From: Dave Feustel
Subject: Re: Is Xen affected by this x86 hardware security hole?
Date: Tue, 02 May 2006 12:18:54 -0500
To: xen-devel@lists.xensource.com
Cc: Ian Pratt, Mark Williamson

On Tuesday 02 May 2006 10:46, Mark Williamson wrote:
> > Thanks for the responses.
> >
> > For those interested in the gory details of a proof-of-concept exploit,
> > it's all laid out in the 16-page pdf by Loic Duflot:
> >
> > http://www.ssi.gouv.fr/fr/sciences/fichiers/lti/cansecwest2006-duflot-paper.pdf
>
> Ah, interesting.
>
> It turns out this exploit is something new, in that it's not something I'd
> heard of before. But it looks mostly interesting to OpenBSD. Why? Because
> OpenBSD has more sane controls on the X Server than Linux, and so the fact
> that it can elevate privileges is worrisome. Since on Linux it (often) runs
> with superuser privileges anyhow, this attack isn't the main problem...
>
> Their exploit *does* show that mmap of the video ram, combined with the
> ability to access IO port 0xB2 is enough for a root exploit... I don't know
> if fbdev is restrictive enough to prevent this - OBSD have obviously tried to
> minimise X11's privileges and still found it circumventable.
>
> Nevertheless, Xen offers confinement. Also, as Keir pointed out, there are
> stricter restrictions on what even dom0 can do (and these can be made even
> more strict).
>
> Cheers,
> Mark

If it turns out that Xen has the capability to prevent this exploit in
virtualized operating systems, that capability could become a big
inducement to use Xen all the time - certainly in my case.

--
Lose, v., experience a loss, get rid of, "lose the weight"
Loose, adj., not tight, let go, free, "loose clothing"