From mboxrd@z Thu Jan  1 00:00:00 1970
From: David Hopwood <david.nospam.hopwood@blueyonder.co.uk>
Subject: Re: Fw: Xen on /. again
Date: Fri, 21 Jan 2005 00:48:58 +0000
Message-ID: <41F0517A.5080503@blueyonder.co.uk>
References: <OF4FD724E2.54054596-ON85256F8E.0069ACC1-85256F8E.006DA126@us.ibm.com> <41F02C8B.5010304@diku.dk> <200501202241.06631.maw48@cl.cam.ac.uk>
Reply-To: david.nospam.hopwood@blueyonder.co.uk
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Return-path: <xen-devel-admin@lists.sourceforge.net>
In-Reply-To: <200501202241.06631.maw48@cl.cam.ac.uk>
Sender: xen-devel-admin@lists.sourceforge.net
Errors-To: xen-devel-admin@lists.sourceforge.net
List-Unsubscribe: <https://lists.sourceforge.net/lists/listinfo/xen-devel>,
	<mailto:xen-devel-request@lists.sourceforge.net?subject=unsubscribe>
List-Post: <mailto:xen-devel@lists.sourceforge.net>
List-Help: <mailto:xen-devel-request@lists.sourceforge.net?subject=help>
List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/xen-devel>,
	<mailto:xen-devel-request@lists.sourceforge.net?subject=subscribe>
List-Archive: <http://sourceforge.net/mailarchive/forum.php?forum=xen-devel>
To: xen-devel@lists.sourceforge.net
List-Id: xen-devel@lists.xenproject.org

Mark Williamson wrote:
>>Also, I suppose you will wish to prevent covert channels between
>>domains, e.g. domains communicating using various timing attacks (I move
>>the disk head to the other end of the disk if I wish to tell you
>>something), or by allocating/freeing certains parts of memory.
>>
>>How much will you need to dumb down the VMs view of what is going on in
>>the machine to achieve this (not expose real time information, not
>>expose real page tables), and how much of a VMM will there be left when
>>you are done?
> 
> Well domains are not aware of each other's memory usage, so I wouldn't have 
> thought that allocation / exposing real page tables would matter.  (Except 
> dom0 can of course see everything if it wants).

Information about other domains' memory usage is leaked via the
hardware->physical mapping.

> Timing related attacks are somewhat trickier to eliminate covert channels in, 
> although some randomisation can limit the bandwidth.

Eliminating covert channels is completely infeasible. I don't see any
value in aiming for this. It's not a useful security property in most
circumstances.

-- 
David Hopwood <david.nospam.hopwood@blueyonder.co.uk>



-------------------------------------------------------
This SF.Net email is sponsored by: IntelliVIEW -- Interactive Reporting
Tool for open source databases. Create drag-&-drop reports. Save time
by over 75%! Publish reports on the web. Export to DOC, XLS, RTF, etc.
Download a FREE copy at http://www.intelliview.com/go/osdn_nl