Xen devel - Jun 2011 - Xen memory management

Hi,

Is there anybody who has some experience at memory management of Xen? I just
want to know whether Xen hypervisor will map memory from different VMs to
the same physical memory address, which is insecure. Thanks.

Regards,
Cong


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel

Hi David, 

At 18:59 -0400 on 22 Jun (1308769177), David Xu wrote:
> Is there anybody who has some experience at memory management of Xen? I
just
> want to know whether Xen hypervisor will map memory from different VMs to
> the same physical memory address
Yes; see page-sharing, grant tables, privileged foreign mappings &c. 
>, which is insecure.
Not if you do it right. :)  What exactly is your concern?

Tim.

-- 
Tim Deegan <Tim.Deegan@citrix.com>
Principal Software Engineer, Xen Platform Team
Citrix Systems UK Ltd.  (Company #02937203, SL9 0BG)

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel

Thanks. My concern is that if several VMs are mapped to same memory, one VM
may get something from the memory which has ever been used by another VM.
This may cause some secure problems.

Regards,
Cong

2011/6/23 Tim Deegan <Tim.Deegan@citrix.com>
> Hi David,
>
> At 18:59 -0400 on 22 Jun (1308769177), David Xu wrote:
> > Is there anybody who has some experience at memory management of Xen?
I
> just
> > want to know whether Xen hypervisor will map memory from different VMs
to
> > the same physical memory address
>
> Yes; see page-sharing, grant tables, privileged foreign mappings &c.
>
> >, which is insecure.
>
> Not if you do it right. :)  What exactly is your concern?
>
> Tim.
>
> --
> Tim Deegan <Tim.Deegan@citrix.com>
> Principal Software Engineer, Xen Platform Team
> Citrix Systems UK Ltd.  (Company #02937203, SL9 0BG)
>

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel

On 23/06/2011 23:08, David Xu wrote:
> Thanks. My concern is that if several VMs are mapped to same memory, 
> one VM may get something from the memory which has ever been used by 
> another VM. This may cause some secure problems.
>
>
>
Someone correct me if I''m wrong, but I''m pretty sure that a
DomU kernel
(If the flag is set correctly during compile time) will scrub (i.e. 
"zero") RAM first before releasing it to the Xen Hypervisor. Then 
hypervisor will then subsequently assign that bit of RAM to another domain.


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel

Sounds good. Does Xen VMM can control the mapping between a part of memory
and cache line? That is to say I wander whether Xen can guarantee different
VMs will use different cache line. Thanks.

Regards,
Cong

2011/6/23 Jonathan Tripathy <jonnyt@abpni.co.uk>
> **
>
> On 23/06/2011 23:08, David Xu wrote:
>
> Thanks. My concern is that if several VMs are mapped to same memory, one VM
> may get something from the memory which has ever been used by another VM.
> This may cause some secure problems.
>
>
>
>  Someone correct me if I''m wrong, but I''m pretty sure
that a DomU kernel
> (If the flag is set correctly during compile time) will scrub (i.e.
"zero")
> RAM first before releasing it to the Xen Hypervisor. Then hypervisor will
> then subsequently assign that bit of RAM to another domain.
>
> _______________________________________________
> Xen-devel mailing list
> Xen-devel@lists.xensource.com
> http://lists.xensource.com/xen-devel
>
>

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel

On 24/06/2011 00:50, David Xu wrote:
>
> 2011/6/23 Jonathan Tripathy <jonnyt@abpni.co.uk 
> <mailto:jonnyt@abpni.co.uk>>
>
>
>     On 23/06/2011 23:08, David Xu wrote:
>>     Thanks. My concern is that if several VMs are mapped to same
>>     memory, one VM may get something from the memory which has ever
>>     been used by another VM. This may cause some secure problems.
>>
>>
>>
>     Someone correct me if I''m wrong, but I''m pretty sure
that a DomU
>     kernel (If the flag is set correctly during compile time) will
>     scrub (i.e. "zero") RAM first before releasing it to the Xen
>     Hypervisor. Then hypervisor will then subsequently assign that bit
>     of RAM to another domain.
>
> Sounds good. Does Xen VMM can control the mapping between a part of 
> memory and cache line? That is to say I wander whether Xen can 
> guarantee different VMs will use different cache line. Thanks.
>
> Regards,
> Cong
Please don''t top post :)

I''m not a Xen dev, so it would be great if a dev could let me know if 
I''m talking rubbish or not. However from my very limited knowledge of 
how CPU caches work (which comes from basic single CPU, non VMM related 
system), common sense would tell me that the cache line would be 
different for each DomU, as a CPUs cache is inherently linked to main 
memory (RAM). I believe that the process used to access data from memory 
is abstracted by the CPU, so assuming that Xen prevents access to RAM 
from another DomU, I guess it would make sense to say that any data that 
is cached in the CPU is protected.

Then again, I could be completly wrong......



