From: Joanna Rutkowska <joanna@invisiblethingslab.com>
To: Avi Kivity <avi@redhat.com>
Cc: Anthony Liguori <anthony@codemonkey.ws>, kvm@vger.kernel.org
Subject: Re: A few KVM security questions
Date: Mon, 07 Dec 2009 18:15:44 +0100 [thread overview]
Message-ID: <4B1D3840.1000801@invisiblethingslab.com> (raw)
In-Reply-To: <4B1D379C.9020407@redhat.com>
[-- Attachment #1: Type: text/plain, Size: 1449 bytes --]
Avi Kivity wrote:
> On 12/07/2009 07:09 PM, Joanna Rutkowska wrote:
>>
>>> Also, you can use qemu to provide the backends to a Xen PV guest (see -M
>>> xenpv). The effect is that you are moving that privileged code from the
>>> kernel (netback/blkback) to userspace (qemu -M xenpv).
>>>
>>> In general, KVM tends to keep code in userspace unless absolutely
>>> necessary. That's a fundamental difference from Xen which tends to do
>>> the opposite.
>>>
>>>
>> But the difference is that in case of Xen one can *easily* move the
>> backends to small unprivileged VMs. In that case it doesn't matter the
>> code is in kernel mode, it's still only in an unprivileged domain.
>>
>>
>
> They're not really unprivileged, one can easily program the dma
> controller of their assigned pci card to read and write arbitrary host
> memory.
>
That's not true if you use VT-d.
>> Sandboxing a process in a monolithic OS, like Linux, is generally
>> considered unfeasible, for anything more complex than a hello world
>> program. The process<-> kernel interface seem to be just too fat. See
>> e.g. the recent Linux kernel overflows by Spender.
>>
>
> What about seccomp? You can easily simplify qemu to just a bunch of
> calculations served over a pipe.
>
But the qemu must somehow communicate with the external world too, no?
You said you provide e.g. net backend via the qemu process...
joanna.
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 163 bytes --]
next prev parent reply other threads:[~2009-12-07 17:15 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-12-07 13:05 A few KVM security questions Joanna Rutkowska
2009-12-07 13:17 ` Avi Kivity
2009-12-07 13:30 ` Joanna Rutkowska
2009-12-07 13:38 ` Avi Kivity
2009-12-07 14:06 ` Joanna Rutkowska
2009-12-07 14:09 ` Avi Kivity
2009-12-07 16:44 ` Anthony Liguori
2009-12-07 17:09 ` Joanna Rutkowska
2009-12-07 17:13 ` Avi Kivity
2009-12-07 17:15 ` Joanna Rutkowska [this message]
2009-12-07 17:18 ` Avi Kivity
2009-12-07 17:33 ` Joanna Rutkowska
2009-12-07 18:34 ` Avi Kivity
2009-12-09 10:43 ` Pasi Kärkkäinen
2009-12-07 17:38 ` Anthony Liguori
2009-12-07 17:45 ` Joanna Rutkowska
[not found] ` <20091207181556.GM4679@tyrion.haifa.ibm.com>
2009-12-07 19:58 ` Anthony Liguori
2009-12-07 17:33 ` Anthony Liguori
2009-12-07 17:58 ` Joanna Rutkowska
2009-12-07 17:47 ` Daniel P. Berrange
2009-12-07 13:55 ` Joanna Rutkowska
2009-12-07 14:01 ` Avi Kivity
2009-12-07 16:47 ` Anthony Liguori
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4B1D3840.1000801@invisiblethingslab.com \
--to=joanna@invisiblethingslab.com \
--cc=anthony@codemonkey.ws \
--cc=avi@redhat.com \
--cc=kvm@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.