From: Avi Kivity <avi@redhat.com>
To: Sasha Levin <levinsasha928@gmail.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>,
Marcelo Tosatti <mtosatti@redhat.com>,
Ingo Molnar <mingo@elte.hu>, Pekka Enberg <penberg@kernel.org>,
Cyrill Gorcunov <gorcunov@gmail.com>,
Asias He <asias.hejun@gmail.com>,
Anthony Liguori <anthony@codemonkey.ws>,
Rusty Russell <rusty@rustcorp.com.au>,
"Michael S. Tsirkin" <mst@redhat.com>, kvm <kvm@vger.kernel.org>
Subject: Re: Secure KVM
Date: Mon, 07 Nov 2011 11:26:53 +0200 [thread overview]
Message-ID: <4EB7A45D.1030600@redhat.com> (raw)
In-Reply-To: <1320612020.3299.22.camel@lappy>
On 11/06/2011 10:40 PM, Sasha Levin wrote:
> Hi all,
>
> I'm planning on doing a small fork of the KVM tool to turn it into a
> 'Secure KVM' enabled hypervisor. Now you probably ask yourself, Huh?
Actually, no.
> The idea was discussed briefly couple of months ago, but never got off
> the ground - which is a shame IMO.
>
> It's easy to explain the problem: If an attacker finds a security hole
> in any of the devices which are exposed to the guest, the attacker would
> be able to either crash the guest, or possibly run code on the host
> itself.
Crashing the guest is fine (not 100% - you can have unprivileged code
managing a device, in which case we allow unprivileged code to crash the
entire guest - but that's rare). Running code on the host is also fine;
we have a permissions system in place to prevent damage; see libvirt's
sVirt code, which uses selinux to disallow an exploited guest from
touching other guests or host data. It should be able to protect
host-only networks as well (not sure if it does that).
The real risk is that the exploited hypervisor turns around and exploits
yet another hole in the system, like a privileged daemon that the
hypervisor is allowed to be in contact with, or the kernel itself, via a
vulnerability in the kernel interfaces.
> The solution is also simple to explain: Split the devices into different
> processes and use seccomp to sandbox each device into the exact set of
> resources it needs to operate, nothing more and nothing less.
One thing to beware of is memory hotplug. If the memory map is static,
then a fork() once everything is set up (with MAP_SHARED) alllows all
processes to access guest memory. However, if memory hotplug is
supported (or planned to be supported), then you can't do that, as
seccomp doesn't allow you to run mmap() in confined processes.
This means they have to use RPC to the main process in order to access
memory, which is going to slow them down significantly.
> Since I'll be basing it on the KVM tool, which doesn't really emulate
> that many legacy devices, I'll focus first on the virtio family for the
> sake of simplicity (and covering 90% of the options).
Since virtio is so performance sensitive, my feeling is that it is
better to audit it, and rely on sandboxing for the non performance
sensitive parts of the device model. Of course for a POC it's fine to
start with it.
> This is my basic overview of how I'm planning on implementing the
> initial POC:
<snip plan>
> Thats all I have for now, comments are *very* welcome.
This plan is quite similar to the equivalent plans for qemu. However,
as kvm-tool is much smaller than qemu, you're likely to have much easier
time and make much faster progress. This is really a great use of
kvm-tool, to explore new ideas rather than catching up; and I'm sure
your experience will prove useful for qemu as well.
--
error compiling committee.c: too many arguments to function
next prev parent reply other threads:[~2011-11-07 9:27 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-11-06 20:40 Secure KVM Sasha Levin
2011-11-07 0:07 ` Rusty Russell
2011-11-07 6:29 ` Sasha Levin
2011-11-07 6:37 ` Pekka Enberg
2011-11-07 6:46 ` Sasha Levin
2011-11-07 7:03 ` Pekka Enberg
2011-11-07 22:49 ` Rusty Russell
2011-11-07 9:26 ` Avi Kivity [this message]
2011-11-07 10:17 ` Sasha Levin
2011-11-07 10:27 ` Avi Kivity
2011-11-07 11:27 ` Stefan Hajnoczi
2011-11-07 12:40 ` Sasha Levin
2011-11-07 12:51 ` Avi Kivity
2011-11-07 14:56 ` Stefan Hajnoczi
2011-11-07 17:43 ` Anthony Liguori
2011-11-07 18:41 ` Avi Kivity
2011-11-07 17:39 ` Anthony Liguori
2011-11-07 18:43 ` Avi Kivity
2011-11-07 19:07 ` Anthony Liguori
2011-11-07 19:54 ` Avi Kivity
2011-11-07 22:56 ` Rusty Russell
2011-11-07 17:37 ` Anthony Liguori
2011-11-07 17:52 ` Sasha Levin
2011-11-07 18:03 ` [Qemu-devel] " Anthony Liguori
2011-11-07 23:06 ` Rusty Russell
2011-11-08 19:51 ` Will Drewry
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4EB7A45D.1030600@redhat.com \
--to=avi@redhat.com \
--cc=aarcange@redhat.com \
--cc=anthony@codemonkey.ws \
--cc=asias.hejun@gmail.com \
--cc=gorcunov@gmail.com \
--cc=kvm@vger.kernel.org \
--cc=levinsasha928@gmail.com \
--cc=mingo@elte.hu \
--cc=mst@redhat.com \
--cc=mtosatti@redhat.com \
--cc=penberg@kernel.org \
--cc=rusty@rustcorp.com.au \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox