[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Xen-devel] Security Implications of letting customers use theirown kernel
On Thu, Dec 16, 2010 at 3:51 AM, James Harper
An area of potential concern is if someone were to build a kernel that
enabled "No Execute" or "Disable Execution", could that compromise
DomUs? Or would that just leave their DomU vulnerable to running
I assume you mean a kernel that *disabled* No-Execute?
Given that Xen is used in many hosting companies around the world, such
as Amazon, isn't this alarming?
No -- Xen
should isolate decisions of individual VMs from each other (if the NX
bit can be disabled from a PV kernel at all -- I'm not sure about
That said, developers certainly *aim* to make it the case that a DomU
cannot crash or gain access to Xen or Dom0 (or affect other security
measures, like NX, in any way).
However, as far as I'm aware, there
is no testing or auditing done to verify this.
And as James H. said,
buggy DomU drivers do occasionally crash dom0: and if untrusted code
can accidentally crash privileged code, it's often the case that a
well-crafted exploit can use the same bug to gain control of the
Xen-devel mailing list