Re: Secure KVM - Avi Kivity

public inbox for kvm@vger.kernel.org
 help / color / mirror / Atom feed

From: Avi Kivity <avi@redhat.com>
To: Sasha Levin <levinsasha928@gmail.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>,
	Marcelo Tosatti <mtosatti@redhat.com>,
	Ingo Molnar <mingo@elte.hu>, Pekka Enberg <penberg@kernel.org>,
	Cyrill Gorcunov <gorcunov@gmail.com>,
	Asias He <asias.hejun@gmail.com>,
	Anthony Liguori <anthony@codemonkey.ws>,
	Rusty Russell <rusty@rustcorp.com.au>,
	"Michael S. Tsirkin" <mst@redhat.com>, kvm <kvm@vger.kernel.org>
Subject: Re: Secure KVM
Date: Mon, 07 Nov 2011 12:27:53 +0200	[thread overview]
Message-ID: <4EB7B2A9.5020608@redhat.com> (raw)
In-Reply-To: <CA+1xoqdXO8-=aPEVOmZjNRwGY3yctFjyk0DnPAbd6+1aTWM8Zw@mail.gmail.com>

On 11/07/2011 12:17 PM, Sasha Levin wrote:
> Hi Avi,
>
> Thank you for your comments!
>
> Just one question below:
>
> On Mon, Nov 7, 2011 at 11:26 AM, Avi Kivity <avi@redhat.com> wrote:
> > Crashing the guest is fine (not 100% - you can have unprivileged code
> > managing a device, in which case we allow unprivileged code to crash the
> > entire guest - but that's rare).  Running code on the host is also fine;
>
> On Mon, Nov 7, 2011 at 11:26 AM, Avi Kivity <avi@redhat.com> wrote:
> > One thing to beware of is memory hotplug.  If the memory map is static,
> > then a fork() once everything is set up (with MAP_SHARED) alllows all
> > processes to access guest memory.  However, if memory hotplug is
> > supported (or planned to be supported), then you can't do that, as
> > seccomp doesn't allow you to run mmap() in confined processes.
> >
> > This means they have to use RPC to the main process in order to access
> > memory, which is going to slow them down significantly.
>
> Is the risk of a non-privileged guest code being able to exploit
> hypervisor to access guest memory which it's not allowed to access is
> really that small? I actually thought it would be one of the main
> concerns we'd need to handle, but from what I understand from you it's
> an irrelevant scenario.

I wouldn't say it's completely irrelevant.  But mainstream deployments
(Linux and Windows) don't really suffer from it, since all device
drivers are privilged (an exception may be graphics drivers on newer
Windows).  Scenarios which may be vulnerable are nested virtualization
with the guest using device assignment.

> If it's really the case, then mapping guest memory is preferable.
> While mmap() is an issue, I think it's a great example of why seccomp
> filters are needed in the kernel, and might be a good chance to push
> that feature forward. In that sense, 'Secure KVM' could be used as a
> guinea pig both for seccomp filters and future QEMU work.

Sure.

Another direction we're looking up is making it harder to exploit a
vulnerability.  PIC/PIE (position independent code/executable) make it
harder to exploit a bug; and selinux controls on exec(), mprotect(), and
mmap(PROT_EXEC) make it impossible to inject code (you can still use
code in the hypervisor or its libraries).  So we still have
vulnerabilities, but they're all denial of service rather than privilege
escalation.

-- 
error compiling committee.c: too many arguments to function

next prev parent reply	other threads:[~2011-11-07 10:28 UTC|newest]

Thread overview: 26+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2011-11-06 20:40 Secure KVM Sasha Levin
2011-11-07  0:07 ` Rusty Russell
2011-11-07  6:29   ` Sasha Levin
2011-11-07  6:37     ` Pekka Enberg
2011-11-07  6:46       ` Sasha Levin
2011-11-07  7:03         ` Pekka Enberg
2011-11-07 22:49     ` Rusty Russell
2011-11-07  9:26 ` Avi Kivity
2011-11-07 10:17   ` Sasha Levin
2011-11-07 10:27     ` Avi Kivity [this message]
2011-11-07 11:27     ` Stefan Hajnoczi
2011-11-07 12:40       ` Sasha Levin
2011-11-07 12:51         ` Avi Kivity
2011-11-07 14:56           ` Stefan Hajnoczi
2011-11-07 17:43       ` Anthony Liguori
2011-11-07 18:41         ` Avi Kivity
2011-11-07 17:39   ` Anthony Liguori
2011-11-07 18:43     ` Avi Kivity
2011-11-07 19:07       ` Anthony Liguori
2011-11-07 19:54         ` Avi Kivity
2011-11-07 22:56   ` Rusty Russell
2011-11-07 17:37 ` Anthony Liguori
2011-11-07 17:52   ` Sasha Levin
2011-11-07 18:03     ` [Qemu-devel] " Anthony Liguori
2011-11-07 23:06       ` Rusty Russell
2011-11-08 19:51       ` Will Drewry

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=4EB7B2A9.5020608@redhat.com \
    --to=avi@redhat.com \
    --cc=aarcange@redhat.com \
    --cc=anthony@codemonkey.ws \
    --cc=asias.hejun@gmail.com \
    --cc=gorcunov@gmail.com \
    --cc=kvm@vger.kernel.org \
    --cc=levinsasha928@gmail.com \
    --cc=mingo@elte.hu \
    --cc=mst@redhat.com \
    --cc=mtosatti@redhat.com \
    --cc=penberg@kernel.org \
    --cc=rusty@rustcorp.com.au \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox