Re: Fw: Xen on /. again - David Hopwood

All of lore.kernel.org
 help / color / mirror / Atom feed

From: David Hopwood <david.nospam.hopwood@blueyonder.co.uk>
To: xen-devel@lists.sourceforge.net
Subject: Re: Fw: Xen on /. again
Date: Fri, 21 Jan 2005 01:32:58 +0000	[thread overview]
Message-ID: <41F05BCA.7050208@blueyonder.co.uk> (raw)
In-Reply-To: <200501210055.05309.maw48@cl.cam.ac.uk>

Mark Williamson wrote:
>>Information about other domains' memory usage is leaked via the
>>hardware->physical mapping.
> 
> OK, I was forgetting about the domain memory reservation hypercalls.  It's 
> probably reasonable just to throw away ballooning functionality where this 
> might be a problem.
> 
> The main problem (as I see it) is going to be the network interface, whose 
> performance depends on page-flipping.  You can eliminate the security problem 
> without hiding machine address if you copy incoming packets but that's going 
> to hurt performance :-(
> 
>>>Timing related attacks are somewhat trickier to eliminate covert channels
>>>in, although some randomisation can limit the bandwidth.
>>
>>Eliminating covert channels is completely infeasible. I don't see any
>>value in aiming for this. It's not a useful security property in most
>>circumstances.
> 
> I agree it's not useful in the majority of circumstances.  If it's required it 
> can be implemented at a later date but the returns for the amount of time 
> invested are likely to be smaller.

It almost certainly can't be implemented at a later date. Even attempting
to do so (without really succeeding) would require significant incompatible
changes to the hypervisor interface.

The idea of limiting covert channels should have been abandoned when it
became clear that it isn't feasible without severely constraining the
efficiency and functionality of an operating system. Unfortunately it is
too interesting a problem, so a lot of effort has been essentially wasted
in research into this area, without ever coming up with any way to limit
the bandwidth to a useful extent. Attackers only need a very small
bandwidth to transmit many of the things that are most useful from their
point of view (cryptographic keys, passwords, compressed answers from a
program that can look at any amount of data), so claims about limiting the
bandwidth really just give a false sense of security.

-- 
David Hopwood <david.nospam.hopwood@blueyonder.co.uk>

-------------------------------------------------------
This SF.Net email is sponsored by: IntelliVIEW -- Interactive Reporting
Tool for open source databases. Create drag-&-drop reports. Save time
by over 75%! Publish reports on the web. Export to DOC, XLS, RTF, etc.
Download a FREE copy at http://www.intelliview.com/go/osdn_nl

next prev parent reply	other threads:[~2005-01-21  1:32 UTC|newest]

Thread overview: 27+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2005-01-19 19:57 Fw: Xen on /. again Trent Jaeger
2005-01-20 22:11 ` Jacob Gorm Hansen
2005-01-20 22:41   ` Mark Williamson
2005-01-20 23:30     ` Jacob Gorm Hansen
2005-01-21  0:14       ` Mark Williamson
2005-01-21  0:48     ` David Hopwood
2005-01-21  0:55       ` Mark Williamson
2005-01-21  1:32         ` David Hopwood [this message]
2005-01-21  1:38           ` Mark Williamson
2005-01-21  1:09       ` Reiner Sailer
2005-01-21  7:53       ` Steven Hand
2005-01-21  8:08         ` Steven Hand
2005-01-21  2:35     ` Jody Belka
2005-01-21 11:06       ` Mark A. Williamson
2005-01-21 11:22       ` Mark A. Williamson
2005-01-21 23:37         ` Jody Belka
2005-01-22 17:20           ` Mark Williamson
2005-01-22 18:16             ` Jody Belka
2005-01-23 17:52               ` Multiple netif device channels (was Fw: Xen on /. again) Mark Williamson
2005-01-25  0:32                 ` Jody Belka
2005-01-25 13:52                   ` Mark Williamson
2005-01-25 23:06                 ` Multiple netif device channels Jody Belka
2005-01-26 20:36                   ` Mark Williamson
2005-01-27  0:51                     ` Jody Belka
2005-01-27 14:00                       ` Jody Belka
2005-01-21  0:19   ` Fw: Xen on /. again Trent Jaeger
  -- strict thread matches above, loose matches on Subject: below --
2005-01-21  1:25 Ian Pratt

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=41F05BCA.7050208@blueyonder.co.uk \
    --to=david.nospam.hopwood@blueyonder.co.uk \
    --cc=xen-devel@lists.sourceforge.net \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.