[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] sHype Hypervisor Security Architecture for Xen


  • To: xen-devel@xxxxxxxxxxxxxxxxxxxxx
  • From: Reiner Sailer <sailer@xxxxxxxxxx>
  • Date: Fri, 21 Jan 2005 09:13:15 -0500
  • Delivery-date: Fri, 21 Jan 2005 14:16:27 +0000
  • List-id: List for Xen developers <xen-devel.lists.sourceforge.net>
  • Sensitivity:


xen-devel-admin@xxxxxxxxxxxxxxxxxxxxx wrote on 01/20/2005 08:32:58 PM:

> Mark Williamson wrote:
> >>Information about other domains' memory usage is leaked via the
> >>hardware->physical mapping.
> >
> > OK, I was forgetting about the domain memory reservation hypercalls.  It's
> > probably reasonable just to throw away ballooning functionality where this
> > might be a problem.
> >
> > The main problem (as I see it) is going to be the network interface, whose
> > performance depends on page-flipping.  You can eliminate the
> security problem
> > without hiding machine address if you copy incoming packets but
> that's going
> > to hurt performance :-(
> >
> >>>Timing related attacks are somewhat trickier to eliminate covert channels
> >>>in, although some randomisation can limit the bandwidth.
> >>
> >>Eliminating covert channels is completely infeasible. I don't see any
> >>value in aiming for this. It's not a useful security property in most
> >>circumstances.
> >
> > I agree it's not useful in the majority of circumstances.  If it's
> required it
> > can be implemented at a later date but the returns for the amount of time
> > invested are likely to be smaller.
>
> It almost certainly can't be implemented at a later date. Even attempting
> to do so (without really succeeding) would require significant incompatible
> changes to the hypervisor interface.
>
> The idea of limiting covert channels should have been abandoned when it
> became clear that it isn't feasible without severely constraining the
> efficiency and functionality of an operating system. Unfortunately it is
> too interesting a problem, so a lot of effort has been essentially wasted
> in research into this area, without ever coming up with any way to limit
> the bandwidth to a useful extent. Attackers only need a very small
> bandwidth to transmit many of the things that are most useful from their
> point of view (cryptographic keys, passwords, compressed answers from a
> program that can look at any amount of data), so claims about limiting the
> bandwidth really just give a false sense of security.
>
> --
> David Hopwood <david.nospam.hopwood@xxxxxxxxxxxxxxxx>
>
>
Hello,

it is quite understandable that many people are sceptical regarding covert
channels. But as Trent mentioned, we are not currently aiming to address covert
channels.  They are difficult to detect, difficult to assess, and sometimes very
difficult  to close. Worst of all, no matter how hard you work, you're never done
(at least you never know).

Of course, all security-relevant properties of a system, including covert channels,
are relevant to the context of the security architecture.  But as others have said in this
discussion, there are more important points to discuss about the security model for Xen.

What we have implemented is a security architecture that integrates a reference
monitor into a core hypervisor. The expected usage is to create "associated sets"
of partitions, where partitions inside the same set can efficiently cooperate
by using the existing inter-partition communication mechanisms. At the same
time, partitions not inside the same set -- i.e., each having different security
requirements -- shall be strongly isolated from each other by the hypervisor.

Accordingly, the flow of information between partitions belonging to
different "security domains" must be explicitly mediated to prevent
leakage of information (this is an important issue from a secrecy
viewpoint) or to prevent spreading of malicious code (this is an
important issue from any viewpoint because integrity is a basis
for secrecy as well).  We are targeting the hypervisor to enforce the
security policy because the extensive DOM0 seems too large to validate.

In summary, we are interested in minimizing covert channels only
as a consequence of the overall security architecture. Our major interest
for now is to describe our baseline security architecture and then work
out the details and configurations that seem reasonable to the Xen community.

Kindest regards

Reiner
__________________________________________________________
Reiner Sailer, Research Staff Member, Secure Systems Department
IBM T J Watson Research Ctr, 19 Skyline Drive, Hawthorne NY 10532
Phone: 914 784 6280  (t/l 863)  Fax: 914 784 6205, sailer@xxxxxxxxxx  
http://www.research.ibm.com/people/s/sailer/

 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.