[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] Academic Project

To: dinesh chandrasekaran <dinesh_chan8@xxxxxxxxxxx>
From: Christian Leber <christian@xxxxxxxx>
Date: Thu, 5 Mar 2009 09:47:05 +0100
Cc: xen-devel@xxxxxxxxxxxxxxxxxxx
Delivery-date: Thu, 05 Mar 2009 00:47:31 -0800
List-id: Xen developer discussion <xen-devel.lists.xensource.com>

On Wed, Mar 04, 2009 at 10:11:41PM +0530, dinesh chandrasekaran wrote:

Hi dinesh

>    Xen talks to the protection hardware behind which all the guest memory
>    exists.

The memory is mapped.

And i was wrong, the dom0 can't just access all memory in the system.

>    This is more secure because,
>    now if do the following you cannot extract any useful information
>    1) xm save Guest guest.dump (assuming a guest named "Guest" is already
>    running)
>     this would dump the guest memory into a file in the dom0 disk.
>    2) Strings on guest.dump

So encrypt it in the Xen kernel.

>    Since this guest.dump is encrypted by the protection hardware, and Xen
>    just informed that "dom0 is running",

That assumes that the dom0 always has to run alone on the machine, in 2009 the
minimum server has 8 cores (next year 12) and often more.

>    the encypted memory will only be released to dom0. This will be dumped
>    into s file in dom0 disk.

Ok, so by taking a step back and looking at the problem again, i think
you are basically facing two possibilities:

1.) The security of the Xen kernel is brocken
    -> You are lost, your hardware can't protect anything.

2.) The security of the Xen kernel is not brocke
    -> Why on earth hardware? What you can do in Verilog on an FPGA, can
       be done much more conveniently in C in the Xen kernel.
       (Don't get me wrong, I'm all pro building hardware.)

Encypting in hardware gets interesting again when you want to try to protect
against physical attacks to the system. (assuming very good case intrusion
detection)

>    > If not, then it controls at least some hardware that can do DMA
>    > and can this way access all the memory.
>    You are correct. I will have to figure out a way in future to protect
>    against such type of DMA attacks.

Well, solutions exist most likely in the form of IOMMUs.


Christian

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel

Follow-Ups:
- RE: [Xen-devel] Academic Project
  - From: dinesh chandrasekaran

References:
- RE: [Xen-devel] Academic Project
  - From: dinesh chandrasekaran
- Re: [Xen-devel] Academic Project
  - From: Christian Leber
- RE: [Xen-devel] Academic Project
  - From: dinesh chandrasekaran
- Re: [Xen-devel] Academic Project
  - From: Christian Leber
- RE: [Xen-devel] Academic Project
  - From: dinesh chandrasekaran
- Re: [Xen-devel] Academic Project
  - From: Christian Leber
- RE: [Xen-devel] Academic Project
  - From: dinesh chandrasekaran

Prev by Date: Re: [Xen-devel] [RFC] Use device path to assign devices to guest domain
Next by Date: Re: [Xen-devel] [rfc 00/18] ioemu: use devfn instead of slots as the unit for passthrough
Previous by thread: RE: [Xen-devel] Academic Project
Next by thread: RE: [Xen-devel] Academic Project
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.