Re: [Xen-users] Re: malicious paravirtualized guests: security and isola
On Tue, Nov 11, 2008 at 6:05 PM, George Lenzer <george.lenzer@xxxxxxx>
No, it's not a stupid question, I think it's just that at this point not many Xen users are thinking about this aspect of paravirtualization/hypervisor. Personally, I think hypervisor is a much higher risk than paravirtualization because of the possibility of malicious code making it into a Xen hypervisor (provided by a third party). Given that Domain0 is sitting atop the Xen hypervisor purely for management purposes, I believe (but cannot say with any authority) that there is a possibility that there are things it can't see happening at the hypervisor level. Also given the different nature of an HVM Xen implementation using the hardware directly, I think it might be possible for an attacker to do a lot more damage than just Xen on an old x86 with only PV domains. But this is all rampant speculation by a complete amateur with no coding background.
As far as your questions about letting users run their own VM guests, I don't think they can kill the entire host as long as you limit the system resources under their control.
Good point. Thank you.
That isn't to say they won't be able to impact the performance of other guests to some extent, but it would only be within the controlled limitations you set for a particular domain. I can only take it on faith that the isolation between the guests is pretty opaque. That is what the Xen architecture is supposed to provide. I don't see any way for unprivileged guests to be able to directly access areas of memory on the system or CPU registers that are outside of their allocation. That doesn't mean it's impossible. Personally, I think the biggest area of concern is the virtual networking that happens between the guests. If it's not done with enough foresight it could allow an old-fashioned host-to-host network password attack to be possible.
OK. In my case I think some neat stuff in my dom0 is going to take care of virtual networking security.
With the kernels and modules, I think that it would only be wise for you to restrict them to the kernel you provide.
Why? Why does it matter (if Xen is designed to provide isolation anyways)?
Building modules for them might be a bit tricky and unmanageable, but not impossible.
Regarding the security of running their own modules, I still believe that they would not be able to cross the boundaries of their domain into other domains via this route. Unless something is seriously broken in the Xen paravirtualization model, when they are in unprivileged domains, they can't access anything that Domain0/Xen microkernel doesn't allow.
I am far from being a Linux expert, but I thought a module can override anything in the kernel. Am I wrong? If I am not wrong, why would disallowing custom kernels while still allowing custom modules be different from allowing custom kernels?
Hope this uninformed guessing helps a little and maybe gets more people talking, if only to tell me what a fool I am. ;)
Thank you very much,
----- Original Message -----
From: "Vasiliy Baranov" <vasiliy.baranov@xxxxxxxxx>
Sent: Tuesday, November 11, 2008 9:35:25 AM (GMT-0500) America/New_York
Subject: [Xen-users] Re: malicious paravirtualized guests: security and isolation
Am I asking stupid questions or is this area a complete mystery? Any pointers to existing sources of information are greatly appreciated. I spent several days searching Xen documentation and googling but could not find anything definitive.
On Thu, Nov 6, 2008 at 4:15 PM, Vasiliy Baranov <vasiliy.baranov@xxxxxxxxx>
I have a question about isolation and security guarantees Xen provides,
if any, in cases when domU guests are not completely trusted, that is,
can be malicious. Right now I am specifically interested in the
scenario where all guests are paravirtualized, but HVM case is of some
Say, I want to let my users run their own guests on a Xen host that I
own. Users will bring their own disk images. I don't completely trust
my users. Does the use of Xen guarantee that malicious guests will be
unable to harm other guests or the entire host in any way (for example, kill the
entire host)? It is interesting to know both what is
guaranteed in theory (that is, if Xen and dom0 work as designed) and
how things go in practice.
If I disallow users from using their kernels, that is, if I run guests with
my own kernel(s) only, will that improve the situation? How about
loadable kernel modules? If I allow Linux guests to load their custom
kernel modules, will that nullify the effect of using trusted kernels?
I currently use Xen 3.1.4, if that matters.
Thank you very much in advance,