WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 		  
Home Products Support Community News
 
   
 

xen-devel

[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Xen-devel] [PATCH][ACM] kernel enforcement of vbd policies via blkb

from [Keir Fraser] [Permanent Link][Original]
To: "Mike D. Day" <ncmike@xxxxxxxxxx>
Subject: Re: [Xen-devel] [PATCH][ACM] kernel enforcement of vbd policies via blkback driver
From: Keir Fraser <Keir.Fraser@xxxxxxxxxxxx>
Date: Wed, 26 Jul 2006 19:07:01 +0100
Cc: xen-devel@xxxxxxxxxxxxxxxxxxx, Bryan D Payne <bdpayne@xxxxxxxxxx>, Reiner Sailer <sailer@xxxxxxxxxx>
Delivery-date: Wed, 26 Jul 2006 11:15:05 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
In-reply-to: <44C7AA5A.3070700@xxxxxxxxxx>
List-help: <mailto:xen-devel-request@lists.xensource.com?subject=help>
List-id: Xen developer discussion <xen-devel.lists.xensource.com>
List-post: <mailto:xen-devel@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe>
References: <OFBCD03923.2A3751C2-ON852571B6.0000084B-852571B6.0001F1C1@xxxxxxxxxx> <2cc990ff2952dde0f8d12469f9417168@xxxxxxxxxxxx> <44C76D5E.2040606@xxxxxxxxxx> <d11c610112f6dc4ee355f7090e4615df@xxxxxxxxxxxx> <44C7AA5A.3070700@xxxxxxxxxx>
Sender: xen-devel-bounces@xxxxxxxxxxxxxxxxxxx 

On 26 Jul 2006, at 18:46, Mike D. Day wrote:
If an attacker has access to the control plane (essentially anything with root privileges in domain0) what is to stop him from creating his own domain, with security credentials allowing it to communicate with domains A and B, and with its own proxy comms driver for circumventing any Xen checks that are intended to prevent communication between A and B?
It's all about defense in depth. It shouldn't be possible for a privilege escalation on dom0 to automatically compromise all the running domains. There should be hypervisor-level access control that authorizes changes to the access policy of a running domU. With the ability to store domain configuration remotely (coming in xend) we can then prevent a privilege escalation and a restart from compromising user domains.
Not sure I understand your answer, but if you have root on domain0 there's nothing to stop you circumventing xend entirely. The problem here is that dom0 is in the TCB: solutions might be either to lock down domain0 (very restricted remote access) to reduce risk of privilege escalation, or move the core control logic elsewhere (a mini-domain of some sort) and reduce the privileges of domain0 (the biggest part of the TCB). In the current situation with dom0: you show me a 'hack proof' set of access-control checks and I'm sure I can describe a workaround for a privileged attacker in dom0. For example, dom0 can map any other domain's memory, so it's trivial for an attacker to steal secrets. 

 -- Keir


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Xen-devel] [PATCH] map p2m entry only needs gpfn and gmfn as input parameters., Li, Xin B
Next by Date:  Re: [Xen-devel] [PATCH][ACM] kernel enforcement of vbd policies via blkback driver, Mike D. Day
Previous by Thread:  Re: [Xen-devel] [PATCH][ACM] kernel enforcement of vbd policies via blkback driver, Mike D. Day
Next by Thread:  Re: [Xen-devel] [PATCH][ACM] kernel enforcement of vbd policies via blkback driver, Mike D. Day
Indexes:  [Date] [Thread] [Top] [All Lists]
 
   

Copyright , Citrix Systems Inc. All rights reserved. Legal and Privacy