WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
xen-devel

[Xen-devel] Re: Security Implications of letting customers use their own

To: George Dunlap <dunlapg@xxxxxxxxx>
Subject: [Xen-devel] Re: Security Implications of letting customers use their own kernel
From: Paolo Bonzini <pbonzini@xxxxxxxxxx>
Date: Thu, 16 Dec 2010 14:05:01 +0100
Cc: Xen-devel@xxxxxxxxxxxxxxxxxxx, James Harper <james.harper@xxxxxxxxxxxxxxxx>, Jonathan Tripathy <jonnyt@xxxxxxxxxxx>

On 12/16/2010 01:03 PM, George Dunlap wrote:
> And as James H. said, buggy DomU drivers do occasionally crash dom0:
> and if untrusted code can accidentally crash privileged code, it's
> often the case that a well-crafted exploit can use the same bug to
> gain control of the privileged code.

I wouldn't be so negative. :)

I've definitely seen crashes of the hypervisor, but all of them were assertion failures rather than, say, a null-pointer dereference. I've also seen denial-of-service bugs on the dom0 kernel which exploited bugs in the backend drivers. Maybe I'm "young" as a Xen developer (less than 2 years) but the core Xen code always seemed very robust to me.

I would hence be slightly worried about crashes and even denial of service on the management tools, but not so much about privilege escalation. (A couple of such bugs were found a few years ago by Joanna Rutkowska's team, but they are quite rare.)

That said, I wouldn't be _more_ worried if I let customers use their own kernel, since they may anyway be able to use their own kernel modules if they have root access to the VM, so there's almost nothing that they couldn't already do before.

Another kind of bug that is specific to a VM environment is where hypervisor bugs allow a malicious user in the guest to gain access to ring0 in the guest (see for example CVE-2010-0419, though this one is for KVM). These are the ones that would worry me the most.

Paolo
