WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
 
   
 

xen-devel

Re: [Xen-devel] Security Implications of letting customers use their own

To: James Harper <james.harper@xxxxxxxxxxxxxxxx>
Subject: Re: [Xen-devel] Security Implications of letting customers use their own kernel
From: George Dunlap <dunlapg@xxxxxxxxx>
Date: Thu, 16 Dec 2010 12:03:53 +0000
Cc: Xen-devel@xxxxxxxxxxxxxxxxxxx, Jonathan Tripathy <jonnyt@xxxxxxxxxxx>
On Thu, Dec 16, 2010 at 3:51 AM, James Harper
<james.harper@xxxxxxxxxxxxxxxx> wrote:
>> An area of potential concern is if someone were to build a kernel that
>> enabled "No Execute" or "Disable Execution", could that compromise other
>> DomUs? Or would that just leave their DomU vulnerable to running
>> malicious code?

I assume you mean a kernel that *disabled* No-Execute?  No -- Xen
should isolate decisions of individual VMs from each other (if the NX
bit can be disabled from a PV kernel at all -- I'm not sure about
that).

That said, developers certainly *aim* to make it the case that a DomU
cannot crash or gain access to Xen or Dom0 (or affect other security
measures, like NX, in any way).  However, as far as I'm aware, there
is no testing or auditing done to verify this.  And as James H. said,
buggy DomU drivers do occasionally crash dom0: and if untrusted code
can accidentally crash privileged code, it's often the case that a
well-crafted exploit can use the same bug to gain control of the
privileged code.

 -George
