Re: [Qemu-devel] A question about postcopy safety

["Dr. David Alan Gilbert" <dgilbert@redhat.com>]

* liutgnu@yahoo.com (liutgnu@yahoo.com) wrote:
> Hi David,

Hi Liutao,

> I'm studying the process of postcopy migration, and I found that the memory pages migrated from source to destination are not encrypted. Does this make the VM vulnerable if it's memory has been tampered with during postcopy migration?
> 
> I think precopy has less risk because the source's memory is always altering. If one page is tampered with during network transfer, with source still running, then a later version of that page may keep updating. So it would be quite difficult to track all different page versions, and tamper with the final version of one page.
> 
> But when it comes to postcopy, the situation is riskier because one specific page is only transferred once. It's easy to capture all transferring memory pages, tamper and resend.

I don't think there's much difference between precopy and postcopy for security;
the only secure way to do migration is over an encrypted transport and that solves
it for both precopy and postcopy.

I don't think it would be that hard for a malicious person to track the pages in precopy;
and indeed what they could do is wait until an interesting page comes along
(say one with a hash or the data they're interested in) and then insert a new version
of that page later with their own nasty version on - postcopy wouldn't allow
that second version.

The challenge is to get a nice fast high speed encryption layer, and for post-copy
it should have low added latency.

> 
> When the memory been tampered with, the safety of the VM will be compromised.
> 
> Any ideas? thank you!Liutao

Dave

--
Dr. David Alan Gilbert / dgilbert@redhat.com / Manchester, UK