
Re: [Xen-devel] RFC: Adding a section to the Xen security policy about what constitutes a vulnerability



>>> On 31.01.17 at 16:11, <george.dunlap@xxxxxxxxxx> wrote:
> OK, I've rewritten the section thus:
> 
> ---
> 
> 4. The security team will only issue an advisory if there is a known
> combination of software in which the vulnerability can be exploited.
> 
> In most cases, the software which contains the bug is also the target
> of the attack: that is, a bug in Xen allows an unprivileged user to
> crash Xen, a bug in QEMU allows an unprivileged user to escalate its
> privileges to that of the QEMU process.  In these cases "using Xen" or
> "using QEMU" implies "being vulnerable".  But this is not always so:
> for instance, a bug in the Xen instruction emulator might allow a
> guest user to attack the guest kernel, *if* the guest kernel behaves
> in a certain way, but not if it behaves in other ways.
> 
> In such a case, the Xen Security Team will pro-actively investigate
> the vulnerability of the following open-source operating systems:
> Linux, OpenBSD, FreeBSD, and NetBSD.  The security team will also make
> an effort to investigate the vulnerability of Microsoft Windows.  If
> we are reasonably certain that none of these operating systems are
> vulnerable, and there are no other operating systems known to be
> vulnerable, then no advisory will be issued.
> 
> (An example of this scenario is XSA-176: There was a bug in the
> handling of the pagetable PS bits for L3 and L4; but no known
> operating systems were vulnerable to an exploit as a result of the
> bug.  Under these guidelines, XSA-176 would not have been issued.)
> 
> ---
> 
> Essentially, the promise is that we will investigate Windows (along
> with others), and issue an advisory unless we are "reasonably certain"
> that none of them are vulnerable.
> 
> If there are no objections to this I'll write up a second version and
> put it in a blog post in a few days here to make sure it gets broader
> visibility within the community.

Thanks, looks good to me now.

Jan


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
https://lists.xen.org/xen-devel
