WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 		  
Home Products Support Community News
 
   
 

xen-devel

[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Xense-devel] Re: [Xen-devel] ACM ternary ops?

from [Pat Huntington] [Permanent Link][Original]
To: Reiner Sailer <sailer@xxxxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxx, xense-devel@xxxxxxxxxxxxxxxxxxx
Subject: [Xense-devel] Re: [Xen-devel] ACM ternary ops?
From: Pat Huntington <pat_huntington@xxxxxxxxx>
Date: Wed, 7 Jun 2006 10:25:47 -0700 (PDT)
Delivery-date: Wed, 07 Jun 2006 10:25:59 -0700
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=Message-ID:Received:Date:From:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding; b=W90fqpBxlAMTXYFdsoTbdBh/MGDu8bu2imRp5t3r+bHNSykFL6p6eJ2FqorUOYQs7ZDlTjFaD3AEOoq3YdSzgnNpajlvxr92KJu/NHlasoh+8rHtne75Ic7ee7OE+diI//Jf6LuMPUDyJex3VAZXzYUPrRFXjutY2cQuP81MrmI= ;
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
In-reply-to: <OFE428EA49.08F7AD2E-ON8525717E.005EA5F1-8525717E.00632F87@xxxxxxxxxx>
List-help: <mailto:xense-devel-request@lists.xensource.com?subject=help>
List-id: "A discussion list for those developing security enhancements for Xen." <xense-devel.lists.xensource.com>
List-post: <mailto:xense-devel@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xense-devel>, <mailto:xense-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xense-devel>, <mailto:xense-devel-request@lists.xensource.com?subject=unsubscribe>
Sender: xense-devel-bounces@xxxxxxxxxxxxxxxxxxx 
What if you assign a pci NIC to the VM directly, then
the VM has full control over the device without any
dom0 backend, wouldn't that bypass the ACM checks in
netback?

--- Reiner Sailer <sailer@xxxxxxxxxx> wrote:

> > ------------------------------
> > 
> > Message: 4
> > Date: Tue, 30 May 2006 08:52:48 -0400
> > From: Michael LeMay <lemaymd@xxxxxxxxxxx>
> > Subject: [Xen-devel] ACM ternary ops?
> > To: xen-devel@xxxxxxxxxxxxxxxxxxx
> > Message-ID: <447C4020.4020008@xxxxxxxxxxx>
> > Content-Type: text/plain; charset=ISO-8859-1;
> format=flowed
> > 
> > Hello all,
> > 
> > I am interested in adding support for user-defined
> mandatory network 
> > access control policies to the existing ACM policy
> framework.  The most 
> > logical way to do this would be to add more hooks
> to handle networking 
> > and then define another policy module, like
> chinese wall and type 
> > enforcement.  However, it doesn't feel right to
> add a "ternary_ops" 
> > structure that is invoked after "secondary_ops". 
> Is there any 
> > reasonable justification for not including a link
> in each ops structure 
> > that points to the next policy module in the
> chain?  Essentially, I'd 
> > like to convert the current n-pointer structure to
> the following 
> > linked-list structure:
> > 
> > acm_primary_ops -> acm_secondary_ops ->
> acm_ternary_ops -> ... -> NULL
> > 
> Hi Michael,
> 
> to be able to answer more (than I do below) to your
> point, I need to know 
> what "user-defined" policy do you aim to enforce? Is
> it a finer-grained 
> operating system policy (based on OS structures,
> such as IP address or 
> similar things etc.)?
> 
> If it is an operating system policy, then the policy
> should be 
> implemented, decided, enforced, and managed in the
> operating system (e.g., 
> IP tables, SELinux,...) and probably not in the
> hypervisor. The major 
> focus of the ACM hypervisor security module is to
> keep the hypervisor code 
> as small as possible and robust, and the hypervisor
> security guarantees 
> easy to understand. --> only integrate what needs to
> be there. Higher 
> layer security can and should be handled in the
> higher layers (OS, 
> Middleware, Apps.).
> 
> Regarding hypervisor ACM network enforcement: We are
> currently integrating 
> network packet policy enforcement into the Dom0
> netback interface to 
> control local network traffic (enforcing the simple
> type-enforcement 
> policy based on acm labels of sending/receiving
> domain). In this case, we 
> don't need new policies but integrate the existing
> acm_getdecision 
> hypervisor call into the netback code to decide if a
> packet is passed or 
> discarded between virtual network interfaces. This
> solutions appears to be 
> a good fit for local traffic because the virtual
> network resource is part 
> of the hypervisor environment and because the
> network policy is based on 
> hypervisor structures: domains (not IP...). Other
> enforcement is be needed 
> to guard external packets and such controls (at
> least our prototypes) use 
> OS-level security, such as SELinux.
> 
> >Is there any 
> > reasonable justification for not including a link
> in each ops structure 
> > that points to the next policy module in the
> chain? 
> 
> Every policy layer operating on the same hooks might
> keep internal state 
> information, which must be rolled back if an access
> is denied by a policy 
> component called "later" for the same hook. The
> chinese wall and the 
> simple type enforcement policy components were
> chosen to build a 
> hypervisor policy because they complete each other
> (one controls which 
> domains can start on a system, the other controls
> how started domains can 
> share information/communicate) and because they
> offer a good abstraction 
> (workload = Doms + resources) based on which
> security guarantees are 
> understood.
> 
> Running more than two policy components at the same
> time would require to 
> show that you really need all these policies active
> at the same time. 
> Otherwise, it seems more appropriate to define a new
> hypervisor policy 
> that can be configured instead of the existing ones
> (assuming this new 
> policy belongs into the hypervisor layer).
> 
> Greetings
> Reiner>
_______________________________________________
> Xen-devel mailing list
> Xen-devel@xxxxxxxxxxxxxxxxxxx
> http://lists.xensource.com/xen-devel
> 


__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 

_______________________________________________
Xense-devel mailing list
Xense-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xense-devel
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
  • [Xense-devel] Re: [Xen-devel] ACM ternary ops?, Pat Huntington <=
Previous by Date:  [Xen-devel] Testing status of fully virtualized guests (Intel VT) on 64bit XEN unstable, Ed Smith
Next by Date:  Re: [Xen-devel] access shared_info?, Gerd Hoffmann
Previous by Thread:  [Xen-devel] VTx enabled + xen 3.0 stable IO performance..., M S, Rajanish
Next by Thread:  [Xen-devel] [PATCH] USB support, Donald D. Dugger
Indexes:  [Date] [Thread] [Top] [All Lists]
 
   

Copyright , Citrix Systems Inc. All rights reserved. Legal and Privacy