[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] Security Implications of letting customers use theirown kernel



On Thu, Dec 16, 2010 at 3:51 AM, James Harper
<james.harper@xxxxxxxxxxxxxxxx>  wrote:

An area of potential concern is if someone were to build a kernel that
enabled "No Execute" or "Disable Execution", could that compromise

other

DomUs? Or would that just leave their DomU vulnerable to running
malicious code?

I assume you mean a kernel that *disabled* No-Execute?

Yes, sorry

No -- Xen
should isolate decisions of individual VMs from each other (if the NX
bit can be disabled from a PV kernel at all -- I'm not sure about
that).

That said, developers certainly *aim* to make it the case that a DomU
cannot crash or gain access to Xen or Dom0 (or affect other security
measures, like NX, in any way).
However, as far as I'm aware, there
is no testing or auditing done to verify this.
Given that Xen is used in many hosting companies around the world, such as Amazon, isn't this alarming? 
And as James H. said,
buggy DomU drivers do occasionally crash dom0: and if untrusted code
can accidentally crash privileged code, it's often the case that a
well-crafted exploit can use the same bug to gain control of the
privileged code.

  -George


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel