Re: [Xen-devel] [PATCH 10/16] SUPPORT.md: Add Debugging, analysis, crash post-portem

On 11/22/2017 11:15 AM, Jan Beulich wrote:
>>>> On 21.11.17 at 19:19, <george.dunlap@xxxxxxxxxx> wrote:
>> xentrace I would argue for security support; I've asked customers to
>> send me xentrace data as part of analysis before. I also know enough
>> about it that I'm reasonably confident the risk of an attack vector is
>> pretty low.
>
> Knowing pretty little about xentrace I will trust you here. What I
> was afraid of is that generally anything adding overhead can have
> unintended side effects, the more with the - aiui - huge amounts of
> data this may produce.

The data is fundamentally limited by the size of the in-hypervisor
buffers. Once those are full, the trace overhead shouldn't be
significantly different than having tracing disabled.

And regardless of how big they are, the total amount of trace data will
be limited by the throughput of the dom0-based xentrace process writing
to disk. If the throughput of that process is (say) 50MB/s, then the
"steady state" of trace creation will be the same (one way or another).
Or, at very most, at the rate a single processor can copy data out of
the in-hypervisor buffers.

Back when I was using xentrace heavily, I regularly hit this limit, and
never had any stability issues. I suppose with faster disks (SSDs? SAN
on a 40GiB NIC?) this limit will be higher, but I still have trouble
thinking that it would be significantly more dangerous than, say, any
other kind of domain 0 logging.

I mean, there may be something I'm missing; but I've just spent 10
minutes or so trying to brainstorm ways that an attacker could cause
problems on the system, and other than "fill the buffers with junk so
that the admin can't find what she's looking for". Any other flaws
should be no more likely than from any other feature we expose to guests.

-George