> Hi,
>
> I have a question about isolation and security guarantees Xen
> provides, if any, in cases when domU guests are not completely trusted,
> that is, can be malicious. Right now I am specifically interested in the
> scenario where all guests are paravirtualized, but the HVM case is of some
> interest too.
>
> Say, I want to let my users run their own guests on a Xen host that
> I own. Users will bring their own disk images. I don't completely trust my
> users. Does the use of Xen guarantee that malicious guests will be unable
> to harm other guests or the entire host in any way (for example, kill the
> entire host)? It is interesting to know both what is guaranteed in theory
> (that is, if Xen and dom0 work as designed) and how things go in practice.
>
> If I disallow users from using their own kernels, that is, if I run guests
> with my own kernel(s) only, will that improve the situation? How about
> loadable kernel modules? If I allow Linux guests to load their custom
> kernel modules, will that nullify the effect of using trusted kernels?
>
> I currently use Xen 3.1.4, if that matters.
>
When developing the Windows GPLPV drivers I crashed my Dom0 (and
therefore all DomUs) on a few occasions. That was under 3.0.3, 3.0.4,
and possibly some early 3.1.x versions of Xen. As crashing was the exact
opposite of what I was trying to do, I didn't pursue it, but obviously
it has been possible in the past to cause a crash by doing something
wrong in the PV side of things.

Is there a limit on the amount of data you can write to the xenstore?
Overflowing some limit in xenstore could be one method of causing a
crash.

James
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
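The question James raises above (whether a guest can write unbounded data into xenstore) is something an operator can measure rather than guess at. The script below is an added example, not code from the thread or from the Xen project: run from inside a domU, it uses the standard xenstore-write / xenstore-read / xenstore-rm guest tools to find the largest single value the daemon accepts and how many entries the guest may create before a write is refused. The relative path data/xsprobe (under the guest's own writable /local/domain/<id>/data subtree), the 64 KiB and 5000 search caps, and the presence of the xenstore tools in the guest are all assumptions for illustration. Modern C xenstored enforces per-domain quotas on entry count and entry size; a host where both probes run up to their caps without a refusal is one where a guest can exhaust xenstored memory.

```shell
#!/bin/sh
# Added example (not from the original thread or the Xen project): probe, from
# inside a domU, whether xenstore bounds the size and number of entries a
# guest may create under its own writable subtree.  Assumes the xenstore-write,
# xenstore-read and xenstore-rm guest tools are installed; the path and the
# search caps below are assumptions chosen for illustration.

XS_BASE="data/xsprobe"   # guest-writable relative path under /local/domain/<id>
MAX_VALUE_BYTES=65536    # upper bound of the value-size search (assumed)
MAX_ENTRIES=5000         # upper bound of the entry-count probe (assumed)

# Print a payload of exactly $1 bytes (the letter 'A' repeated, no newline).
make_payload() {
    awk -v n="$1" 'BEGIN { while (i++ < n) printf "A" }'
}

# True iff writing $2 to key $1 succeeds AND the value reads back intact.
write_ok() {
    xenstore-write "$1" "$2" 2>/dev/null || return 1
    [ "$(xenstore-read "$1" 2>/dev/null)" = "$2" ]
}

# Binary-search the largest single value xenstore accepts.  Invariant: lo is a
# size known to work (0 = nothing tested), hi is a size known to fail or the cap.
largest_value_size() {
    lo=0; hi=$((MAX_VALUE_BYTES + 1))
    while [ $((hi - lo)) -gt 1 ]; do
        mid=$(((lo + hi) / 2))
        if write_ok "$XS_BASE/size" "$(make_payload "$mid")"; then
            lo=$mid
        else
            hi=$mid
        fi
    done
    echo "$lo"
}

# Create one-byte entries until a write is refused; print how many succeeded.
max_entry_count() {
    i=0
    while [ "$i" -lt "$MAX_ENTRIES" ]; do
        write_ok "$XS_BASE/n$i" "x" || break
        i=$((i + 1))
    done
    echo "$i"
}

# Only run the probes where the tools exist, and remove what we created.
if command -v xenstore-write >/dev/null 2>&1; then
    echo "largest value accepted: $(largest_value_size) bytes (search capped at $MAX_VALUE_BYTES)"
    echo "entries created before refusal: $(max_entry_count) (capped at $MAX_ENTRIES)"
    xenstore-rm "$XS_BASE" 2>/dev/null
else
    echo "xenstore-write not found; run this inside a Xen guest with the xenstore tools installed" >&2
fi
```

Run it as root inside the guest you want to assess; a result that reaches both caps means the daemon imposed no limit at those sizes, and the remaining question is what xenstored does when the guest keeps going, which is exactly the failure mode the reply above is asking about.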