Re: [Xen-devel] Critique of the Xen Security Process

[James Bulpin <James.Bulpin@xxxxxxxxxx>]

On Fri, Nov 06, 2015, Joanna Rutkowska wrote
> [snip] I was then asked to share some more
> thoughts about how I thought Xen could actually improve its security
> process [4].

Thanks Joanna for taking the time to put these thoughts into writing.
I think there are a number of actionable things here we should be taking
a look at as a community. Some of the key things from my perspective:

1. Fixing the use of the FETCHER in the build process (I know there has
already been some discussion around this as part of the Raisin work). In
the commercial Xen distribution I'm responsible for we actually replace
this mechanism and run in an isolated build environment; I'd like to see
this be the standard model.

2. "Disaggregating" the hypervisor makes a lot of sense. With Xen seeing
growth in embedded and client use-cases as well as the traditional server
and cloud ones it will increasingly be the case that some hypervisor
features are necessary in some cases and not in others. I certainly only
want my TCB to include stuff I really need.

3. Do we need to revisit entire old subsystems/features that have been
subject to years of incremental development? Perhaps a line item for Xen
4.7 could be a holistic review of the PV MM code. HVMLite may help in this
specific area longer term but PV (and some of our other older features)
are going to be around for a while yet.

4. Development/coding guidance and standards. This is something we need
anyway as we grow the community. We should consider more specific
guidance on defensive coding practices.

To maintainers and committers: perhaps some of these architectural
direction topics would be good discussions for an in-person dev meeting.

Cheers,
James


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel