Kugutsumen wrote:
> There is an ongoing flame war on multiple forums and mailing lists about
> the security of virtualized machines including xen domU:
>
> http://kerneltrap.org/OpenBSD/Virtualization_Security
>
> "A thread on the OpenBSD -misc mailing list began by discussing
> whether or not XEN had been ported to OpenBSD, "is it planned at some point
> to release a paravirtualized xen kernel for OpenBSD 4.3 or 4.4?" Later in
> the discussion it was suggested that virtualization should be a priority for
> security reasons, "virtualization seems to have a lot of security
> benefits." OpenBSD creator Theo de Raadt strongly disagreed with this
> assertion, "you've been smoking something really mind altering, and I
> think you should share it." He went on to describe virtualization as
> "something on the shelf, [which] has all sorts of pretty colours, and
> you've bought it", explaining:
>
> "x86 virtualization is about basically placing another nearly full
> kernel, full of new bugs, on top of a nasty x86 architecture which barely has
> correct page protection. Then running your operating system on the other side of
> this brand new pile of shit. You are absolutely deluded, if not stupid, if you
> think that a worldwide collection of software engineers who can't write
> operating systems or applications without security holes, can then turn around
> and suddenly write virtualization layers without security holes."
>
> Tavis Ormandy's paper is particularly alarming:
> http://shell.cse.ucdavis.edu/~bill/virt/virt.pdf (An Empirical Study into the
> Security Exposure to Hosts of Hostile Virtualized Environments
> by Tavis Ormandy).
>
> Regarding Xen:
>
> "Xen’s design is congruent to good security. However
> in hardware-assisted virtualisation mode using Intel’s VT virtualisation
> extensions, or AMD’s AMD-v extension, Xen relies on a QEMU derived emulator to
> provide emulated devices, which run in Domain0 with ring0 privileges. No suitable
> hardware was available to the author to experiment with this configuration but
> research suggests that compromising the QEMU emulator using one of the flaws
> described in Section A. " result in complete compromise of the
> system."
>
>
> This message posted from opensolaris.org
> _______________________________________________
> xen-discuss mailing list
> xen-discuss@opensolaris.org

OpenBSD guys at it again. OpenBSD is just a rebranded NetBSD, if you've
ever used both of them. They just succeed at making the experience
painfully slow and chock full of assholes. I do partly agree with it,
although he just seems to have no social skills, or tact for that matter.
x86 is indeed a not so good architecture, and Xen and x86 being a
commodity for obvious reasons is a recipe for disaster. Intel's tried
for 15 years to find a way to ditch x86, now they have to slowly improve
it as best as possible since the Itanium is just too overpriced and
complicated for consumers to use, mainly because of it being very
obscure (software availability), at the hand of being overpriced and
hard to get mainly.

I also do agree with his assertions about the original Xen coders, and
Linux in general. I don't like to say all people who develop modules,
or parts of the kernel, or associated system specific software are bad
coders, I just think some are misguided, and an oxymoron to adoption.
Unfortunately, they complain about Microsoft making things platform
specific, then they do it themselves with Xen for instance, making it
painful to port in both the political and technical sense. The ports
are in worse shape than the original, they are retrofitted onto the
BSDs and OpenSolaris. I strongly believe there will be future
consequences by quickly porting it.

I'll end this message with one word, VMware. They seem to get it right,
they have far fewer security problems. Yes, their products except the
parts they have to release are behind closed doors, but they do offer a
plugin API, and portions of the code to hook their products. It's
obvious that Xen was not planned so great if the top experts in security
can find major gaping holes. Perhaps the main Xen developers are going
for a rewrite, but until then security should be on the mind here.

James