Hi all,

Is there any security risk in enabling loadable module support in the Linux kernel used for the unprivileged domains? I ask this question in the context of a virtual private server hosting provider.

Thanks,
Scott.

-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://productguide.itmanagersjournal.com/
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/xen-devel
> Is there any security risk in enabling loadable module support in the Linux
> kernel used for the unprivileged domains? I ask this question in the context of
> a virtual private server hosting provider.

There shouldn't be any security risk at all -- Xen should provide all the isolation you need (modulo any bugs).

Ian
David Hopwood
2004-Nov-22 19:37 UTC
Re: [Xen-devel] Module loading in unprivileged domains
Ian Pratt wrote:
>> Is there any security risk in enabling loadable module support in the Linux
>> kernel used for the unprivileged domains? I ask this question in the context of
>> a virtual private server hosting provider.
>
> There shouldn't be any security risk at all -- Xen should provide
> all the isolation you need (modulo any bugs).

So the answer to the original question is, "yes, enabling loadable module support will increase your exposure to security risks due to any weaknesses in Xen's isolation." Xen hasn't had particularly extensive security review yet.

-- 
David Hopwood <david.nospam.hopwood@blueyonder.co.uk>
> Ian Pratt wrote:
>>> Is there any security risk in enabling loadable module support in the Linux
>>> kernel used for the unprivileged domains? I ask this question in the context of
>>> a virtual private server hosting provider.
>>
>> There shouldn't be any security risk at all -- Xen should provide
>> all the isolation you need (modulo any bugs).
>
> So the answer to the original question is, "yes, enabling loadable module
> support will increase your exposure to security risks due to any weaknesses
> in Xen's isolation." Xen hasn't had particularly extensive security review
> yet.

I don't think that preventing loadable module support is going to buy you anything. If your users have root they can write to the domain's memory image and hence in practice do anything that they could if they had kernel modules.

Xen has been designed to provide secure isolation between guests. It has undergone code review by a bunch of different people. It may have security bugs, but at least they're relatively obscure...

Ian
> Ian Pratt wrote:
>>> Is there any security risk in enabling loadable module support in the Linux
>>> kernel used for the unprivileged domains? I ask this question in the context of
>>> a virtual private server hosting provider.
>>
>> There shouldn't be any security risk at all -- Xen should provide
>> all the isolation you need (modulo any bugs).
>
> So the answer to the original question is, "yes, enabling loadable module
> support will increase your exposure to security risks due to any weaknesses
> in Xen's isolation." Xen hasn't had particularly extensive security review
> yet.

Well only if you're not already giving root access to the virtual machine in question (or believe that by not giving it you're protected). "Security risk" is not particularly well formulated in non-assessed operating systems (aka pretty much all commodity ones). The Immunix guys have a great demo of Linux being hosed by about 5 different freely downloadable exploits (which vary through time, but retain a similar number), and being stopped by Immunix. Of course one can imagine a further N exploits which crack Immunix :-)

In short: please feel free to enable loadable module support in an unprivileged kernel. The trust barrier is xen<->guestOS, and so that's what you should trust. We cannot guarantee that it's bulletproof but we're more likely to respond to vulnerabilities in Xen than ones inherent in Linux.

cheers,

S.
David Hopwood
2004-Nov-23 01:53 UTC
Re: [Xen-devel] Module loading in unprivileged domains
Ian Pratt wrote:
>> Ian Pratt wrote:
>>
>>>> Is there any security risk in enabling loadable module support in the Linux
>>>> kernel used for the unprivileged domains? I ask this question in the context of
>>>> a virtual private server hosting provider.
>>>
>>> There shouldn't be any security risk at all -- Xen should provide
>>> all the isolation you need (modulo any bugs).
>>
>> So the answer to the original question is, "yes, enabling loadable module
>> support will increase your exposure to security risks due to any weaknesses
>> in Xen's isolation." Xen hasn't had particularly extensive security review
>> yet.
>
> I don't think that preventing loadable module support is going to
> buy you anything. If your users have root they can write to the
> domain's memory image and hence in practice do anything that they
> could if they had kernel modules.

True, unless there are bugs that cause different behaviour depending on whether a module is compiled-in or loaded (such as <http://lists.jammed.com/linux-security-module/2003/12/0012.html>). Nevertheless enabling loadable modules may allow a greater proportion of script kiddies to be capable of exploiting any given bug.

This is all the same as in standard Linux, so perhaps I should have said: enable loadable modules iff you would do so in standard Linux.

> Xen has been designed to provide secure isolation between
> guests. It has undergone code review by a bunch of different
> people. It may have security bugs, but at least they're
> relatively obscure...

I remain skeptical.

-- 
David Hopwood <david.nospam.hopwood@blueyonder.co.uk>
Scott Mohekey
2004-Nov-23 08:57 UTC
[Xen-devel] Re: Module loading in unprivileged domains
David Hopwood <david.nospam.hopwood <at> blueyonder.co.uk> writes:
> Ian Pratt wrote:
>>> Ian Pratt wrote:
>>>
>>>>> Is there any security risk in enabling loadable module support in the Linux
>>>>> kernel used for the unprivileged domains? I ask this question in the context of
>>>>> a virtual private server hosting provider.
>>>>
>>>> There shouldn't be any security risk at all -- Xen should provide
>>>> all the isolation you need (modulo any bugs).
>>>
>>> So the answer to the original question is, "yes, enabling loadable module
>>> support will increase your exposure to security risks due to any weaknesses
>>> in Xen's isolation." Xen hasn't had particularly extensive security review
>>> yet.
>>
>> I don't think that preventing loadable module support is going to
>> buy you anything. If your users have root they can write to the
>> domain's memory image and hence in practice do anything that they
>> could if they had kernel modules.
>
> True, unless there are bugs that cause different behaviour depending
> on whether a module is compiled-in or loaded (such as
> <http://lists.jammed.com/linux-security-module/2003/12/0012.html>).
> Nevertheless enabling loadable modules may allow a greater proportion
> of script kiddies to be capable of exploiting any given bug.
>
> This is all the same as in standard Linux, so perhaps I should have
> said: enable loadable modules iff you would do so in standard Linux.
>
>> Xen has been designed to provide secure isolation between
>> guests. It has undergone code review by a bunch of different
>> people. It may have security bugs, but at least they're
>> relatively obscure...
>
> I remain skeptical.

So from what I can gather, the user of an unprivileged domain is entirely capable of destroying their own domain? If this is the case, it is entirely acceptable. What I'm more concerned with, however, is the impact one unprivileged domain can have on another. I don't want one domain able to adversely affect other domains running on the node. I understand that the point of weakness for this is only Xen itself which, being open source and backed by a great community, I am more than comfortable with.

I'm becoming more and more familiar with Xen as the days go by, and am very happy with my decision to use it over other, similar products.

As an aside, I've been trying to join this mailing list for some days now, however the sourceforge mail server is rejecting the confirmation email on the grounds that my mail server is incorrectly configured (no postmaster account, which I know is not true). Has anyone else had a similar experience?

Scott.
Nuutti Kotivuori
2004-Nov-23 16:43 UTC
[Xen-devel] Re: Module loading in unprivileged domains
David Hopwood wrote:
> True, unless there are bugs that cause different behaviour depending
> on whether a module is compiled-in or loaded (such as
> <http://lists.jammed.com/linux-security-module/2003/12/0012.html>).
> Nevertheless enabling loadable modules may allow a greater
> proportion of script kiddies to be capable of exploiting any given
> bug.
>
> This is all the same as in standard Linux, so perhaps I should have
> said: enable loadable modules iff you would do so in standard Linux.

That's a bit of an odd comment I think.

Enabling module loading has security implications for the actual Linux system being exploited - eg. either the physical machine in a standalone case, or a Xen guest virtual machine.

But the original question was not about the security of that machine, but about the possibility of escalation of that exploit into other Xen guests or the domain 0 on the same physical machine.

So for the escalation case, in both cases we are talking about a fully exploited Xen guest virtual machine trying to break out of Xen separation - and in that case, I don't see how module loading makes any difference.

So the complete answer would be - yes, module loading in unprivileged domains has security implications in unprivileged domains as much as it has on standard Linux machines - but no, module loading in unprivileged domains has no security implications with regard to other machines running on the same host, aside from those normally incurred by Xen.

And I think the latter part of the answer was what the original poster intended.

-- Naked
Brian Wolfe
2004-Nov-23 17:02 UTC
Re: [Xen-devel] Re: Module loading in unprivileged domains
I don't think the original poster truly understands how Xen works, otherwise they wouldn't have asked about module loading and its security implications in Xen. This isn't another vserver or UML project. It doesn't matter what you do with the individual guest kernels. The fact of the matter is that they have no authority (unless they are a privileged domain) to affect Xen's security.

Now bugs in Xen's security enforcement methods *might* be exploitable, but from what I can see this is a fairly easy area to audit. The use of event channels makes it tougher than usual for an unprivileged domain to break into a backend driver domain. That of course would be easily audited as well. With the page wiping in Xen 2.0.x now, I don't see how a domain could exploit anything in Xen with used memory that is handed back to Xen from drivers. I don't know of any areas of Xen that attempt to execute code from allocated memory blocks that a domain hands to Xen directly. I can't imagine any other method to compromise the Xen hypervisor.

Anyone else as or more familiar with the main hypervisor kernel aware of, or can imagine, ways to bust through its security?

My 0.2 cents of admittedly limited understanding of Xen's security and methods...

Brian

On Tue, 2004-11-23 at 18:43 +0200, Nuutti Kotivuori wrote:
> David Hopwood wrote:
> > True, unless there are bugs that cause different behaviour depending
> > on whether a module is compiled-in or loaded (such as
> > <http://lists.jammed.com/linux-security-module/2003/12/0012.html>).
> > Nevertheless enabling loadable modules may allow a greater
> > proportion of script kiddies to be capable of exploiting any given
> > bug.
> >
> > This is all the same as in standard Linux, so perhaps I should have
> > said: enable loadable modules iff you would do so in standard Linux.
>
> That's a bit of an odd comment I think.
>
> Enabling module loading has security implications for the actual Linux
> system being exploited - eg. either the physical machine in a
> standalone case, or a Xen guest virtual machine.
>
> But the original question was not about the security of that machine,
> but about the possibility of escalation of that exploit into other
> Xen guests or the domain 0 on the same physical machine.
>
> So for the escalation case, in both cases we are talking about a fully
> exploited Xen guest virtual machine trying to break out of Xen
> separation - and in that case, I don't see how module loading makes
> any difference.
>
> So the complete answer would be - yes, module loading in unprivileged
> domains has security implications in unprivileged domains as much as
> it has on standard Linux machines - but no, module loading in
> unprivileged domains has no security implications with regard to
> other machines running on the same host, aside from those normally
> incurred by Xen.
>
> And I think the latter part of the answer was what the original poster
> intended.
>
> -- Naked
David Hopwood
2004-Nov-23 17:10 UTC
Re: [Xen-devel] Re: Module loading in unprivileged domains
Nuutti Kotivuori wrote:
> David Hopwood wrote:
>
>> True, unless there are bugs that cause different behaviour depending
>> on whether a module is compiled-in or loaded (such as
>> <http://lists.jammed.com/linux-security-module/2003/12/0012.html>).
>> Nevertheless enabling loadable modules may allow a greater
>> proportion of script kiddies to be capable of exploiting any given
>> bug.
>>
>> This is all the same as in standard Linux, so perhaps I should have
>> said: enable loadable modules iff you would do so in standard Linux.
>
> That's a bit of an odd comment I think.
>
> Enabling module loading has security implications for the actual Linux
> system being exploited - eg. either the physical machine in a
> standalone case, or a Xen guest virtual machine.
>
> But the original question was not about the security of that machine,
> but about the possibility of escalation of that exploit into other
> Xen guests or the domain 0 on the same physical machine.

If there is no exploit, then there is no possibility of escalation. On a physical machine running Linux on Xen where an attacker only has direct access to Linux user-mode processes, the attacker has two layers that must both be exploited: Linux and Xen. Obviously, bugs and misconfigured settings in both Linux and Xen are therefore relevant to the security of the physical machine.

-- 
David Hopwood <david.nospam.hopwood@blueyonder.co.uk>
Jan Kundrát
2004-Nov-24 21:57 UTC
Re: [Xen-devel] Re: Module loading in unprivileged domains
Scott Mohekey wrote:
> As an aside, I've been trying to join this mailing list for some days now,
> however the sourceforge mail server is rejecting the confirmation email on the
> grounds that my mail server is incorrectly configured (no postmaster account,
> which I know is not true). Has anyone else had a similar experience?

A bit OT here, but some messages are being delivered with quite a big delay (several hours) while others flow just fine.

j.
Nuutti Kotivuori
2004-Nov-26 19:20 UTC
[Xen-devel] Re: Module loading in unprivileged domains
Scott Mohekey wrote:
> So from what I can gather, the user of an unprivileged domain is
> entirely capable of destroying their own domain? If this is the
> case, it is entirely acceptable. What I'm more concerned with,
> however, is the impact one unprivileged domain can have on
> another. I don't want one domain able to adversely affect other
> domains running on the node. I understand that the point of weakness
> for this is only Xen itself which, being open source and backed by a
> great community, I am more than comfortable with.

To say it simply: Module loading _may_ help an attacker circumvent Linux security on the unprivileged domain to gain root on the unprivileged domain. If the attacker has already gained root access on the unprivileged domain, module loading has _no_ effect on trying to adversely affect other domains running on the node.

So yes, that security is entirely up to Xen - and Xen security is fundamentally a sound approach, but of course remains to be seen as the deployment is not extensive.

-- Naked
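Ian's point earlier in the thread (root can already write to the domain's memory image) and Nuutti's summary above both come down to the same check: whether the guest kernel allows module loading only matters together with the other ways root can reach kernel memory. The following Python audit is an added example, not code from the thread or the Xen project; it parses a guest kernel `.config` and applies that reasoning. The sample config is constructed, and the options `CONFIG_MODULE_SIG`, `CONFIG_DEVKMEM` and `CONFIG_STRICT_DEVMEM` are assumed to exist in the kernel being audited (they postdate the 2004 kernels discussed here).

```python
"""Audit a guest kernel .config for module loading and raw kernel-memory access.

Added example, not from the Xen-devel thread. CONFIG_MODULE_SIG, CONFIG_DEVKMEM
and CONFIG_STRICT_DEVMEM are assumed to be present in the audited kernel; they
did not exist in the 2004 kernels the thread discusses.
"""
import re
from typing import Dict, List

# Constructed sample domU .config fragment, not taken from any real build.
SAMPLE_CONFIG = """\
# Constructed example, not a real kernel build
CONFIG_MODULES=y
CONFIG_MODULE_UNLOAD=y
# CONFIG_MODULE_SIG is not set
CONFIG_DEVKMEM=y
# CONFIG_STRICT_DEVMEM is not set
CONFIG_LOCALVERSION="-domU"
"""

_SET = re.compile(r"^(CONFIG_\w+)=(.*)$")
_UNSET = re.compile(r"^# (CONFIG_\w+) is not set$")


def parse_kconfig(text: str) -> Dict[str, str]:
    """Map option name to value; a '# CONFIG_X is not set' line becomes 'n'."""
    opts: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = _SET.match(line)
        if m:
            opts[m.group(1)] = m.group(2).strip('"')
            continue
        m = _UNSET.match(line)
        if m:
            opts[m.group(1)] = "n"
    return opts


def module_loading_findings(opts: Dict[str, str]) -> List[str]:
    """Apply the thread's reasoning: disabling modules while root can still
    write kernel memory through /dev/kmem or /dev/mem closes nothing."""
    modules = opts.get("CONFIG_MODULES", "n") == "y"
    kmem = opts.get("CONFIG_DEVKMEM", "n") == "y"
    strict_devmem = opts.get("CONFIG_STRICT_DEVMEM", "n") == "y"
    findings: List[str] = []
    if modules and opts.get("CONFIG_MODULE_SIG", "n") != "y":
        findings.append("modules load without signature checks (CONFIG_MODULE_SIG unset)")
    if kmem:
        findings.append("root can write kernel memory via /dev/kmem (CONFIG_DEVKMEM=y)")
    if not strict_devmem:
        findings.append("/dev/mem exposes all RAM (CONFIG_STRICT_DEVMEM unset)")
    if not modules and (kmem or not strict_devmem):
        findings.append("CONFIG_MODULES=n buys little: root still reaches kernel memory")
    return findings


if __name__ == "__main__":
    for finding in module_loading_findings(parse_kconfig(SAMPLE_CONFIG)):
        print("-", finding)
```

Run against a real guest `.config` by replacing `SAMPLE_CONFIG` with the file contents; an empty findings list means either modules are off and kernel memory is closed to root, or modules are on but signature-checked, which is the "same as standard Linux" position the thread settles on.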