This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
xen-users

Re: [Xen-users] Running workstation and firewall on the same hardware

To: Michal Ludvig <michal@xxxxxxxx>
Subject: Re: [Xen-users] Running workstation and firewall on the same hardware
From: Mark Williamson <mark.williamson@xxxxxxxxxxxx>
Date: Tue, 9 Aug 2005 18:02:50 +0100
Cc: xen-users@xxxxxxxxxxxxxxxxxxx
Delivery-date: Tue, 09 Aug 2005 17:01:19 +0000
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <42F7DEC3.9030201@xxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <d3e62a6b0508071107440f8e71@xxxxxxxxxxxxxx> <200508081737.36596.mark.williamson@xxxxxxxxxxxx> <42F7DEC3.9030201@xxxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: KMail/1.7.1
> > the case of the firewall domain being compromised, however, a
> > "sufficiently clever" attacker can probably abuse the DMA engine of the
> > network card to "break out" of the domU.
>
> This is interesting. How robust is the isolation between domains and
> what are the possible risks?

If you don't give a domain any real devices, there should (modulo 
obscure bugs) be no way to break out.  The problem is that modern DMA-capable 
devices can access any memory in the system, so as soon as you give a domain 
access to a PCI card, you're basically trusting it not to fool about with 
your memory.

This is a limitation of modern hardware - future chipsets will likely have 
better controls for restricting DMA.  Also, Harry's USB virtualisation code 
won't have this limitation when it's checked in (because it's easier to 
restrict DMA for USB devices).

> From what you wrote it seems that allowing 
> domU access to the hardware is more risky than passing all packets to
> domU through dom0.

Depends...  I guess if you trust that nothing can compromise the path in dom0 
from eth0 to the domU's virtual ethernet then this is actually the case.  As 
Goetz pointed out, though, it'd require a reasonably sophisticated attacker 
to break out of a domain using DMA.

Bear in mind that if you're not running any services in the firewall domU, the 
only way it could get compromised is by a network-stack attack.  It still 
fulfills the goal of protecting your bloatware (your words!) from the 
internet...

> Say that I've got two domUs - one in DMZ and one in the Intranet,
> DMZ-domU has a dedicated NIC, intra-domU uses vif provided by dom0. What
> are the risks of breaking out of DMZ to the Intranet?

If a domain has a DMA-capable card, a sophisticated attacker can theoretically 
own the whole machine - there is no sensible way to control DMAs on current 
hardware.  I should point out nobody has ever done this, but it is possible.

HTH,
Mark
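The "better controls for restricting DMA" Mark anticipates are what later chipsets shipped as an IOMMU (Intel VT-d, AMD-Vi). Before handing a PCI device to a guest, the practical check is whether DMA remapping is actually active and whether the device sits alone in its isolation group. The script below is an added example, not code from this thread or from the Xen project: it reads the `/sys/kernel/iommu_groups` tree that a Linux kernel exposes when it drives the IOMMU itself, and classifies a device the way Mark's reasoning does (no IOMMU means the card can reach all host memory). The function names, the `build_fake_sysfs` helper and the PCI addresses in the demo are constructed for the example; under Xen the hypervisor rather than dom0's kernel owns the IOMMU, so there the equivalent information comes from Xen's own tools, which this script does not query.

```python
"""Classify the DMA risk of assigning a PCI device to a guest.

Assumption: a Linux host whose kernel drives the IOMMU and therefore
populates /sys/kernel/iommu_groups/<id>/devices/<bdf>. When no IOMMU is
active the kernel creates no groups at all, which is the situation the
mailing-list thread describes: the device can DMA anywhere in memory.
"""
import tempfile
from pathlib import Path


def iommu_groups(sysfs_root="/sys"):
    """Return {group_id: [pci_bdf, ...]} read from <sysfs_root>/kernel/iommu_groups.

    An empty dict means no IOMMU groups exist, i.e. no DMA remapping.
    """
    root = Path(sysfs_root) / "kernel" / "iommu_groups"
    groups = {}
    if not root.is_dir():
        return groups
    # Group directories are named by integer id; sort numerically for stable output.
    for group_dir in sorted(root.iterdir(), key=lambda p: int(p.name)):
        devices_dir = group_dir / "devices"
        members = sorted(d.name for d in devices_dir.iterdir()) if devices_dir.is_dir() else []
        groups[int(group_dir.name)] = members
    return groups


def passthrough_risk(device, groups):
    """Classify assigning `device` (a PCI address such as 0000:01:00.0).

    'no-iommu'      : no remapping; the device can reach all host memory.
    'shared-group'  : remapping exists, but the device shares its group, so every
                      member of that group is effectively exposed to the guest.
    'isolated'      : the device is alone in its group (the safe case).
    'unknown-device': the address is not in any group.
    """
    if not groups:
        return "no-iommu"
    for members in groups.values():
        if device in members:
            return "isolated" if len(members) == 1 else "shared-group"
    return "unknown-device"


def build_fake_sysfs(layout):
    """Construct a sysfs-like tree under a temp dir for offline demonstration.

    layout: {group_id: [bdf, ...]}; an empty layout models a host without an IOMMU.
    """
    root = tempfile.mkdtemp(prefix="fake-sysfs-")
    for gid, devices in layout.items():
        devices_dir = Path(root) / "kernel" / "iommu_groups" / str(gid) / "devices"
        devices_dir.mkdir(parents=True)
        for bdf in devices:
            (devices_dir / bdf).mkdir()
    return root


if __name__ == "__main__":
    # Constructed sample: group 0 holds a lone device, group 1 holds a two-function card.
    demo_root = build_fake_sysfs({0: ["0000:00:1f.0"], 1: ["0000:01:00.0", "0000:01:00.1"]})
    demo_groups = iommu_groups(demo_root)
    for bdf in ("0000:00:1f.0", "0000:01:00.0"):
        print(bdf, passthrough_risk(bdf, demo_groups))
    # Same query against a host with no IOMMU groups at all.
    print("0000:01:00.0", passthrough_risk("0000:01:00.0", iommu_groups(build_fake_sysfs({}))))
```

On a real host, call `passthrough_risk(bdf, iommu_groups())` with the default root; the `build_fake_sysfs` helper exists only so the logic can be exercised without an IOMMU-equipped machine.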

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users