This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
Home Products Support Community News


Re: [Xen-users] Re: malicious paravirtualized guests: security and isola

To: "Vasiliy Baranov" <vasiliy.baranov@xxxxxxxxx>
Subject: Re: [Xen-users] Re: malicious paravirtualized guests: security and isolation
From: Luke S Crawford <lsc@xxxxxxxxx>
Date: 26 Nov 2008 20:03:10 -0500
Cc: xen-users@xxxxxxxxxxxxxxxxxxx
Delivery-date: Wed, 26 Nov 2008 17:03:43 -0800
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <e4a2b0250811141039q4f67cf05y66c185cba9f98ed1@xxxxxxxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <e4a2b0250811110916nb0555ddq9156e0b607dfd8b2@xxxxxxxxxxxxxx> <91094279.208821226433579786.JavaMail.root@xxxxxxxxxxxxxxxxx> <e4a2b0250811141039q4f67cf05y66c185cba9f98ed1@xxxxxxxxxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Gnus/5.09 (Gnus v5.9.0) Emacs/21.4
"Vasiliy Baranov" <vasiliy.baranov@xxxxxxxxx> writes:
> Sure. We are not talking about sharing the kernel between dom0 and domU.
> domUs are going to have completely different kernels anyways. The question
> is, if I have to allow custom modules in domUs (because my users cannot live
> without them), does it make sense to disallow custom kernels, i.e. whether
> disallowing custom kernels is going to buy me much?

First, I'm not really sure how you would disallow custom kernels, without
giving users a box with a castrated root.  If you have root on a 
regular linux box, there are several mechanisms for modifying the running
kernel without rebooting.   

A data point:  I've been allowing custom kernels from just about anyone
on the net willing to give me $5 since 2005, and I haven't had anyone break 
out from the DomU to the Dom0.  

I am entirely paravirtualized, though, and from what I understand, HVM has
a much larger (and theoretically  more buggy) interface between Dom0 and DomU.

I have had problems where MAC address conflicts took things down,  (lock
those MACs down and firewall them!)  

Oh, the weakest part of my system, in my opinion?  PyGrub.  (that, or my
homemade scripts that give DomU owners access to 'xm console domain')
Now, I don't know of any open security holes in PyGrub, but I know there 
were some in the past. 

Essentially, PyGrub is a python script that reads /boot/grub/menu.lst from
the guest file system and then copies the kernel from the DomU to the Dom0.
You can imagine how risky that is.   

PVGRUB, from Xen 3.3, is theoretically much more secure, as it runs 
entirely within the DomU.  

Xen-users mailing list

<Prev in Thread] Current Thread [Next in Thread>