[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-users] Re: Exploiting XEN



Petersson, Mats wrote:

I guess that's a fair comment too. Dom0 is a large part of a Xen
environment, and if Dom0 is compromised, then Xen can't really do that
much to prevent the system from being crashed, subverted or other
malicious acts. But I believe Xen itself is "safe" from Dom0 being
compromised

It's not. Dom0 (or any IO domain) has direct access to DMA controllers. It can use DMA to overwrite the hypervisor's memory with arbitrary data.

It would be rather trivial for dom0 to escalate itself to ring 0 by simply locating the IDT, writing a new IDT to disk, and then doing a DMA read operation with the physical address of the IDT's.

Regards,

Anthony Liguori

 - but it's moot point, as Xen on it's own is about as useful
as a chocalte teapot.
But Xen isn't really the "culprit" in this scenario - it's the same
scenario for Linux (or whatever other OS we care to choose) without a
hypervisor.

--
Mats
Dan.
--
|=- Red Hat, Engineering, Emerging Technologies, Boston. +1 978 392 2496 -=| |=- Perl modules: http://search.cpan.org/~danberr/ -=| |=- Projects: http://freshmeat.net/~danielpb/ -=| |=- GnuPG: 7D3B9505 F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 -=|




_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.