Re: [PATCH][ACM] kernel enforcement of vbd policies via blkback driver

All of lore.kernel.org
 help / color / mirror / Atom feed

From: "Mike D. Day" <ncmike@us.ibm.com>
To: Keir Fraser <Keir.Fraser@cl.cam.ac.uk>
Cc: xen-devel@lists.xensource.com, Bryan D Payne <bdpayne@us.ibm.com>,
	Reiner Sailer <sailer@us.ibm.com>
Subject: Re: [PATCH][ACM] kernel enforcement of vbd policies via blkback driver
Date: Wed, 26 Jul 2006 14:24:06 -0400	[thread overview]
Message-ID: <44C7B346.60801@us.ibm.com> (raw)
In-Reply-To: <72656fa47f41a0522b47af0ad9496741@cl.cam.ac.uk>

Keir Fraser wrote:
> 
> On 26 Jul 2006, at 18:46, Mike D. Day wrote:
> 
>>> If an attacker has access to the control plane (essentially anything 
>>> with root privileges in domain0) what is to stop him from creating 
>>> his own domain, with security credentials allowing it to communicate 
>>> with domains A and B, and with its own proxy comms driver for 
>>> circumventing any Xen checks that are intended to prevent 
>>> communication between A and B?
>>
>> It's all about defense in depth. It shouldn't be possible for a 
>> privilege escalation on dom0 to automatically compromise all the 
>> running domains. There should be hypervisor-level access control that 
>> authorizes changes to the access policy of a running domU. With the 
>> ability to store domain configuration remotely (coming in xend) we can 
>> then prevent a privilege escalation and a restart from compromising 
>> user domains.
> 
> Not sure I understand your answer, but if you have root on domain0 
> there's nothing to stop you circumventing xend entirely. The problem 
> here is that dom0 is in the TCB: solutions might be either to lock down 

Eventually we need to make authorization role-based instead of just the 
superuser and everyone else. In addition the hypervisor should not 
automatically trust dom0. Also, running domains should not automatically 
trust dom0. I realize that this is a lot of evolution from now 
(including changes to the dom0 hypercalls) but putting access control 
hooks into the hypervisor and its drivers is a small step in this 
direction. Not arguing for accepting the patch today, just suggesting we 
start to think about a different approach.

Mike

> domain0 (very restricted remote access) to reduce risk of privilege 
> escalation, or move the core control logic elsewhere (a mini-domain of 
> some sort) and reduce the privileges of domain0 (the biggest part of the 
> TCB). In the current situation with dom0: you show me a 'hack proof' set 
> of access-control checks and I'm sure I can describe a workaround for a 
> privileged attacker in dom0. For example, dom0 can map any other 
> domain's memory, so it's trivial for an attacker to steal secrets.

next prev parent reply	other threads:[~2006-07-26 18:24 UTC|newest]

Thread overview: 30+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <OF95F83550.BF987DA4-ON852571B5.006BF6EE-852571B5.006EC053@LocalDomain>
2006-07-25  0:21 ` [PATCH][ACM] kernel enforcement of vbd policies via blkback driver Reiner Sailer
2006-07-25  9:53   ` Keir Fraser
2006-07-25 17:45     ` Bryan D Payne
2006-07-25 18:48       ` Steven Hand
2006-07-26 13:25     ` Mike D. Day
2006-07-26 13:49       ` Keir Fraser
2006-07-26 15:47         ` Reiner Sailer
2006-07-26 17:46         ` Mike D. Day
2006-07-26 18:07           ` Keir Fraser
2006-07-26 18:24             ` Mike D. Day [this message]
2006-07-26 18:50               ` Andrew Warfield
2006-07-26 21:21                 ` Reiner Sailer
2006-07-26 22:23                 ` Harry Butterworth
2006-07-26 22:51                   ` Reiner Sailer
2006-07-27  9:41                     ` Harry Butterworth
2006-07-26 23:04                   ` Andrew Warfield
2006-07-27  1:40                     ` Harry Butterworth
2006-07-27 15:37                       ` Reiner Sailer
2006-07-27 16:26                         ` Harry Butterworth
2006-07-27 16:36                           ` Harry Butterworth
2006-07-27 16:58                             ` Reiner Sailer
2006-07-27 17:06                               ` Harry Butterworth
2006-07-27 17:19                                 ` Harry Butterworth
2006-07-27 17:53                                   ` Reiner Sailer
2006-07-27 18:38                                     ` Harry Butterworth
2006-07-27 17:38                                 ` Reiner Sailer
2006-07-27 17:43                                   ` Harry Butterworth
2006-07-24 16:23 Bryan D. Payne
2006-07-24 17:28 ` Keir Fraser
2006-07-24 20:09   ` Bryan D Payne

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=44C7B346.60801@us.ibm.com \
    --to=ncmike@us.ibm.com \
    --cc=Keir.Fraser@cl.cam.ac.uk \
    --cc=bdpayne@us.ibm.com \
    --cc=sailer@us.ibm.com \
    --cc=xen-devel@lists.xensource.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.