This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
Home Products Support Community News


Re: [Xen-users] Newbie query - Xen and security

To: Andy Elvey <andy.elvey@xxxxxxxxxxxxxxx>
Subject: Re: [Xen-users] Newbie query - Xen and security
From: Anthony Liguori <aliguori@xxxxxxxxxx>
Date: Sun, 26 Jun 2005 22:21:13 -0500
Cc: xen-users@xxxxxxxxxxxxxxxxxxx
Delivery-date: Mon, 27 Jun 2005 03:20:25 +0000
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <42BF369E.9090601@xxxxxxxxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <42BF369E.9090601@xxxxxxxxxxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Mozilla Thunderbird 1.0.2 (X11/20050317)
Andy Elvey wrote:

I have a query re Xen and security. If I'm using the 'net (browsing, email) while I'm running a Xen-enabled kernel, does that make it more difficult for the bad guys out there to pop a rootkit or virus onto my PC? I tend to envision Xen as making everything "virtual", so that if they did try to rootkit my PC, they couldn't actually _install_ it onto my system, (as I'm running a "virtual environment" ). So, if I understand correctly, any "damage" that they try to do is *totally* limited to the session I'm running, and when I next fire up my PC, all will be well.

Practically speaking, Xen doesn't really do what you describe. Xen is not a silver bullet when it comes to security. It's all about how you use it. For the scenario you describe, your as safe in Xen as you would be in Linux (it all depends on what you run as root in Linux and what you run in dom0 in Xen).

What Xen allows you to do, from a security perspective, that something like Linux doesn't really is to run two virtual machines and have them be isolated from themselves. Even if you used multiple users in Linux, you're sharing a considerable amount of resources between the two users which makes total isolation difficult. Isolation in Xen is much easier because there's almost no shared resources.

When it comes from protecting you from external attackers, Xen is no different than Linux. An admitted simplification but I think you get the idea.


Anthony Liguori

Is my description pretty much accurate? Very many thanks in advance for your replies!
Bye for now -
-  Andy

Xen-users mailing list

Xen-users mailing list

<Prev in Thread] Current Thread [Next in Thread>