From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:60029) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1bguK1-0003BW-24 for qemu-devel@nongnu.org; Mon, 05 Sep 2016 09:52:30 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1bguJv-0002mC-49 for qemu-devel@nongnu.org; Mon, 05 Sep 2016 09:52:24 -0400 Received: from mx1.redhat.com ([209.132.183.28]:41486) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1bguJu-0002m1-Ua for qemu-devel@nongnu.org; Mon, 05 Sep 2016 09:52:19 -0400 Date: Mon, 5 Sep 2016 14:52:14 +0100 From: "Dr. David Alan Gilbert" Message-ID: <20160905135214.GA22496@work-vm> References: <110743700.1285610.1472475080274.ref@mail.yahoo.com> <110743700.1285610.1472475080274@mail.yahoo.com> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline In-Reply-To: <110743700.1285610.1472475080274@mail.yahoo.com> Content-Transfer-Encoding: quoted-printable Subject: Re: [Qemu-devel] A question about postcopy safety List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: liutgnu@yahoo.com Cc: qemu-devel@nongnu.org * liutgnu@yahoo.com (liutgnu@yahoo.com) wrote: > Hi=A0David, Hi Liutao, > I'm studying the process of postcopy migration, and I found that the me= mory pages migrated from source to destination are not encrypted. Does th= is make the VM vulnerable if it's memory has been tampered with during po= stcopy migration? >=20 > I think precopy has less risk because the source's memory is always alt= ering. If one page is tampered with during network transfer, with source = still running, then a later version of that page may keep updating. So it= would be quite difficult to track all different page versions, and tampe= r with the final version of one page. >=20 > But when it comes to postcopy, the situation is riskier because one spe= cific page is only transferred once. It's easy to capture all transferrin= g memory pages, tamper and resend. I don't think there's much difference between precopy and postcopy for se= curity; the only secure way to do migration is over an encrypted transport and th= at solves it for both precopy and postcopy. I don't think it would be that hard for a malicious person to track the p= ages in precopy; and indeed what they could do is wait until an interesting page comes alo= ng (say one with a hash or the data they're interested in) and then insert a= new version of that page later with their own nasty version on - postcopy wouldn't al= low that second version. The challenge is to get a nice fast high speed encryption layer, and for = post-copy it should have low added latency. >=20 > When the memory been tampered with, the safety of the VM will be compro= mised. >=20 > Any ideas? thank you!Liutao Dave -- Dr. David Alan Gilbert / dgilbert@redhat.com / Manchester, UK