Re: [Xen-users] Re: malicious paravirtualized guests: security and isola
On Tue, Nov 11, 2008 at 5:52 PM, Todd Deshane <deshantm@xxxxxxxxx>
On Tue, Nov 11, 2008 at 9:35 AM, Vasiliy Baranov
>> I have a question about isolation and security guarantees Xen provides, if any, in cases when domU >> guests are not completely trusted, that is, can be malicious. Right now I am specifically interested in >> the scenario where all guests are paravirtualized, but HVM case is of some interest too.
>> Say, I want to let my users run their own guests on a Xen host that I own. Users will bring their own >> disk images. I don't completely trust my users. Does the use of Xen guarantees that malicious
>> guests will be unable to harm other guests or the entire host in any way (for example, kill the entire >> host)? It is interesting to know both what is guaranteed in theory (that is, if Xen and dom0 work as >> designed) and how things go in practice.
>> If I disallow users to use their kernels, that is, if I run guests with my own kernel(s) only, will that
>> improve the situation? How about loadable kernel modules? If I allow Linux guests to load their
>> custom kernel modules, will that nullify the effect of using trusted kernels?
>> I currently use Xen 3.1.4, if that matters.
> Am I asking stupid questions or is this area a complete mystery? AnyI think it is a good question. Have you spent any time searching through the
> pointers to existing sources of information are greatly appreciated. I spent
> several days searching Xen documentation and googling but could not find
> anything definitive.
xen mailing lists, in particular xen-devel might have some information. A good
way to search is using xen.markmail.org.
First of all, thank you for replying, Yes, I searched these lists. I'll try once more.
The xen developers (xen-devel) might also have some more insight for you.
OK, I'll try.
There are probably some users out there in your situation, but the conventional
wisdom is that isolation and the security of it is very similar to
that of computers
on a network.
Is a side note, perhaps I was not clear but the question is not about network security. It is about the safety of the domU <-> hypervisor interface and the safety of running guests on the same hardware as the hypervisor, from the point of view of protection from untrusted guests.
White hat hackers have been able to find various tricky ways to break out of
the isolation that xen provides, but I haven't heard of any exploits that have
been taken advantage of in practice.
Hope that helps.
Xen-users mailing list