Xen devel - Mar 2010 - Questions on Xen

Hi all,
I have the following questions regarding Xen hypervisor.Can you please
clarify these queries?

Does Xen follow any security model, in particular, does a Random Oracle (RO)
fit in Xen?
When there are concurrent Guest OS running on the same hardware, then there
has to be a mechanism for concurrency control and fairness, how does Xen
implement these?
Shared memory access has to make sure that one "malicious" OS
doesn''t access
other''s memory, where and how is this done?
Similarly with shared network, how and where is security handled in this
case so that packets meant for one OS are not accessible to other OS?
Does xen has cryptography implementation in the code ?
If you have idea regarding *"provable security" *property of Xen , can
you
give us a gist of it ?

Thanks&Regards,
Aditya Pendyala


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel

On Mon, Mar 15, 2010 at 03:51:53PM +0530, Aditya Pendyala
wrote:
>    Hi all,
>    I have the following questions regarding Xen hypervisor.Can you please
>    clarify these queries?
> 
>    * Does Xen follow any security model, in particular, does a Random
Oracle
>      (RO) fit in Xen?
Yes, Xen has Xen Security Modules (XSM).

See:
http://www.xen.org/files/summit_3/coker-xsm-summit-090706.pdf
http://www.xen.org/files/xensummit_4/xsm-summit-041707_Coker.pdf
http://www.xen.org/files/XenSecurity_SHand.pdf

Those pdfs seem to be a bit old, but feel free to google for more up-to-date
stuff.
Especially check the various Xen Summit presentation slides available on
xen.org.
>    * When there are concurrent Guest OS running on the same hardware, then
>      there has to be a mechanism for concurrency control and fairness, how
>      does Xen implement these?
Xen has different schedulers to control cpu time sharing. 
Xen credit scheduler is the default scheduler nowadays. 

credit2 scheduler is under development.

For disk-IO you can use the Linux dom0 CFQ/ionice, or things like dm-ioband.

For network traffic you can use all the common Linux QoS tools, or the built-in
network shaping.

>    * Shared memory access has to make sure that one "malicious"
OS doesn''t
>      access other''s memory, where and how is this done?
I don''t know the internals unfortunately.. I can guess it''s
related to the
fact that Xen hypervisor runs in the x86 ring-0, and the guests run
in other ring levels. So Xen hypervisor has complete control of the guests,
and it can force the security.
>    * Similarly with shared network, how and where is security handled in
this
>      case so that packets meant for one OS are not accessible to other OS?
If you''re using routed setup then it''s pretty easy to control
which IP has which
IP and perform firewalling in dom0.

If you''re using bridged network setup then you can use things like
ebtables
to filter the bridged traffic.

Xen dom0 is usually Linux, so all the usual Linux tools can be used.
>    * Does xen has cryptography implementation in the code ?
What do you mean exactly?
>    * If you have idea regarding "provable security" property of
Xen , can you
>      give us a gist of it ?
I don''t really help with this one unfortunately.

-- Pasi


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel