Hi all,

found some security related stuff on exporting PCI devices (maybe nothing new).

A few words ahead: I know that a normal admin never ever would configure a machine as I did during testing ;-)

When I reconfigured my testing machine, I wanted to use a different NIC for my dom0. So I hid the old PCI device from dom0 (to have it available for a domU) and dom0 used the device as eth0 that I wanted it to use. Bridging for that device was also configured. I accidentally forgot to apply those changes to the domU config which used the NIC as its eth0 before.

So I started up all domUs. They all came up, also the conflicting one. I could use the NIC in dom0 and in the respective domU. Tried to ping hosts from both domains and also downloaded stuff from the internet. When I shut down the domU, it also crashed eth0 in dom0 (no wonder, same HW). The ethernet device was, as far as I know, the only thing that was affected. The network in dom0 could not be restarted. Xen-Linux itself ran on and I could even start new domains ;-)

Next thing I tried was to see what effects there are from having two domUs use the same PCI device.

Trying to export a PCI device to two domUs (without bridging) worked also, except that the domain that started first lost network completely while the second domU worked as expected. Shutting one of the domUs down crashed the whole machine. Had to reset it.

As long as a privileged domU has a kernel that supports, for example, NIC PCI access, it is not even necessary to hide PCI devices from dom0. A simple parameter (pci = ['00,03,00']) in the domU config is enough to lead to undefined and unwanted behaviour.

Maybe someone finds a way to abuse such behaviour? Does it pose a possible security threat or can this issue just be disregarded?

I think there should be some kind of check, when starting up a domain, of whether a PCI device is already in use. There is for example a check of whether the PCI export has the right format before creating a domain. Maybe some kind of list in the xend daemon could do the trick. If a domain gets started, a test on that list could be performed. If a device is listed in there, it's in use and the new domain won't be created.

Another question is, can I still speak of complete virtualization if domains have the possibility to access HW directly? (e.g. two domUs with each having their own properly configured ethernet device? Not as described above ;-))

Regards, Andreas

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
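The pre-start check Andreas asks for, written out as an added example. This is neither his code nor anything from xend; it is a stand-alone script that builds the "list of devices in use" he proposes and refuses a domU config that claims a device dom0 or a running domU already owns. The domU config syntax (pci = ['bb,dd,ff', ...]) is the one shown in the post. Everything else is an assumption of this example: the hypervisor boot option physdev_dom0_hide=(bb:dd.f)(bb:dd.f) used to work out which devices dom0 still drives, the host device list, the sample configs and the domain names, all of which are constructed to mirror the situation in the post.

```python
import re

# Xen 2.0-style domU config line, as in the post:  pci = ['00,03,00', '00,04,00']
PCI_LINE = re.compile(r"^\s*pci\s*=\s*\[(.*?)\]", re.M | re.S)
PCI_DEV = re.compile(
    r"['\"]\s*([0-9a-fA-F]{1,2})\s*,\s*([0-9a-fA-F]{1,2})\s*,\s*([0-9a-fA-F]{1,2})\s*['\"]")
# Hypervisor boot option that hides devices from dom0. The syntax
# physdev_dom0_hide=(bb:dd.f)(bb:dd.f)... is an assumption of this example.
HIDE_OPT = re.compile(r"physdev_dom0_hide=((?:\([0-9a-fA-F:.]+\))+)")
HIDE_DEV = re.compile(r"\(([0-9a-fA-F]{1,2}):([0-9a-fA-F]{1,2})\.([0-9a-fA-F])\)")


def _bdf(b, d, f):
    """(bus, device, function) tuple from three hex strings."""
    return (int(b, 16), int(d, 16), int(f, 16))


def parse_pci_list(config_text):
    """Set of (bus, dev, func) tuples a domU config asks for; empty if no pci line."""
    m = PCI_LINE.search(config_text)
    if m is None:
        return set()
    return {_bdf(*t) for t in PCI_DEV.findall(m.group(1))}


def parse_dom0_hide(cmdline):
    """Devices hidden from dom0 by the hypervisor command line."""
    m = HIDE_OPT.search(cmdline)
    if m is None:
        return set()
    return {_bdf(*t) for t in HIDE_DEV.findall(m.group(1))}


def fmt(dev):
    """Render a tuple in the post's 'bb,dd,ff' notation."""
    return "%02x,%02x,%02x" % dev


def pci_owners(host_devices, cmdline, running):
    """The 'list in xend' the post proposes: device -> current owner.

    dom0 owns every host device that was not hidden from it; running domUs
    own what their configs claim. The first claimant wins, a later claimant
    of the same device is exactly the conflict this check exists to refuse.
    """
    owners = {}
    for dev in set(host_devices) - parse_dom0_hide(cmdline):
        owners[dev] = "Domain-0"
    for name, text in running.items():
        for dev in parse_pci_list(text):
            owners.setdefault(dev, name)
    return owners


def check_start(config_text, owners):
    """Conflicts that must stop a new domain: [('bb,dd,ff', owner), ...]; empty means go."""
    wanted = parse_pci_list(config_text)
    return sorted((fmt(dev), owners[dev]) for dev in wanted if dev in owners)


# Constructed sample mirroring the post: three NICs, two hidden from dom0,
# dom0 still driving 00:03.0 as its eth0, and domU "web" already running with 00:04.0.
HOST_DEVICES = [(0x00, 0x03, 0x00), (0x00, 0x04, 0x00), (0x00, 0x05, 0x00)]
XEN_CMDLINE = "dom0_mem=131072 physdev_dom0_hide=(00:04.0)(00:05.0)"
RUNNING = {"web": "kernel = '/boot/vmlinuz-2.6-xenU'\nmemory = 128\npci = ['00,04,00']\n"}
# The stale config from the post: still claims the NIC dom0 now uses, plus web's NIC.
STALE_CFG = "memory = 64\nkernel = '/boot/vmlinuz-2.6-xenU'\npci = ['00,03,00', '00,04,00']\n"
FIXED_CFG = "memory = 64\nkernel = '/boot/vmlinuz-2.6-xenU'\npci = ['00,05,00']\n"


def demo():
    """Run the check for the stale and the corrected config; returns both conflict lists."""
    owners = pci_owners(HOST_DEVICES, XEN_CMDLINE, RUNNING)
    return check_start(STALE_CFG, owners), check_start(FIXED_CFG, owners)


if __name__ == "__main__":
    stale, fixed = demo()
    for dev, owner in stale:
        print("refusing to start: PCI device %s is already in use by %s" % (dev, owner))
    print("corrected config conflicts:", fixed)
```

Run as a script it refuses the stale config twice (00,03,00 is dom0's, 00,04,00 is web's) and passes the corrected one. In a real xend the owner table would be rebuilt from the running domains on every create rather than from config files, and a device should also be released from the table when its domain shuts down; otherwise a device stays "in use" forever after a crash.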
Hi again,

I am sorry, forgot to mention the Xen version. It's the current xen-2.0.7 from yesterday.

Regards
Andreas
On Friday 05 August 2005 11:10, Andreas Seuss wrote:
> Maybe someone finds a way to abuse such behaviour? Does it pose a
> possible security threat or can this issue just be disregarded?

Well, domains with hardware access can't really be made secure, and IIRC the documentation also says so. Just imagine a busmaster-capable PCI device: the domU with access to it could instruct it to overwrite arbitrary memory locations, even inside the hypervisor.

So unless the hypervisor traps ALL hardware accesses and checks them for validity (which would require Xen to know everything about all hardware to be used, ...) before executing them, a malicious domain with hardware access can always crash the system...

That approach would be rather slow (about the speed of completely emulated hardware, I'd suppose), so just exporting virtual devices from a driver domain is way easier (and probably much faster) if you need protection from malicious domUs.

Maybe the hardware support for virtualization in the next generation CPUs will provide a solution there...

/Ernst