This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/


Re: [Xen-users] Re: malicious paravirtualized guests: security and isolation

To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Xen-users] Re: malicious paravirtualized guests: security and isolation
From: "Vasiliy Baranov" <vasiliy.baranov@xxxxxxxxx>
Date: Tue, 11 Nov 2008 20:16:54 +0300
Delivery-date: Tue, 11 Nov 2008 09:17:37 -0800
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:to :subject:in-reply-to:mime-version:content-type:references; bh=ZO598ITv6wqp4Vs0D6FCPTVqERnkf2cZCG+vkIgkNQ4=; b=HdnPtWR0ZryLl8hQT2bPjFrQNlLsZ5Y8vL8/FZldK9nlIoU4nX+HhXN7EpMkj8bdJY 5SlUrMgDO2o1sFqgYH3tRIqKeX1Qi+lbktBHWPg3qtbQRBp8EKVJulwCCNX9DKMuvTOx Gl//GdLUXrWYVVlbgx3M29JEap5N+39aA3Lbc=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:to:subject:in-reply-to:mime-version :content-type:references; b=txcjkbh0p6fS+TiD0J6GgG31kAb1ccSlnOyIhYpHGi9nsStdw8BMmXRgbTty/D3c3d /YQG3LIu86Pm2QgaZkPQM8a4qmEPZWALbEEojmTF0DPsu8M/KrXpzPvcRi4l1RgeNwy3 dWNhqjKnpLxXN1hlog4qaYynleTSdoPaVzhXs=
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <1489433046.181071226415900892.JavaMail.root@xxxxxxxxxxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <e4a2b0250811110635sfd631f8j34bde29d442a436c@xxxxxxxxxxxxxx> <1489433046.181071226415900892.JavaMail.root@xxxxxxxxxxxxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx

On Tue, Nov 11, 2008 at 6:05 PM, George Lenzer <george.lenzer@xxxxxxx> wrote:

> No, it's not a stupid question, I think it's just that at this point not many Xen users are thinking about this aspect of paravirtualization/hypervisor.  Personally, I think hypervisor is a much higher risk than paravirtualization because of the possibility of malicious code making it into a Xen hypervisor (provided by a third party).  Given that Domain0 is sitting atop the Xen hypervisor purely for management purposes, I believe (but cannot say with any authority) that there is a possibility that there are things it can't see happening at the hypervisor level.  Also given the different nature of an HVM Xen implementation using the hardware directly, I think it might be possible for an attacker to do a lot more damage than just Xen on an old x86 with only PV domains.  But this is all rampant speculation by a complete amateur with no coding background.
>
> As far as your questions about letting users run their own VM guests, I don't think they can kill the entire host as long as you limit the system resources under their control.

Good point. Thank you.

> That isn't to say they won't be able to impact the performance of other guests to some extent, but it would only be within the controlled limitations you set for a particular domain.  I can only take it on faith that the isolation between the guests is pretty opaque.  That is what the Xen architecture is supposed to provide.  I don't see any way for unprivileged guests to be able to directly access areas of memory on the system or CPU registers that are outside of their allocation.  That doesn't mean it's impossible.  Personally, I think the biggest area of concern is the virtual networking that happens between the guests.  If it's not done with enough foresight it could allow an old-fashioned host-to-host network password attack to be possible.

OK. In my case I think some neat stuff in my dom0 is going to take care of virtual networking security.

> With the kernels and modules, I think that it would only be wise for you to restrict them to the kernel you provide.

Why? Why does it matter (if Xen is designed to provide isolation anyway)?

> Building modules for them might be a bit tricky and unmanageable, but not impossible.

Sure. :)

> Regarding the security of running their own modules, I still believe that they would not be able to cross the boundaries of their domain into other domains via this route.  Unless something is seriously broken in the Xen paravirtualization model, when they are in unprivileged domains, they can't access anything that the Domain0/Xen microkernel doesn't allow.

I am far from being a Linux expert, but I thought a module can override anything in the kernel. Am I wrong? If I am not wrong, why would disallowing custom kernels while still allowing custom modules be any different from allowing custom kernels?

> Hope this uninformed guessing helps a little and maybe gets more people talking, if only to tell me what a fool I am.  ;)


Thank you very much,

----- Original Message -----
From: "Vasiliy Baranov" <vasiliy.baranov@xxxxxxxxx>
To: xen-users@xxxxxxxxxxxxxxxxxxx
Sent: Tuesday, November 11, 2008 9:35:25 AM (GMT-0500) America/New_York
Subject: [Xen-users] Re: malicious paravirtualized guests: security and isolation


Am I asking stupid questions or is this area a complete mystery? Any pointers to existing sources of information are greatly appreciated. I spent several days searching Xen documentation and googling but could not find anything definitive.

Thank you,

On Thu, Nov 6, 2008 at 4:15 PM, Vasiliy Baranov <vasiliy.baranov@xxxxxxxxx> wrote:

I have a question about isolation and security guarantees Xen provides, if any, in cases when domU guests are not completely trusted, that is, can be malicious. Right now I am specifically interested in the scenario where all guests are paravirtualized, but HVM case is of some interest too.

Say, I want to let my users run their own guests on a Xen host that I own. Users will bring their own disk images. I don't completely trust my users. Does the use of Xen guarantees that malicious guests will be unable to harm other guests or the entire host in any way (for example, kill the entire host)? It is interesting to know both what is guaranteed in theory (that is, if Xen and dom0 work as designed) and how things go in practice.

If I disallow users to use their kernels, that is, if I run guests with my own kernel(s) only, will that improve the situation? How about loadable kernel modules? If I allow Linux guests to load their custom kernel modules, will that nullify the effect of using trusted kernels?

I currently use Xen 3.1.4, if that matters.

Thank you very much in advance,
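As an added example (not from the thread, and not Xen project code): a dom0-side audit that checks the two things the thread turns on, whether a domU config boots a kernel supplied by dom0 rather than one pulled from the user's disk image, and whether that kernel can have its behaviour changed from inside the guest by loading modules. It assumes the xm-style config syntax of Xen 3.x (one Python-style assignment per line, with the real options `kernel`, `ramdisk`, `bootloader`, `memory`, `maxmem`, `vcpus`), and the sample configs and kernel `.config` fragments are constructed here. The module check follows from the point raised above: a loaded module runs with full kernel privilege inside the guest, so a dom0-supplied kernel stays the operator's kernel only if module loading is compiled out (`CONFIG_MODULES` not set). None of this changes the hypervisor-level isolation between domains, which does not depend on what the guest kernel does.

```shell
#!/bin/sh
# Added example: audit xm-style domU configs and guest kernel .config files.
# Not part of the thread or of Xen; assumes Xen 3.x xm config syntax.

# audit_xen_cfg FILE
# Returns 0 when FILE boots a dom0-supplied kernel from /boot and caps
# memory and vcpus; otherwise prints each finding and returns 1.
audit_xen_cfg() {
    cfg=$1
    rc=0
    # bootloader= (e.g. pygrub) takes the kernel from the guest's own disk
    # image, so the operator no longer controls what runs in guest ring 0
    if grep -Eq '^[[:space:]]*bootloader[[:space:]]*=' "$cfg"; then
        echo "$cfg: bootloader= set; guest chooses its own kernel"
        rc=1
    fi
    # kernel= must be present and point into a dom0-owned directory
    kpath=$(sed -n 's/^[[:space:]]*kernel[[:space:]]*=[[:space:]]*["'\'']\([^"'\'']*\)["'\''].*/\1/p' "$cfg")
    case "$kpath" in
        /boot/*) ;;
        "")      echo "$cfg: no kernel= line"; rc=1 ;;
        *)       echo "$cfg: kernel path $kpath is outside /boot"; rc=1 ;;
    esac
    # memory ceilings and a vcpu count keep one guest from starving others
    for key in memory maxmem vcpus; do
        if ! grep -Eq "^[[:space:]]*$key[[:space:]]*=[[:space:]]*[0-9]+" "$cfg"; then
            echo "$cfg: $key not set"
            rc=1
        fi
    done
    return $rc
}

# kernel_modules_disabled CONFIG
# Returns 0 when the kernel .config has loadable-module support compiled
# out ("# CONFIG_MODULES is not set"), 1 when modules can be loaded.
kernel_modules_disabled() {
    grep -q '^# CONFIG_MODULES is not set' "$1"
}

# Constructed sample inputs (not real files from any host).
tmp=$(mktemp -d)
cat > "$tmp/weak.cfg" <<'EOF'
name = "guest-weak"
bootloader = "/usr/bin/pygrub"
memory = 256
disk = ['file:/var/xen/guest-weak.img,xvda,w']
EOF
cat > "$tmp/hardened.cfg" <<'EOF'
name = "guest-hardened"
kernel = "/boot/vmlinuz-2.6-xenU"
ramdisk = "/boot/initrd-2.6-xenU.img"
memory = 256
maxmem = 256
vcpus = 1
disk = ['file:/var/xen/guest-hardened.img,xvda,w']
EOF
printf '# CONFIG_MODULES is not set\n' > "$tmp/config-nomod"
printf 'CONFIG_MODULES=y\n' > "$tmp/config-mod"

# Stand-alone run: report each config, then each kernel .config.
for f in "$tmp"/*.cfg; do
    if audit_xen_cfg "$f"; then echo "$f: OK"; fi
done
for c in "$tmp"/config-*; do
    if kernel_modules_disabled "$c"; then
        echo "$c: module loading compiled out"
    else
        echo "$c: guest can load modules; supplied kernel is not trusted"
    fi
done
```

Run it in dom0 against the real `/etc/xen/*.cfg` files and the `.config` of the kernel you hand to guests; a config that fails `audit_xen_cfg` is one where the user, not you, decides what runs in the guest kernel, and a `.config` with `CONFIG_MODULES=y` means that decision can be changed again after boot.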

Xen-users mailing list