This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
Home Products Support Community News


RE: [Xen-devel] Re: Xen Security meeting summary

To: <xen-devel@xxxxxxxxxxxxxxxxxxxxx>
Subject: RE: [Xen-devel] Re: Xen Security meeting summary
From: "Cihula, Joseph" <joseph.cihula@xxxxxxxxx>
Date: Tue, 1 Mar 2005 14:42:39 -0800
Cc: "David Lie" <lie@xxxxxxxxxxxxxxxx>
Delivery-date: Wed, 02 Mar 2005 14:08:04 +0000
Envelope-to: xen+James.Bulpin@xxxxxxxxxxxx
List-archive: <http://sourceforge.net/mailarchive/forum.php?forum=xen-devel>
List-help: <mailto:xen-devel-request@lists.sourceforge.net?subject=help>
List-id: List for Xen developers <xen-devel.lists.sourceforge.net>
List-post: <mailto:xen-devel@lists.sourceforge.net>
List-subscribe: <https://lists.sourceforge.net/lists/listinfo/xen-devel>, <mailto:xen-devel-request@lists.sourceforge.net?subject=subscribe>
List-unsubscribe: <https://lists.sourceforge.net/lists/listinfo/xen-devel>, <mailto:xen-devel-request@lists.sourceforge.net?subject=unsubscribe>
Sender: xen-devel-admin@xxxxxxxxxxxxxxxxxxxxx
Thread-index: AcUeqG1B7MpUBaBiTpytoO0lsbtp9wABe4OQ
Thread-topic: [Xen-devel] Re: Xen Security meeting summary
David Lie wrote:
> This was an interesting discussion.  I must be missing something
> though: 
> - page mapping visibility: several people said that they felt
> uncomfortable with the global visibility of mappings from machine to
> physical address in a guest as this provides a lot of information to
> an attacker. 
> How does letting an attacker know the physical to machine mappings
> benefit an attacker?  I assume the attacker still would not have
> read/write access to pages that do not belong to the compromised
> domain.  Is there a concrete attack that people are aware of, or is
> this just a precautionary measure? 
> Thanks,
> David Lie

The concern here was that we not give an attacker any more information
than necessary for the proper functioning of the system.

As you correctly noted, each domain's pages are protected from access by
other domains (modulo a small number of shared pages).  However, should
there be a bug in this protection that did allow some unauthorized
cross-domain access, knowing the physical pages used by other domains
would increase the capabilities of an attacker (over random page

And though it wasn't the motivation for the concern, removing such
global visibility also has the benefit of limiting one type of covert

So the thinking was that if we could remove these other domain mappings
without significant changes or disruptions then it is beneficial to do

Joseph Cihula
(Linux) Software Security Architect
Intel Corp.

*** These opinions are not necessarily those of my employer ***

SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
Xen-devel mailing list

<Prev in Thread] Current Thread [Next in Thread>