From: Ahmed Azab <amazab@ncsu.edu>
To: xen-devel@lists.xensource.com
Subject: Xen Guest Memory Isolation
Date: Tue, 14 Apr 2009 18:16:41 -0400
Message-ID: <49E50B49.7000706@ncsu.edu>

Hi All,

I have been inspecting Xen's security properties for a while and I have
some questions regarding guest page table isolation.

In para-virtualized guests, my understanding is (please correct me if I
am wrong) that Xen achieves the isolation through (1) making all page
tables non-writable, so that the guest has to ask Xen to do the update
through hypercalls, and (2) having Xen validate each page-table update
to make sure domain X cannot access domain Y's memory.

Now, looking inside the code, I cannot see where this happens. I
took a thorough look at the do_mmu_update hypercall and I observed that
the function extracts the new page table entry value directly from the
input parameter "req.val". Afterwards, it calls the function
mod_lX_entry(), where X refers to the page table level. These functions
in turn call the macro Update_entry, which calls the function
Update_intpte, which probably ends up calling __copy_to_user or
compxchg_user directly to update the page table entry. As far as I
understand, the observed path does not include any security checking.

MY QUESTIONS ARE:
1- Does Xen check that the passed value refers to a physical page that
really belongs to the calling domain? If yes, where is the code piece
that does that? If no, then what guarantees that the guest won't map a
page belonging to another guest?
2- If the guest is updating a higher level page table (l2 for example),
then the entry points to a lower level page table. Does Xen check that
the new one cannot be rewritten by the guest? Again, where is the code or
what is the security guarantee?
3- Does Xen keep track of all page tables of a certain guest, or does it
just rely on the type_info value stored in the page data structure?
4- How does it then guarantee that upon process switching the new cr3
value will point to a page table that is protected by Xen?

One final thing. Can I force all guests (including para-virtualized
ones) to use shadow page tables?

Thanks,
Ahmed
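As an added illustration (not Xen's code and not part of this thread), a constructed model of the invariants the four questions are about: every frame carries an owner and one exclusive type, so a frame typed as a page table cannot also be mapped writable, and lower-level and CR3 references are accepted only for caller-owned frames that take the matching table type. The frame table and the validate_* / get_type / put_type names are my own assumptions.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed model of per-frame bookkeeping: owning domain, current
 * exclusive type and a count of references holding that type. */
enum ptype { PT_NONE, PT_WRITABLE, PT_L1, PT_L2 };

struct frame { int owner; enum ptype type; unsigned refs; };

#define NFRAMES 8
static struct frame frames[NFRAMES];   /* constructed frame table */

/* Acquire a type for a frame: allowed only if the frame is untyped or
 * already holds the same type, so PT_WRITABLE and PT_L1/PT_L2 exclude
 * each other (the role type_info plays in the question). */
static bool get_type(unsigned mfn, enum ptype t) {
    struct frame *f = &frames[mfn];
    if (f->type != PT_NONE && f->type != t) return false;
    f->type = t; f->refs++;
    return true;
}

/* Drop one reference; the frame becomes untyped when the last one goes. */
void put_type(unsigned mfn) {
    struct frame *f = &frames[mfn];
    if (f->refs && --f->refs == 0) f->type = PT_NONE;
}

/* Question 1: an L1 entry may only name a frame the caller owns, and a
 * writable mapping is refused while the frame is typed as a page table. */
bool validate_l1_entry(int dom, unsigned mfn, bool writable) {
    if (mfn >= NFRAMES || frames[mfn].owner != dom) return false;
    return writable ? get_type(mfn, PT_WRITABLE) : true;
}

/* Question 2: an L2 entry may only point at a frame that is (or becomes)
 * an L1 page table; taking that type blocks later writable mappings. */
bool validate_l2_entry(int dom, unsigned mfn) {
    if (mfn >= NFRAMES || frames[mfn].owner != dom) return false;
    return get_type(mfn, PT_L1);
}

/* Question 4: a new CR3 must name an owned frame typed as a top-level table. */
bool validate_new_cr3(int dom, unsigned mfn) {
    if (mfn >= NFRAMES || frames[mfn].owner != dom) return false;
    return get_type(mfn, PT_L2);
}

/* Constructed layout: frames 0-3 belong to domain 1, frames 4-7 to domain 2. */
void reset_frames(void) {
    for (unsigned i = 0; i < NFRAMES; i++) {
        frames[i].owner = i < 4 ? 1 : 2;
        frames[i].type = PT_NONE; frames[i].refs = 0;
    }
}
```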
