WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
 
   
 

xen-users

RE: [Xen-users] Xen Security

Jonathan Tripathy wrote:

>> One is simply to subvert the communications between the guest and the
>> host - things like buffer overflows, code injection, etc
>
> You say "simply", however isn't it actually quite difficult to do the things you mentioned? Reading on the CVE lists, there doesn't seem to be any current known possible exploits?

I've no idea how hard or otherwise such things are to do, I didn't mean to imply it's simple to do, but I'd imagine it's a relatively simple attack vector to use.

OK, it's a different scale of things to SQL Injection where you've a website passing user-supplied data to a backend database (via the website scripting), but you've still got an open communications channel where the guest OS can exchange messages with the host (OS and/or Xen). Find a bug in the handling of those messages and you've an open attack vector.

Having an open communications channel is half of the battle - without it you need to crack two things, find a flaw in the system AND find a way of getting in to exploit it.

--
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
