This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
Home Products Support Community News


RE: [Xen-devel] Re: Xen Security meeting summary

To: "Cihula, Joseph" <joseph.cihula@xxxxxxxxx>, <xen-devel@xxxxxxxxxxxxxxxxxxxxx>
Subject: RE: [Xen-devel] Re: Xen Security meeting summary
From: "Ian Pratt" <m+Ian.Pratt@xxxxxxxxxxxx>
Date: Wed, 2 Mar 2005 18:12:37 -0000
Cc: "David Lie" <lie@xxxxxxxxxxxxxxxx>, <ian.pratt@xxxxxxxxxxxx>
Delivery-date: Wed, 02 Mar 2005 18:13:21 +0000
Envelope-to: xen+James.Bulpin@xxxxxxxxxxxx
List-archive: <http://sourceforge.net/mailarchive/forum.php?forum=xen-devel>
List-help: <mailto:xen-devel-request@lists.sourceforge.net?subject=help>
List-id: List for Xen developers <xen-devel.lists.sourceforge.net>
List-post: <mailto:xen-devel@lists.sourceforge.net>
List-subscribe: <https://lists.sourceforge.net/lists/listinfo/xen-devel>, <mailto:xen-devel-request@lists.sourceforge.net?subject=subscribe>
List-unsubscribe: <https://lists.sourceforge.net/lists/listinfo/xen-devel>, <mailto:xen-devel-request@lists.sourceforge.net?subject=unsubscribe>
Sender: xen-devel-admin@xxxxxxxxxxxxxxxxxxxxx
Thread-index: AcUeqG1B7MpUBaBiTpytoO0lsbtp9wABe4OQACjwt7A=
Thread-topic: [Xen-devel] Re: Xen Security meeting summary
> > How does letting an attacker know the physical to machine mappings
> > benefit an attacker?  I assume the attacker still would not have
> > read/write access to pages that do not belong to the compromised
> > domain.  Is there a concrete attack that people are aware of, or is
> > this just a precautionary measure? 
> The concern here was that we not give an attacker any more information
> than necessary for the proper functioning of the system.
> As you correctly noted, each domain's pages are protected 
> from access by
> other domains (modulo a small number of shared pages).  
> However, should
> there be a bug in this protection that did allow some unauthorized
> cross-domain access, knowing the physical pages used by other domains
> would increase the capabilities of an attacker (over random page
> scribbling).

It's hard to see how knowing pfns would help an attacker. If a guest
randomizied its free list at start of day would it would confuse any
attempt to track down particular user space pages. Doing the same for
kernel pages is harder but certainly possible if anyone cared. 

> And though it wasn't the motivation for the concern, removing such
> global visibility also has the benefit of limiting one type of covert
> channel.
> So the thinking was that if we could remove these other 
> domain mappings
> without significant changes or disruptions then it is beneficial to do
> so.

The trouble is, it's not. We experimeted with having each guest maintain
its own private machine_to_phys table using AVL trees, but there was a
measurable performance hit.  Of course, its possible to run Xen in
shadow page table mode rather than use the normal paravirtualized
direct-mode pagetables. This avoids the p2m table in the guest
altogether, but you have to take the (not insignificant) time and space
hit associated with shadow pagetables. 

We decided that the shared m2p table was a good soloution, but it is a
potential covert channel. However, in a system with multiple domains
using the same memory hierarchy you've got some *huge* bandwidth covert
channels anyhow...


SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
Xen-devel mailing list

<Prev in Thread] Current Thread [Next in Thread>