[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [Xense-devel] Xen memory management



Mark,

Thank you for a quick reply. Your explanation is very helpful.

I am just wondering what does it take (including design modification) to
limit the global access to the whole table. I think every little action that
limits unnecessary sharing of resources among guest domains will help
achieve multi-level secure Xen that is included in Xen research roadmap. 

Thanks,

Myong  

-----Original Message-----
From: Mark Williamson [mailto:mark.williamson@xxxxxxxxxxxx] 
Sent: Thursday, February 16, 2006 9:28 AM
To: xense-devel@xxxxxxxxxxxxxxxxxxx; mkang@xxxxxxxxxxxxxxxx
Subject: Re: [Xense-devel] Xen memory management

> Xen interface manual describes the following:
> "Xen maintains a globally readable machine-to-physical table which
> records the mapping from machine page frames to pseudo-physical ones."
>
> The questions are:
> What does it mean by "globally readable"? Which hypercall is being used to
> access this table from a guest domain (or is there some other way to
access
> this table from a guest domain)?

It's mapped into a domain's address space.  (nb. this is x86 specific).  I 
can't remember where it's mapped, though...  Anyhow, the overhead of a 
hypercall isn't necessary to read it, it's just a single memory access.

The advantage here is that a domain can map a machine address back into a 
guest physical address by simply doing a table lookup.  This also means it 
can see the M2P mappings for all the other domains, but this doesn't really 
leak any information since it still can't see the memory contents of other 
domains.

It is, however, a channel by which malicious guests might theoretically 
exchange data whilst bypassing security checks.  This is only really an
issue 
in Mandatory Access Control systems, and even there there are liable to be 
many other covert channels too.

> Is it possible to read memory content of guest domain B (or domain 0) from
> guest domain A?

No.  On x86 you can only read memory if you can map it with the pagetables 
(i.e. no direct physical addressing).  You can therefore only read the
memory 
contents of another domain if you can create a pagetable mapping for that 
domain.  Xen validates any updates to the pagetables to make sure that they 
are safe, so a domain can't create arbitrary mappings to other domains - if 
it tries to make an illegal mapping, Xen won't allow the pagetable updates.

Cheers,
Mark

-- 
Dave: Just a question. What use is a unicyle with no seat?  And no pedals!
Mark: To answer a question with a question: What use is a skateboard?
Dave: Skateboards have wheels.
Mark: My wheel has a wheel!




_______________________________________________
Xense-devel mailing list
Xense-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xense-devel


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.