30 messages in com.xensource.lists.xen-develRe: [Xen-devel] [PATCH][ACM] kernel e...| From | Sent On | Attachments |
|---|---|---|
| Bryan D. Payne | 24 Jul 2006 09:23 |  .diff |
| Keir Fraser | 24 Jul 2006 10:28 | |
| Bryan D Payne | 24 Jul 2006 13:09 | |
| Reiner Sailer | 24 Jul 2006 17:20 | |
| Keir Fraser | 25 Jul 2006 02:52 | |
| Bryan D Payne | 25 Jul 2006 10:45 | |
| Steven Hand | 25 Jul 2006 11:48 | |
| Mike D. Day | 26 Jul 2006 06:25 | |
| Keir Fraser | 26 Jul 2006 06:49 | |
| Reiner Sailer | 26 Jul 2006 08:47 | |
| Mike D. Day | 26 Jul 2006 10:45 | |
| Keir Fraser | 26 Jul 2006 11:06 | |
| Mike D. Day | 26 Jul 2006 11:23 | |
| Andrew Warfield | 26 Jul 2006 11:49 | |
| Reiner Sailer | 26 Jul 2006 14:21 | |
| Harry Butterworth | 26 Jul 2006 15:22 | |
| Reiner Sailer | 26 Jul 2006 15:51 | |
| Andrew Warfield | 26 Jul 2006 16:04 | |
| Harry Butterworth | 26 Jul 2006 18:40 | |
| Harry Butterworth | 27 Jul 2006 02:41 | |
| Reiner Sailer | 27 Jul 2006 08:37 | |
| Harry Butterworth | 27 Jul 2006 09:26 | |
| Harry Butterworth | 27 Jul 2006 09:36 | |
| Reiner Sailer | 27 Jul 2006 09:58 | |
| Harry Butterworth | 27 Jul 2006 10:06 | |
| Harry Butterworth | 27 Jul 2006 10:18 | |
| Reiner Sailer | 27 Jul 2006 10:38 | |
| Harry Butterworth | 27 Jul 2006 10:43 | |
| Reiner Sailer | 27 Jul 2006 10:52 | |
| Harry Butterworth | 27 Jul 2006 11:37 |
| Subject: | Re: [Xen-devel] [PATCH][ACM] kernel enforcement of vbd policies via blkback driver |
|---|---|
| From: | Keir Fraser (Keir...@cl.cam.ac.uk) |
| Date: | 07/26/2006 11:06:38 AM |
| List: | com.xensource.lists.xen-devel |
On 26 Jul 2006, at 18:46, Mike D. Day wrote:
If an attacker has access to the control plane (essentially anything with root privileges in domain0) what is to stop him from creating his own domain, with security credentials allowing it to communicate with domains A and B, and with its own proxy comms driver for circumventing any Xen checks that are intended to prevent communication between A and B?
It's all about defense in depth. It shouldn't be possible for a privilege escalation on dom0 to automatically compromise all the running domains. There should be hypervisor-level access control that authorizes changes to the access policy of a running domU. With the ability to store domain configuration remotely (coming in xend) we can then prevent a privilege escalation and a restart from compromising user domains.
Not sure I understand your answer, but if you have root on domain0 there's nothing to stop you circumventing xend entirely. The problem here is that dom0 is in the TCB: solutions might be either to lock down domain0 (very restricted remote access) to reduce risk of privilege escalation, or move the core control logic elsewhere (a mini-domain of some sort) and reduce the privileges of domain0 (the biggest part of the TCB). In the current situation with dom0: you show me a 'hack proof' set of access-control checks and I'm sure I can describe a workaround for a privileged attacker in dom0. For example, dom0 can map any other domain's memory, so it's trivial for an attacker to steal secrets.
-- Keir
_______________________________________________ Xen-devel mailing list Xen-...@lists.xensource.com http://lists.xensource.com/xen-devel