |
| List-subscribe: | <https://lists.sourceforge.net/lists/listinfo/xen-devel>, <mailto:xen-devel-request@lists.sourceforge.net?subject=subscribe> |
| List-unsubscribe: | <https://lists.sourceforge.net/lists/listinfo/xen-devel>, <mailto:xen-devel-request@lists.sourceforge.net?subject=unsubscribe> |
| Reply-to: | |
| Sender: | xen-devel-admin@xxxxxxxxxxxxxxxxxxxxx |
| Sensitivity: |
|
xen-devel-admin@xxxxxxxxxxxxxxxxxxxxx wrote on 01/20/2005 08:32:58 PM: > Mark Williamson wrote: > >>Information about other domains' memory usage is leaked via the > >>hardware->physical mapping. > > > > OK, I was forgetting about the domain memory reservation hypercalls. It's > > probably reasonable just to throw away ballooning functionality where this > > might be a problem. > > > > The main problem (as I see it) is going to be the network interface, whose > > performance depends on page-flipping. You can eliminate the > security problem > > without hiding machine address if you copy incoming packets but > that's going > > to hurt performance :-( > > > >>>Timing related attacks are somewhat trickier to eliminate covert channels > >>>in, although some randomisation can limit the bandwidth. > >> > >>Eliminating covert channels is completely infeasible. I don't see any > >>value in aiming for this. It's not a useful security property in most > >>circumstances. > > > > I agree it's not useful in the majority of circumstances. If it's > required it > > can be implemented at a later date but the returns for the amount of time > > invested are likely to be smaller. > > It almost certainly can't be implemented at a later date. Even attempting > to do so (without really succeeding) would require significant incompatible > changes to the hypervisor interface. > > The idea of limiting covert channels should have been abandoned when it > became clear that it isn't feasible without severely constraining the > efficiency and functionality of an operating system. Unfortunately it is > too interesting a problem, so a lot of effort has been essentially wasted > in research into this area, without ever coming up with any way to limit > the bandwidth to a useful extent. Attackers only need a very small > bandwidth to transmit many of the things that are most useful from their > point of view (cryptographic keys, passwords, compressed answers from a > program that can look at any amount of data), so claims about limiting the > bandwidth really just give a false sense of security. > > -- > David Hopwood <david.nospam.hopwood@xxxxxxxxxxxxxxxx> > > Hello, it is quite understandable that many people are sceptical regarding covert channels. But as Trent mentioned, we are not currently aiming to address covert channels. They are difficult to detect, difficult to assess, and sometimes very difficult to close. Worst of all, no matter how hard you work, you're never done (at least you never know). Of course, all security-relevant properties of a system, including covert channels, are relevant to the context of the security architecture. But as others have said in this discussion, there are more important points to discuss about the security model for Xen. What we have implemented is a security architecture that integrates a reference monitor into a core hypervisor. The expected usage is to create "associated sets" of partitions, where partitions inside the same set can efficiently cooperate by using the existing inter-partition communication mechanisms. At the same time, partitions not inside the same set -- i.e., each having different security requirements -- shall be strongly isolated from each other by the hypervisor. Accordingly, the flow of information between partitions belonging to different "security domains" must be explicitly mediated to prevent leakage of information (this is an important issue from a secrecy viewpoint) or to prevent spreading of malicious code (this is an important issue from any viewpoint because integrity is a basis for secrecy as well). We are targeting the hypervisor to enforce the security policy because the extensive DOM0 seems too large to validate. In summary, we are interested in minimizing covert channels only as a consequence of the overall security architecture. Our major interest for now is to describe our baseline security architecture and then work out the details and configurations that seem reasonable to the Xen community. Kindest regards Reiner __________________________________________________________ Reiner Sailer, Research Staff Member, Secure Systems Department IBM T J Watson Research Ctr, 19 Skyline Drive, Hawthorne NY 10532 Phone: 914 784 6280 (t/l 863) Fax: 914 784 6205, sailer@xxxxxxxxxx http://www.research.ibm.com/people/s/sailer/ |
| <Prev in Thread] | Current Thread | [Next in Thread> |
|---|---|---|
| ||
| Previous by Date: | Re: [Xen-devel] Bridging firewall?, Felipe Alfaro Solana |
|---|---|
| Next by Date: | [Xen-devel] Re: Xen Security, Nuutti Kotivuori |
| Previous by Thread: | [Xen-devel] Re: sHype Hypervisor Security Architecture for Xen, Ronald Perez |
| Next by Thread: | [Xen-devel] [PATCH] Xen bk snapshot: netfront.c should use module_init(), Rusty Russell |
| Indexes: | [Date] [Thread] [Top] [All Lists] |
