> Could someone please point me to a document that describes how the host
> protects and isolates the virtual machine to prevent accessing information
> on other hosts. For example, preventing Domain 1 from looking at Domain
> 2's memory space, hardware I/O, or network traffic (i.e. promiscuous
> mode).
For PV guests, memory space is protected by means of Xen validating each
pagetable update that's made by a guest. This prevents a guest from ever
generating a mapping that points to another guest.

For HVM guests, the pagetables are "shadowed" in order to virtualise the
physical address space; this means that there's actually no means for a
guest to specify a mapping of another guest's memory.

Grant tables are used to share memory in a secure, capability-based way.

IO is done through virtual interfaces, which are conventionally set up to
enforce isolation.

If you assign a physical PCI device to a guest then you throw away memory
isolation. A guest with physical PCI access could (in the face of a
sufficiently motivated attacker) own the whole host. So don't do that if
it's security critical :-)

Network traffic I'm not familiar enough with to evaluate in detail.
> Essentially, I want to be able to rate the isolation between wide
> open, and logically separate hardware.
Hope that helps some.
There are some descriptions of the workings here:
http://www.cl.cam.ac.uk/research/srg/netos/xen/architecture.html
which may illuminate too.
Cheers,
Mark
--
Dave: Just a question. What use is a unicyle with no seat? And no pedals!
Mark: To answer a question with a question: What use is a skateboard?
Dave: Skateboards have wheels.
Mark: My wheel has a wheel!
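A toy model of the pagetable validation and grant-table sharing described in the reply above, added here as an illustration; it is not Xen's own code. The `Hypervisor` and `Grant` names, the domain ids and the frame numbers are all constructed for the example.

```python
"""Toy model (constructed, not Xen's code) of a hypervisor validating
pagetable updates: a PV guest may only map frames it owns, or frames
another domain has explicitly shared with it through a grant table."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Grant:
    """One grant-table entry: 'granter' lets 'grantee' map frame 'mfn'."""
    granter: int
    grantee: int
    mfn: int
    readonly: bool


class Hypervisor:
    def __init__(self, frame_owner):
        # mfn -> owning domain id; the caller supplies constructed sample data
        self.frame_owner = dict(frame_owner)
        self.grants = []
        self.pagetables = {}  # (domid, vaddr) -> (mfn, writable)

    def add_grant(self, g):
        # A domain can only grant frames it actually owns.
        if self.frame_owner.get(g.mfn) != g.granter:
            raise PermissionError("granter does not own frame %#x" % g.mfn)
        self.grants.append(g)

    def update_pte(self, domid, vaddr, mfn, writable):
        """Validate a proposed PTE write; install it and return True,
        or reject it and return False without touching the pagetable."""
        owner = self.frame_owner.get(mfn)
        if owner is None:
            return False  # frame is not guest memory at all
        if owner != domid:
            permitted = any(
                g.grantee == domid and g.mfn == mfn
                and not (writable and g.readonly)
                for g in self.grants
            )
            if not permitted:
                return False  # would map another guest's memory
        self.pagetables[(domid, vaddr)] = (mfn, writable)
        return True
```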
_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users