_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel

On a shared-memory system with multi-core cpu, can one VM occupy all cache
and prevent other VMs using cache efficiently?

Thanks for reply from all of you. I am reading a paper which tells some
secure problem of Xen VMM. I am not familiar with something that is related
to those problems. So I really need your help. Of course, please feel free
to post your opinion. Anybody is welcome to have a discuss.

2011/6/23 Jonathan Tripathy <jonnyt@abpni.co.uk>
> **
>
> On 24/06/2011 00:50, David Xu wrote:
>
>
>  2011/6/23 Jonathan Tripathy <jonnyt@abpni.co.uk>
>
>>
>> On 23/06/2011 23:08, David Xu wrote:
>>
>> Thanks. My concern is that if several VMs are mapped to same memory,
one
>> VM may get something from the memory which has ever been used by
another VM.
>> This may cause some secure problems.
>>
>>
>>
>>  Someone correct me if I''m wrong, but I''m pretty sure
that a DomU kernel
>> (If the flag is set correctly during compile time) will scrub (i.e.
"zero")
>> RAM first before releasing it to the Xen Hypervisor. Then hypervisor
will
>> then subsequently assign that bit of RAM to another domain.
>>
>>  Sounds good. Does Xen VMM can control the mapping between a part of
> memory and cache line? That is to say I wander whether Xen can guarantee
> different VMs will use different cache line. Thanks.
>
>  Regards,
> Cong
>
>
> Please don''t top post :)
>
> I''m not a Xen dev, so it would be great if a dev could let me know
if I''m
> talking rubbish or not. However from my very limited knowledge of how CPU
> caches work (which comes from basic single CPU, non VMM related system),
> common sense would tell me that the cache line would be different for each
> DomU, as a CPUs cache is inherently linked to main memory (RAM). I believe
> that the process used to access data from memory is abstracted by the CPU,
> so assuming that Xen prevents access to RAM from another DomU, I guess it
> would make sense to say that any data that is cached in the CPU is
> protected.
>
> Then again, I could be completly wrong......
>
>

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel

On Thu, Jun 23, 2011 at 8:37 PM, David Xu <davidxu06@gmail.com> wrote:
>  On a shared-memory system with multi-core cpu, can one VM occupy all cache
> and prevent other VMs using cache efficiently?
>
> Thanks for reply from all of you. I am reading a paper which tells some
> secure problem of Xen VMM. I am not familiar with something that is related
> to those problems. So I really need your help. Of course, please feel free
> to post your opinion. Anybody is welcome to have a discuss.
>
>
> 2011/6/23 Jonathan Tripathy <jonnyt@abpni.co.uk>
>
>> **
>>
>> On 24/06/2011 00:50, David Xu wrote:
>>
>>
>>  2011/6/23 Jonathan Tripathy <jonnyt@abpni.co.uk>
>>
>>>
>>> On 23/06/2011 23:08, David Xu wrote:
>>>
>>> Thanks. My concern is that if several VMs are mapped to same
memory, one
>>> VM may get something from the memory which has ever been used by
another VM.
>>> This may cause some secure problems.
>>>
>>>
>>>
>>>  Someone correct me if I''m wrong, but I''m pretty
sure that a DomU kernel
>>> (If the flag is set correctly during compile time) will scrub (i.e.
"zero")
>>> RAM first before releasing it to the Xen Hypervisor. Then
hypervisor will
>>> then subsequently assign that bit of RAM to another domain.
>>>
>>>  Sounds good. Does Xen VMM can control the mapping between a part
of
>> memory and cache line? That is to say I wander whether Xen can
guarantee
>> different VMs will use different cache line. Thanks.
>>
>>  Regards,
>> Cong
>>
>>
>> Please don''t top post :)
>>
>> I''m not a Xen dev, so it would be great if a dev could let me
know if I''m
>> talking rubbish or not. However from my very limited knowledge of how
CPU
>> caches work (which comes from basic single CPU, non VMM related
system),
>> common sense would tell me that the cache line would be different for
each
>> DomU, as a CPUs cache is inherently linked to main memory (RAM). I
believe
>> that the process used to access data from memory is abstracted by the
CPU,
>> so assuming that Xen prevents access to RAM from another DomU, I guess
it
>> would make sense to say that any data that is cached in the CPU is
>> protected.
>>
>> Then again, I could be completly wrong......
>>
>>
>
> _______________________________________________
> Xen-devel mailing list
> Xen-devel@lists.xensource.com
> http://lists.xensource.com/xen-devel
>
>
Have a look at this:

http://cseweb.ucsd.edu/~hovav/dist/cloudsec.pdf

_SDK


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel

Hi, 

At 21:37 -0400 on 23 Jun (1308865026), David Xu wrote:
>  On a shared-memory system with multi-core cpu, can one VM occupy all cache
> and prevent other VMs using cache efficiently?
*Please* don''t top-post. 

