Re: [Xen-devel] Possible to prevent dom0 accessing guest memory?
On Mon, Nov 14, 2016 at 3:29 PM, Andy Smith <andy@xxxxxxxxxxxxxx> wrote:
> Hi Andrew,
>
> On Mon, Nov 14, 2016 at 03:06:12PM +0000, Andrew Cooper wrote:
>> You have misunderstood a step.
>>
>> Dom0 can map all of guest memory. This is how `xl dump-core` is
>> implemented, as well as how Qemu emulates devices for the guest.
>
> Ah, okay, thanks. That is what I feared.
>
> Due to details of the legal jurisdiction in which I operate, it
> would actually be useful to me to disable xl dump-core and be able
> to truthfully state that I do not know how to obtain a dump of a
> guest's memory. As it stands I do know that xl dump-core exists and
> I can be compelled to run it. I do not personally know how to write
> a program to do what xl dump-core does and would have no interest in
> finding out.
>
> But I appreciate that the more general concern would be an attacker
> who gains root access, and they could just run such a program, so I
> guess Xen developers would see little point in offering a way to
> disable dump-core.

I don't think we've had someone before ask us to remove functionality so that they can't be ordered to run it; but if that would be of service to some of our users, there's no inherent reason we couldn't take a look to see how difficult it would be to implement.

So is the basic situation that you can be asked to run commands, but that you can't be asked to implement new functionality, or re-compile and reboot your host?

Removing the dump-core functionality from xl should be pretty straightforward. With very little effort I could send you a patch you could apply locally that would simply delete the code which implements that command in xl. It would also be simple enough to make a config option that would disable building that command in xl. Would either of those suffice?

There is probably a way to configure Xen to make it possible to build domains while making a full dump-core difficult to implement even by a motivated attacker; but that would be quite a bit more work (and very bespoke to your own particular situation).

-George

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
https://lists.xen.org/xen-devel