From: Tim Deegan <tim@xen.org>
To: Joanna Rutkowska <joanna@invisiblethingslab.com>
Cc: Daniel De Graaf <dgdegra@tycho.nsa.gov>, xen-devel@lists.xensource.com
Subject: Re: [RFC PATCH 0/18] Xenstore stub domain
Date: Thu, 12 Jan 2012 10:48:02 +0000
Message-ID: <20120112104802.GA47092@ocelot.phlegethon.org>
In-Reply-To: <4F0EB6ED.3030900@invisiblethingslab.com>

At 11:33 +0100 on 12 Jan (1326367997), Joanna Rutkowska wrote:
> Daniel,
>
> Can you explain what is the rationale for moving the xenstored into a
> stubdom? After all, if an attacker is able to compromise the xenstored,
> there should be many ways now how to compromise other VMs in the system?
> And it shouldn't matter whether the xenstored is in stubdom or whether
> in Dom0. E.g. the attacker might redirect the block fronts to use some
> false block backends, so that the VMs get compromised fs. One could
> probably think of other attacks as well...?

I think the point is to protect xenstore from dom0, not dom0 from
xenstore. With stub-xenstore and driver domains, only the domain
builder and PCIback need to have any privilege, and they can be moved
out of dom0 too (e.g., http://dl.acm.org/citation.cfm?id=1346278 ,
http://tjd.phlegethon.org/words/sosp11-xoar.html)

Tim.