[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] Re: What is more secure? HVM or PV ?

> Let me rephrase my question -
> What are the attack vectors for each architecture?
> For PV it's the Paravirtualization API and hypercalls, and for HVM
> it's the VMEXIT Parsing / QEMU states and hypercalls...

Well, in principle there aren't any means of attacking ;-)  Certainly, by 
design, neither *should* allow attacks on Xen or dom0 - explicit trust isn't 

> Are there other attack vectors that may be used to hack from a domU or
> HVM into dom0? can we get an obvious conclusion about which
> architechture is more secure? PV or HVM?

For PV:
The explicit hypercall API would be one possible attack vector - exploiting 
any bugs in Xen.  The memory mapping interface could also be an attack vector 
(including both the paravirtualised and various shadowing code paths).

PV also could be attacked in principle via the frontend / backend drivers - if 
the backend driver could be compromised and made to execute arbitrary code 
(or even write abitrary code to dom0's filesystem / swapfile for later 
executation) then it would be possible to take over the whole machine.

The PV components have been in place for longer and have probably received 
more scrutiny.  The HVM components are rather complex and have received, I 
think, less eyeballing.  I'd guess (and it is really a guess) that I'd have 
more confidence in PV from a security point of view, but that's definitely 
not to say that there's anything specifically *wrong* with the HVM code, just 
that it's less mature.


Dave: Just a question. What use is a unicyle with no seat?  And no pedals!
Mark: To answer a question with a question: What use is a skateboard?
Dave: Skateboards have wheels.
Mark: My wheel has a wheel!

Xen-devel mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.