How secure are Xen guests and hosts if a guest is compromised?

Can the compromise of a guest be used as a gateway to compromise both hosts and other guests?

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
> -----Original Message-----
> From: xen-users-bounces@lists.xensource.com
> [mailto:xen-users-bounces@lists.xensource.com] On Behalf Of
> Frank Church
> Sent: 24 April 2007 11:37
> To: xen-users@lists.xensource.com
> Subject: [Xen-users] Security of Xen host and guests?
>
> How secure are Xen guests and hosts if a guest is compromised?
>
> Can the compromise of a guest be used as a gateway to compromise both
> hosts and other guests?

Aside from the possibility that a guest can use up 100% of its assigned resources (CPU, network bandwidth, etc.), which, if you don't expect it to use more than 10%, can cause interesting effects on the overall system performance. There are ways to limit any and all of those resources, so a well-configured system wouldn't be able to notice this at all.

Each guest is protected from getting to any other guest, and it's not possible, for example, for a guest to access another guest's memory or disk storage [a guest can ALLOW another guest to access its memory, that's how drivers work, but the guest owning the memory must perform a "grant" operation].

So essentially we have the same situation as if you have two or more machines running on the same network: if one is compromised, the other should still stay "safe" as long as the setup itself is secured properly (e.g. if you have the same passwords on both machines, one could presumably log in from one to the other knowing the password).

The host domain (Dom0) is just another domain from the hypervisor's perspective, along the same lines as "root" being just another user. It is special in the sense that it's got permissions to create/destroy other guests. But from a security perspective, it is no more or less secure than any other guest in and of itself. Of course, hopefully any sysadmin worth his salt should set extra security for accessing Dom0. Just like in a network of "real" machines, you'd protect the file server a bit more [e.g. not allow regular users to log in there, extra firewall protection, etc., etc.] than you may do with the regular desktop/client machines...

--
Mats
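The "grant" rule Mats describes (a domain reaches only its own memory, or a frame whose owner has explicitly granted it) modelled as a small access-check, plus revocation and an audit trail of refused requests. This is an added illustration written for this page, not Xen's own grant-table code; the `Hypervisor`, `Grant` and `map_frame` names are invented.

```python
"""Toy model of grant-mediated memory sharing between domains (constructed example)."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Grant:
    frame: int        # frame number being shared
    grantee: int      # domain id allowed to map it
    readonly: bool    # True: grantee may only read through the mapping


class AccessDenied(Exception):
    pass


@dataclass
class Hypervisor:
    owner: dict[int, int] = field(default_factory=dict)            # frame -> owning domid
    grants: dict[int, list[Grant]] = field(default_factory=dict)   # domid -> grants it issued
    audit: list[str] = field(default_factory=list)                 # refused requests, for detection

    def assign_frame(self, frame: int, domid: int) -> None:
        self.owner[frame] = domid

    def grant_access(self, owner: int, frame: int, grantee: int, readonly: bool = True) -> Grant:
        # Only the owning domain may issue a grant for a frame; nobody else can "grant" on its behalf.
        if self.owner.get(frame) != owner:
            raise AccessDenied(f"dom{owner} does not own frame {frame:#x}")
        g = Grant(frame, grantee, readonly)
        self.grants.setdefault(owner, []).append(g)
        return g

    def revoke(self, owner: int, grant: Grant) -> None:
        # Withdrawing the grant immediately closes the path for the grantee.
        self.grants.get(owner, []).remove(grant)

    def map_frame(self, requester: int, frame: int, write: bool) -> bool:
        """True if dom `requester` may map `frame` (writably if `write`), else False and logged."""
        owner = self.owner.get(frame)
        if owner == requester:
            return True  # a domain always reaches its own memory
        for g in self.grants.get(owner, []):
            if g.frame == frame and g.grantee == requester and (not write or not g.readonly):
                return True
        # Any other cross-domain access is refused: a compromised guest stays inside its own memory.
        self.audit.append(f"denied: dom{requester} -> frame {frame:#x} (owner dom{owner}, write={write})")
        return False
```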
> How secure are Xen guests and hosts if a guest is compromised?
>
> Can the compromise of a guest be used as a gateway to compromise both
> hosts and other guests?

dom0 (analogous to the "host" in other systems) must be protected by all reasonable means, as it is able to compromise any other domain running on the system. This is also true for a domain which is given direct PCI hardware access, e.g. to a network card (this is not the normal use case). This is similar to protecting your root account or the administration terminal for essential network services.

The compromise (e.g. somebody escalating to root access) of an unprivileged domain should have no effect on the security of the rest of the system. Whilst it would give an attacker more scope to load malicious kernel modules in the guest in order to attack domain 0 and Xen, both of these are intended to be secure against this kind of attack. The design intends that it is safe to deliberately give out root access to the owner of an unprivileged domain and to allow them to load customised kernels, etc. Root compromise of a guest would be equivalent to this, and therefore should be isolated by design.

Cheers,
Mark

--
Dave: Just a question. What use is a unicycle with no seat? And no pedals!
Mark: To answer a question with a question: What use is a skateboard?
Dave: Skateboards have wheels.
Mark: My wheel has a wheel!
Petersson, Mats wrote:
>> [mailto:xen-users-bounces@lists.xensource.com] On Behalf Of Frank
>>
>> How secure are Xen guests and hosts if a guest is compromised?
>>
>> Can the compromise of a guest be used as a gateway to compromise both
>> hosts and other guests?
>
> Each guest is protected from getting to any other guest and it's not
> possible for example for a guest to access another guest's memory or
> disk storage [a guest can ALLOW another guest to access its memory,
> that's how drivers work, but the guest owning the memory must perform
> a "grant" operation].
>

I realize that this is the security policy for Xen, but can we really be sure that the hypervisor implementation is provably secure? I doubt that the NSA would consider it so. Just because we haven't seen someone "break out" of a guest doesn't mean it's impossible. That's why there is still research going on into secure hypervisors (e.g., sHype).

I know this is a little paranoid, but nevertheless. It posits something like a very clever, low-level timing attack on a fundamental implementation or design flaw. Remember the blind spots inherent in breaking one's own security.

However, for general-purpose, commercial use, I'm willing to believe that Xen is pretty darn secure.
> > Each guest is protected from getting to any other guest and it's not
> > possible for example for a guest to access another guest's memory or
> > disk storage [a guest can ALLOW another guest to access its memory,
> > that's how drivers work, but the guest owning the memory must perform
> > a "grant" operation].
>
> I realize that this is the security policy for Xen, but can we really
> be sure that the hypervisor implementation is provably secure? I doubt
> that the NSA would consider it so. Just because we haven't seen someone
> "break out" of a guest doesn't mean it's impossible. That's why there
> is still research going on into secure hypervisors (e.g., sHype).
>
> I know this is a little paranoid, but nevertheless. It posits
> something like a very clever, low-level timing attack on a fundamental
> implementation or design flaw. Remember the blind spots inherent in
> breaking one's own security.

As with any system, there may be implementation bugs which undermine the intended security behaviour. Bugs of this kind, of varying severity / likelihood of compromise, will crop up from time to time (I believe I've seen a few in the past).

The basic design of the low-level interface is believed to be secure... It would be interesting to have some formal verification of this attempted. This may happen as people start looking at security certifications for Xen-based systems. The other side of this coin is that somebody would need to verify that the implementation truly matched this formal spec in a bug-free way. There's lots of stuff to do on the route to more formal security properties, but people are looking into it.

In the meantime, a system with the appropriate tweaks should be fairly secure, with more-tested configurations being more so (e.g. the security issue regarding the Qemu monitor in HVM domains springs to mind as something that took a while to be found and fixed).

Cheers,
Mark