Hi Everyone,

In Xen, is a DomU able to access data in RAM which a previous DomU has stored in the past, but didn't "zero" it?

I understand that this is a problem with physical disks (using phy:/), just wondering if the same stands with RAM

Thanks

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users

I looked into this sometime this last year. I believe the answer is "no": the domain destruction routines will zero memory before handing it back to Xen.

One potential data leak, however (last time I looked at this), is that Xen does not scrub memory handed back by the balloon driver. So if the guest OS hasn't scrubbed it, and it contains sensitive information, it may end up being assigned to another domain as-is (either via ballooning or start-of-day domain creation). At the moment that's considered the guest's responsibility.

-George

On Mon, Dec 6, 2010 at 2:35 PM, Jonathan Tripathy <jonnyt@abpni.co.uk> wrote:
> Hi Everyone,
>
> In Xen, is a DomU able to access data in RAM which a previous DomU has
> stored in the past, but didn't "zero" it?
>
> I understand that this is a problem with physical disks (using phy:/), just
> wondering if the same stands with RAM
>
> Thanks

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel

Would one way around this be to disable ballooning in the DomUs? At the minute, only my Dom0 can be ballooned, all DomU have a fixed memory size. Is this sufficient?

Thanks

On 06/12/10 14:49, George Dunlap wrote:
> I looked into this sometime this last year. I believe the answer is
> "no": the domain destruction routines will zero memory before handing
> it back to Xen.
>
> One potential data leak, however (last time I looked at this), is that
> Xen does not scrub memory handed back by the balloon driver. So if
> the guest OS hasn't scrubbed it, and it contains sensitive
> information, it may end up being assigned to another domain as-is
> (either via ballooning or start-of-day domain creation). At the
> moment that's considered the guest's responsibility.
>
> -George
>
> On Mon, Dec 6, 2010 at 2:35 PM, Jonathan Tripathy <jonnyt@abpni.co.uk> wrote:
>> Hi Everyone,
>>
>> In Xen, is a DomU able to access data in RAM which a previous DomU has
>> stored in the past, but didn't "zero" it?
>>
>> I understand that this is a problem with physical disks (using phy:/), just
>> wondering if the same stands with RAM
>>
>> Thanks

Just a few questions:

1) By saying "the guest's responsibility", does this mean that CONFIG_XEN_SCRUB_PAGES=y is set in the DomU kernel config?

2) Also, if a DomU was shutdown by xm destroy, obviously the DomU wouldn't scrub the RAM. However would Xen still scrub the RAM?

3) If the physical server was shutdown (e.g. plug pulled), I'm guessing this will present a problem?

4) Why doesn't Xen scrub the RAM before giving it to the DomU?

Thanks

On 06/12/10 14:49, George Dunlap wrote:
> I looked into this sometime this last year. I believe the answer is
> "no": the domain destruction routines will zero memory before handing
> it back to Xen.
>
> One potential data leak, however (last time I looked at this), is that
> Xen does not scrub memory handed back by the balloon driver. So if
> the guest OS hasn't scrubbed it, and it contains sensitive
> information, it may end up being assigned to another domain as-is
> (either via ballooning or start-of-day domain creation). At the
> moment that's considered the guest's responsibility.
>
> -George
>
> On Mon, Dec 6, 2010 at 2:35 PM, Jonathan Tripathy <jonnyt@abpni.co.uk> wrote:
>> Hi Everyone,
>>
>> In Xen, is a DomU able to access data in RAM which a previous DomU has
>> stored in the past, but didn't "zero" it?
>>
>> I understand that this is a problem with physical disks (using phy:/), just
>> wondering if the same stands with RAM
>>
>> Thanks

On 06/12/2010 07:35, "Jonathan Tripathy" <jonnyt@abpni.co.uk> wrote:

> Just a few questions:
>
> 1) By saying "the guest's responsibility", does this mean that
> CONFIG_XEN_SCRUB_PAGES=y is set in the DomU kernel config?

Yes.

> 2) Also, if a DomU was shutdown by xm destroy, obviously the DomU
> wouldn't scrub the RAM. However would Xen still scrub the RAM?

Xen always scrubs memory on behalf of a dead domain.

> 3) If the physical server was shutdown (e.g. plug pulled), I'm guessing
> this will present a problem?

Xen scrubs all memory during boot, unless told not to via a boot parameter.

> 4) Why doesn't Xen scrub the RAM before giving it to the DomU?

It does in the above circumstances. Otherwise it is up to the domU, and why not.

 -- Keir

> Thanks
>
> On 06/12/10 14:49, George Dunlap wrote:
>> I looked into this sometime this last year. I believe the answer is
>> "no": the domain destruction routines will zero memory before handing
>> it back to Xen.
>>
>> One potential data leak, however (last time I looked at this), is that
>> Xen does not scrub memory handed back by the balloon driver. So if
>> the guest OS hasn't scrubbed it, and it contains sensitive
>> information, it may end up being assigned to another domain as-is
>> (either via ballooning or start-of-day domain creation). At the
>> moment that's considered the guest's responsibility.
>>
>> -George
>>
>> On Mon, Dec 6, 2010 at 2:35 PM, Jonathan Tripathy <jonnyt@abpni.co.uk> wrote:
>>> Hi Everyone,
>>>
>>> In Xen, is a DomU able to access data in RAM which a previous DomU has
>>> stored in the past, but didn't "zero" it?
>>>
>>> I understand that this is a problem with physical disks (using phy:/), just
>>> wondering if the same stands with RAM
>>>
>>> Thanks

> Xen always scrubs memory on behalf of a dead domain.
>
>> 3) If the physical server was shutdown (e.g. plug pulled), I'm guessing
>> this will present a problem?
> Xen scrubs all memory during boot, unless told not to via a boot parameter.
>

Now this bit of code makes me happy!

Just wondering, if Xen scrubs all memory during boot, why is booting the Hypervisor so fast? My machine has 8GB of RAM and starts nice and snappy..

>> 4) Why doesn't Xen scrub the RAM before giving it to the DomU?
> It does in the above circumstances. Otherwise it is up to the domU, and why
> not.
>

I think that with the on-booting and the on-destroy scrubbing, my 4) point above is moot :)

Cheers

On 06/12/2010 08:31, "Jonathan Tripathy" <jonnyt@abpni.co.uk> wrote:

>>> 3) If the physical server was shutdown (e.g. plug pulled), I'm guessing
>>> this will present a problem?
>> Xen scrubs all memory during boot, unless told not to via a boot parameter.
>>
> Now this bit of code makes me happy!
>
> Just wondering, if Xen scrubs all memory during boot, why is booting the
> Hypervisor so fast? My machine has 8GB of RAM and starts nice and snappy..

It probably takes just a couple of seconds to scrub 8GB. Xen does the scrubbing immediately before starting dom0, and you should see it say 'Scrubbing RAM...' and extra dots continue to appear until scrubbing is complete.

 -- Keir

On 06/12/10 16:52, Keir Fraser wrote:
> On 06/12/2010 08:31, "Jonathan Tripathy" <jonnyt@abpni.co.uk> wrote:
>
>>>> 3) If the physical server was shutdown (e.g. plug pulled), I'm guessing
>>>> this will present a problem?
>>> Xen scrubs all memory during boot, unless told not to via a boot parameter.
>>>
>> Now this bit of code makes me happy!
>>
>> Just wondering, if Xen scrubs all memory during boot, why is booting the
>> Hypervisor so fast? My machine has 8GB of RAM and starts nice and snappy..
> It probably takes just a couple of seconds to scrub 8GB. Xen does the
> scrubbing immediately before starting dom0, and you should see it say
> 'Scrubbing RAM...' and extra dots continue to appear until scrubbing is
> complete.
>
> -- Keir
>

I guess in my head I'm comparing RAM scrubbing to dd if=/dev/zero, which takes longer as it's usually to disk

>>> On 06.12.10 at 17:52, Keir Fraser <keir@xen.org> wrote:
> On 06/12/2010 08:31, "Jonathan Tripathy" <jonnyt@abpni.co.uk> wrote:
>
>>>> 3) If the physical server was shutdown (e.g. plug pulled), I'm guessing
>>>> this will present a problem?
>>> Xen scrubs all memory during boot, unless told not to via a boot parameter.
>>>
>> Now this bit of code makes me happy!
>>
>> Just wondering, if Xen scrubs all memory during boot, why is booting the
>> Hypervisor so fast? My machine has 8GB of RAM and starts nice and snappy..
>
> It probably takes just a couple of seconds to scrub 8GB. Xen does the

Plus it doesn't scrub the memory assigned to Dom0.

> scrubbing immediately before starting dom0, and you should see it say
> 'Scrubbing RAM...' and extra dots continue to appear until scrubbing is
> complete.

Jan

>>>>> 3) If the physical server was shutdown (e.g. plug pulled), I'm guessing
>>>>> this will present a problem?
>>>> Xen scrubs all memory during boot, unless told not to via a boot parameter.
>>>>
>>> Now this bit of code makes me happy!
>>>
>>> Just wondering, if Xen scrubs all memory during boot, why is booting the
>>> Hypervisor so fast? My machine has 8GB of RAM and starts nice and snappy..
>> It probably takes just a couple of seconds to scrub 8GB.
> Plus it doesn't scrub the memory assigned to Dom0.
>

Doesn't this mean that if Dom0 releases some memory back to Xen, then Xen gives it to another domain, data leakage could occur?

Would one way to prevent this be to disable ballooning?

Thanks

On 06/12/10 17:12, Jonathan Tripathy wrote:
>>>>>> 3) If the physical server was shutdown (e.g. plug pulled), I'm guessing
>>>>>> this will present a problem?
>>>>> Xen scrubs all memory during boot, unless told not to via a boot
>>>>> parameter.
>>>>>
>>>> Now this bit of code makes me happy!
>>>>
>>>> Just wondering, if Xen scrubs all memory during boot, why is
>>>> booting the
>>>> Hypervisor so fast? My machine has 8GB of RAM and starts nice and
>>>> snappy..
>>> It probably takes just a couple of seconds to scrub 8GB.
>> Plus it doesn't scrub the memory assigned to Dom0.
>>
> Doesn't this mean that if Dom0 releases some memory back to Xen, then
> Xen gives it to another domain, data leakage could occur?
>
> Would one way to prevent this be to disable ballooning?

Silly me, Dom0 should scrub the RAM before releasing it back to Xen, as mentioned in previous post!

If you enable the "Scrub RAM before freeing it to XEN" in your DomU kernel, it is always overwritten with (I assume random) data before the pages are returned to the pool of free memory. This should also apply on memory freed by shrinking operations (xm mem-set ...) and of course on DomU shutdown.

You should always enable this option, because cryptographic keys, private data etc. would rest in XEN's memory until either another DomU gets it (and can read that) or the Dom0 shuts down (reboot sometimes even preserves RAM, but the hypervisor is scrubbing all RAM which is not assigned to the Dom0, to prevent readable traces after hard resets etc.). With correct kernel configuration, the DomU memory should be totally safe.

On 06.12.2010 11:17, Jonathan Tripathy wrote:
>
> Hi Everyone,
>
> In Xen, is a DomU able to access data in RAM which a previous DomU has
> stored in the past, but didn't "zero" it?
>
> I understand that this is a problem with physical disks (using phy:/),
> just wondering if the same stands with RAM
>
> Thanks

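
The scrubbing rules stated in this thread (scrub at boot, scrub when a domain is destroyed, no hypervisor-side scrub of ballooned-out pages), as an added toy model that is not part of any post and is not Xen code. The `Host` class, the `leaks` helper, the 16-byte page size and the sample secret are all constructed for illustration, and the model ignores the Dom0 exception mentioned above.

```python
"""Toy model of the page-scrubbing rules described in this thread (not Xen code)."""

PAGE = 16                      # constructed toy page size; real pages are 4 KiB
STALE = b"STALE-FROM-RESET"    # constructed contents surviving a hard reset


class Host:
    def __init__(self, npages, bootscrub=True):
        self.ram = [STALE] * npages
        self.free = list(range(npages))
        self.owned = {}                      # domain name -> page numbers
        if bootscrub:                        # scrub of free RAM during boot
            for p in self.free:
                self._scrub(p)

    def _scrub(self, p):
        self.ram[p] = bytes(PAGE)

    def create(self, dom, n):
        # Pages are handed out as-is; nothing is scrubbed at allocation time.
        self.owned[dom] = [self.free.pop() for _ in range(n)]

    def write(self, dom, idx, data):
        self.ram[self.owned[dom][idx]] = data.ljust(PAGE, b"\0")[:PAGE]

    def read_all(self, dom):
        return b"".join(self.ram[p] for p in self.owned[dom])

    def balloon_out(self, dom, idx, guest_scrubs):
        # The hypervisor does not scrub here; only the guest can
        # (the CONFIG_XEN_SCRUB_PAGES behaviour discussed in the thread).
        p = self.owned[dom].pop(idx)
        if guest_scrubs:
            self._scrub(p)
        self.free.append(p)

    def destroy(self, dom):
        # Memory of a dead domain is always scrubbed by the hypervisor.
        for p in self.owned.pop(dom):
            self._scrub(p)
            self.free.append(p)


def leaks(path, guest_scrubs=False):
    """True if a newly created domain 'b' can read the secret left by 'a'."""
    host = Host(npages=4)
    host.create("a", 2)
    host.write("a", 0, b"SECRET-KEY")
    if path == "balloon":
        host.balloon_out("a", 0, guest_scrubs)
    else:
        host.destroy("a")
    host.create("b", 1)
    return b"SECRET-KEY" in host.read_all("b")
```

Only the balloon path with an unscrubbing guest exposes the secret to the next domain; constructing `Host(..., bootscrub=False)` shows the separate case of stale contents surviving a reset.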