Xen currently has no mechanism to enforce fair use of the cache, though
its coarse-grained scheduling might help a bit.  Likewise there''s no
explicit defence against side-channel attacks based on cache timing.
I suspect both attacks are probably harder in a VMM than an OS, because
it''s hard to know when or where your target VCPU is running, but
I''ve
seen enough clever exploits not to claim it can''t be done!
> Thanks for reply from all of you. I am reading a paper which tells some
> secure problem of Xen VMM.
Can you share it with us, maybe?  Vulnerability reports are encouraged,
to the security@xen.org email address.  Our draft disclosure process is
here: 
http://lists.xensource.com/archives/html/xen-devel/2011-05/msg01591.html
> >> Thanks. My concern is that if several VMs are mapped to same
memory, one
> >> VM may get something from the memory which has ever been used by
another VM.
> >> This may cause some secure problems.
General VM memory is only shared
 - with privileged VMs (i.e. dom0);
 - with per-VM device-emulation VMs (which effectively live inside the 
   VM''s protection space) so they can emulate DMA; and 
 - with other VMs as specified by the owning VM''s ACL (grant tables).

Memory that is freed by a guest (e.g. when ballooning) must be scrubbed
by the guest before returning it.  The exception is domain destruction,
when the memory of the dead domain is scrubbed by Xen.

Cheers,

Tim.

-- 
Tim Deegan <Tim.Deegan@citrix.com>
Principal Software Engineer, Xen Platform Team
Citrix Systems UK Ltd.  (Company #02937203, SL9 0BG)

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel

Hi,

I''ve read that paper you sent to me before, and the paper I am reading
now
is truly related to that paper. The difference is that one is to create
covert  channels between cooperating processes running in different VMs, the
other is to infer something important of a victim VM from a attacking VM
according to detected cache activity.  However the paper I am reading does
not tell me how to trace the owner of the detected cache activity. Usually,
there are many VMs on one cloud server. And the vCPUs of those VMs are
frequently migrating among pCPUs. So the VM which shares LLC with the
attacking VM is indeterminate. I think only detecting some cache activity
without knowing its owner is not powerful.

Thanks,
Cong

2011/6/24 Srujan Kotikela <ksrujandas@gmail.com>
>
> On Thu, Jun 23, 2011 at 8:37 PM, David Xu <davidxu06@gmail.com>
wrote:
>
>>  On a shared-memory system with multi-core cpu, can one VM occupy all
>> cache and prevent other VMs using cache efficiently?
>>
>> Thanks for reply from all of you. I am reading a paper which tells some
>> secure problem of Xen VMM. I am not familiar with something that is
related
>> to those problems. So I really need your help. Of course, please feel
free
>> to post your opinion. Anybody is welcome to have a discuss.
>>
>>
>> 2011/6/23 Jonathan Tripathy <jonnyt@abpni.co.uk>
>>
>>> **
>>>
>>> On 24/06/2011 00:50, David Xu wrote:
>>>
>>>
>>>  2011/6/23 Jonathan Tripathy <jonnyt@abpni.co.uk>
>>>
>>>>
>>>> On 23/06/2011 23:08, David Xu wrote:
>>>>
>>>> Thanks. My concern is that if several VMs are mapped to same
memory, one
>>>> VM may get something from the memory which has ever been used
by another VM.
>>>> This may cause some secure problems.
>>>>
>>>>
>>>>
>>>>  Someone correct me if I''m wrong, but I''m
pretty sure that a DomU
>>>> kernel (If the flag is set correctly during compile time) will
scrub (i.e.
>>>> "zero") RAM first before releasing it to the Xen
Hypervisor. Then hypervisor
>>>> will then subsequently assign that bit of RAM to another
domain.
>>>>
>>>>  Sounds good. Does Xen VMM can control the mapping between a
part of
>>> memory and cache line? That is to say I wander whether Xen can
guarantee
>>> different VMs will use different cache line. Thanks.
>>>
>>>  Regards,
>>> Cong
>>>
>>>
>>> Please don''t top post :)
>>>
>>> I''m not a Xen dev, so it would be great if a dev could let
me know if I''m
>>> talking rubbish or not. However from my very limited knowledge of
how CPU
>>> caches work (which comes from basic single CPU, non VMM related
system),
>>> common sense would tell me that the cache line would be different
for each
>>> DomU, as a CPUs cache is inherently linked to main memory (RAM). I
believe
>>> that the process used to access data from memory is abstracted by
the CPU,
>>> so assuming that Xen prevents access to RAM from another DomU, I
guess it
>>> would make sense to say that any data that is cached in the CPU is
>>> protected.
>>>
>>> Then again, I could be completly wrong......
>>>
>>>
>>
>> _______________________________________________
>> Xen-devel mailing list
>> Xen-devel@lists.xensource.com
>> http://lists.xensource.com/xen-devel
>>
>>
> Have a look at this:
>
> http://cseweb.ucsd.edu/~hovav/dist/cloudsec.pdf
>
> _SDK
>

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel