Re: [Xen-devel] Security Implications of letting customers use their own kernel
On Thu, Dec 16, 2010 at 3:51 AM, James Harper <james.harper@xxxxxxxxxxxxxxxx> wrote:
> An area of potential concern is if someone were to build a kernel that enabled "No Execute" or "Disable Execution", could that compromise other DomUs? Or would that just leave their DomU vulnerable to running malicious code?

I assume you mean a kernel that *disabled* No-Execute?

> Given that Xen is used in many hosting companies around the world, such as Amazon, isn't this alarming?

No -- Xen should isolate decisions of individual VMs from each other (if the NX bit can be disabled from a PV kernel at all -- I'm not sure about that). That said, developers certainly *aim* to make it the case that a DomU cannot crash or gain access to Xen or Dom0 (or affect other security measures, like NX, in any way). However, as far as I'm aware, there is no testing or auditing done to verify this.

And as James H. said, buggy DomU drivers do occasionally crash dom0: and if untrusted code can accidentally crash privileged code, it's often the case that a well-crafted exploit can use the same bug to gain control of the privileged code.

 -George
_______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxxxxxxxx http://lists.xensource.com/xen-devel