From: Stefan Hajnoczi <stefanha@gmail.com>
To: Peng Tao <bergwolf@gmail.com>
Cc: Lai Jiangshan <jiangshanlai@gmail.com>,
Samuel Ortiz <sameo@linux.intel.com>, Xu Wang <gnawux@gmail.com>,
qemu-devel@nongnu.org,
"James O . D . Hunt" <james.o.hunt@intel.com>,
"Dr. David Alan Gilbert" <dgilbert@redhat.com>,
Markus Armbruster <armbru@redhat.com>,
Juan Quintela <quintela@redhat.com>,
Sebastien Boeuf <sebastien.boeuf@intel.com>,
Xiao Guangrong <xiaoguangrong@tencent.com>,
Xiao Guangrong <xiaoguangrong.eric@gmail.com>,
Paolo Bonzini <pbonzini@redhat.com>,
Andrea Arcangeli <aarcange@redhat.com>,
Marcelo Tosatti <mtosatti@redhat.com>,
kata-dev@lists.katacontainers.io
Subject: Re: [Qemu-devel] [PATCH] migration: add capability to bypass the shared memory
Date: Wed, 18 Jul 2018 17:03:40 +0100
Message-ID: <20180718160340.GP21825@stefanha-x1.localdomain>
In-Reply-To: <CA+a=Yy7rTX3=t1j-77VzSKoknUTu37BPEevY5s6adCc2aEpR6Q@mail.gmail.com>
On Thu, Jul 12, 2018 at 11:02:08PM +0800, Peng Tao wrote:
> On Tue, Jul 10, 2018 at 9:40 PM, Stefan Hajnoczi <stefanha@gmail.com> wrote:
> > Two things come to mind:
> >
> > At that point both guest kernel and agent address-space layout
> > randomization (ASLR) is finished. ASLR makes it harder for memory
> > corruption bugs to lead to real exploits because the attacker does not
> > know the full memory layout of the process. Cloned VMs will not benefit
> > from ASLR because much of the memory layout of the guest kernel and
> > agent will be identical across all clones.
> >
> Yes, indeed. I am not arguing that ASLR is retained with VM
> templating. Just that ASLR is also compromised if one wants to use KSM
> to save memory by sharing among different guests. Kata is already
> shipping with KSM components and we are adding VM templating as a
> better alternative.
Hang on, ASLR is *not* compromised by KSM. The address space layout is
still unique for each guest, even if KSM deduplicates physical pages on
the host. Remember ASLR is about virtual addresses while KSM is about
sharing the physical pages. Therefore KSM does not affect ASLR.
The KSM issue you referred to earlier is a timing side-channel attack.
Being vulnerable to timing side-channel attacks through KSM does not
reduce the effectiveness of ASLR.
> > Software random number generators have probably been initialized at this
> > point. This doesn't mean that all cloned VMs will produce the same
> > sequence of random numbers since they should incorporate entropy sources
> > or use hardware random number generators, but the quality of random
> > numbers might be reduced. Someone who knows random number generators
> > should take a look at this.
> >
> As Andrea pointed out earlier in his comments, we can configure the
> random number generator to printk a warning if it's being used at boot
> before it had its "shutdown" state restored. Then we can add a new
> kata-agent request to set the entropy and check for such a warning after a
> new VM is cloned and before it is given to the user. This way, we are
> guaranteed that the random numbers generated by each guest are created with
> a different seed. Do you have other concerns with this method?
Sounds good.
Stefan
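Added example (not from this thread, and not the Kata agent's own code): a Python sketch of the "set the entropy" step Peng Tao describes, injecting host-supplied bytes into the cloned guest's kernel pool through the RNDADDENTROPY ioctl. It assumes Linux with the asm-generic ioctl bit layout (x86_64/aarch64), the struct rand_pool_info layout from <linux/random.h>, and that the bytes are delivered from the host rather than drawn from the clone's own, still-shared pool.

```python
"""Reseed a cloned guest's kernel entropy pool (added example, not Kata code)."""
import fcntl
import os
import struct
import sys

# Linux asm-generic ioctl encoding (assumption: x86_64/aarch64 layout; powerpc,
# mips and a few others place these bits differently).
_IOC_NRBITS, _IOC_TYPEBITS, _IOC_SIZEBITS, _IOC_WRITE = 8, 8, 14, 1
_IOC_TYPESHIFT = _IOC_NRBITS
_IOC_SIZESHIFT = _IOC_TYPESHIFT + _IOC_TYPEBITS
_IOC_DIRSHIFT = _IOC_SIZESHIFT + _IOC_SIZEBITS

def _iow(type_char: str, nr: int, size: int) -> int:
    """Python equivalent of the kernel's _IOW() macro."""
    return ((_IOC_WRITE << _IOC_DIRSHIFT) | (ord(type_char) << _IOC_TYPESHIFT)
            | (size << _IOC_SIZESHIFT) | nr)

# RNDADDENTROPY is _IOW('R', 0x03, int[2]) in <linux/random.h>
RNDADDENTROPY = _iow("R", 0x03, 2 * struct.calcsize("i"))

def build_rand_pool_info(entropy: bytes) -> bytes:
    """Pack struct rand_pool_info { int entropy_count; int buf_size; __u32 buf[]; }.
    entropy_count is in bits and is credited in full, so only pass bytes that
    came from a host entropy source, never from the cloned guest's own pool."""
    if not entropy or len(entropy) % 4:
        raise ValueError("buffer must be a non-empty multiple of 4 bytes (__u32[])")
    return struct.pack("ii", len(entropy) * 8, len(entropy)) + entropy

def parse_rand_pool_info(blob: bytes) -> tuple:
    """Inverse of build_rand_pool_info: (entropy_count_bits, buf_size, buf)."""
    count, size = struct.unpack_from("ii", blob)
    return count, size, blob[8:8 + size]

def reseed_guest_random(entropy: bytes, dev: str = "/dev/random") -> int:
    """Inject host-supplied entropy and credit it (needs CAP_SYS_ADMIN).
    Returns the number of bits credited to the pool."""
    fd = os.open(dev, os.O_WRONLY)
    try:
        fcntl.ioctl(fd, RNDADDENTROPY, build_rand_pool_info(entropy))
    finally:
        os.close(fd)
    return len(entropy) * 8

if __name__ == "__main__":
    # The host runtime pipes fresh bytes in (e.g. via the agent request);
    # run inside the clone before it is handed to the user.
    print("credited", reseed_guest_random(sys.stdin.buffer.read(64)), "bits")
```

Pair this with the boot-time warning the thread proposes: if the kernel log shows the CRNG was consumed before this reseed ran, the clone should not be handed out.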