
[Xen-devel] Questions about attacks on Xen

  • To: xen-devel@xxxxxxxxxxxxxxxxxxx
  • From: "W. Michael Petullo" <mike@xxxxxxxx>
  • Date: Thu, 12 Jan 2012 15:19:28 -0600
  • Delivery-date: Thu, 12 Jan 2012 21:19:57 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xensource.com>

I have some questions about attacks on Xen. I am preparing a paper for
an operating system we have built on top of Xen and I want to ensure
we have certain facts straight. Among the things I have read are
"Xen and the Art of Virtualization" and the XOAR paper.

First, what power does Dom0 have? Of course I know that Dom0 manages
the other domains and has direct access to hardware. I know that Dom0
cannot directly access the Xen hypervisor code in memory (except in
the case of attacks using DMA on IOMMU-less systems). But what about
Dom0 accessing DomU memory once the domain is running?

For isolation, our operating system encrypts all network traffic and disk
I/O. We have also postulated that we could do the same for keyboard/display
I/O. We can use vTPM to ensure trusted initialization. Are there other
attack vectors other than Dom0 handling memory destined to or from an I/O
device? Could Dom0 violate our DomU by directly accessing its memory? Are
there any facilities in Xen 4 for restricting this? Where could I read
more about this?

Thank you. I appreciate any responses, especially recommended reading.


