WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
xense-devel

Re: [Xense-devel] Regarding security parameters..

To: "Praveen Kushwaha" <praveen.kushwaha@xxxxxxxxxxx>
Subject: Re: [Xense-devel] Regarding security parameters..
From: Markus Kuhn <Markus.Kuhn@xxxxxxxxxxxx>
Date: Mon, 29 Jan 2007 10:08:48 +0000
Cc: xense-devel@xxxxxxxxxxxxxxxxxxx
In-reply-to: Your message of "Thu, 18 Jan 2007 17:27:00 +0530." <0A8CFEC45B7F4C419F7543867C47442366ECEA@xxxxxxxxxxxxxxxxxxxxxx>
"Praveen Kushwaha" wrote on 2007-01-18 11:57 UTC:
> I have heard that the security scale from 1-7, the OSs like
> Linux, Windows are at security level 4.
> But the Xen is claiming for security level 5.

Security is not a scalar. You cannot compare different product
categories unless you provide a specific application and threat model:
"Is this virus scanner more secure than this bicycle lock?" is hardly a
meaningful question, but "Should I upgrade my bicycle lock rather than
my virus scanner to lower my insurance premium?" might be.

I suspect what you might refer to is that both Windows XP and at least
two Linux distributions (the SUSE and Red Hat enterprise versions) have
been formally evaluated under the ISO Common Criteria (CC) Controlled
Access Protection Profile (CAPP) at Evaluation Assurance Level 4 (EAL4)
a few years ago. Now, the EAL4 rating has nothing to do with the
security of the product, it only characterizes the depth of the common
criteria evaluation that has taken place (e.g., how carefully the
evaluators studied the source code and documentation). To find out about the
actual strength of the product that was verified during the evaluation,
and what that might mean for your particular application of the product,
you'll have to read the security target document. Examples for Windows
and Linux are

  http://www.commoncriteriaportal.org/public/files/epfiles/ST_VID4025-ST.pdf
  http://www.bsi.de/zertifiz/zert/reporte/0256b.pdf

I have not yet seen any CC security target for Xen 3.0. It would also
not be entirely clear to me how to directly compare the security of an
operating system with that of a hypervisor, given that the two provide
rather different levels of functionality. I doubt that CAPP (the
operating system protection profile under which Windows and Linux have
been evaluated) is directly applicable to the Xen hypervisor itself,
which has at present no notion of files, users, etc. (although that
might change with the XenSE project).

Hope this helped ...

Markus

-- 
Markus Kuhn, Computer Laboratory, University of Cambridge
http://www.cl.cam.ac.uk/~mgk25/ || CB3 0FD, Great Britain

