From: Joanna Rutkowska <joanna@invisiblethingslab.com>
To: Tim Deegan <tim@xen.org>
Cc: Daniel De Graaf <dgdegra@tycho.nsa.gov>, xen-devel@lists.xensource.com
Subject: On Dom0 disaggregation (was: Re: [RFC PATCH 0/18] Xenstore stub domain)
Date: Thu, 12 Jan 2012 12:18:48 +0100 [thread overview]
Message-ID: <4F0EC198.9050406@invisiblethingslab.com> (raw)
In-Reply-To: <20120112104802.GA47092@ocelot.phlegethon.org>
[-- Attachment #1.1: Type: text/plain, Size: 2123 bytes --]
On 01/12/12 11:48, Tim Deegan wrote:
> At 11:33 +0100 on 12 Jan (1326367997), Joanna Rutkowska wrote:
>> Daniel,
>>
>> Can you explain what is the rationale for moving the xenstored into a
>> stubdom? After all, if an attacker is able to compromise the xenstored,
>> there should be many ways now how to compromise other VMs in the system?
>> And it shouldn't matter whether the xenstored is in stubdom or whether
>> in Dom0. E.g. the attacker might redirect the block fronts to us some
>> false block backends, so that the VMs get compromised fs. One could
>> probably think of other attacks as well...?
>
> I think the point is to protect xenstore from dom0, not dom0 from
> xenstore. With stub-xenstore and driver domains, only the domain
> builder and PCIback need to have any privilege, and they can be moved
> out of dom0 too (e.g., http://dl.acm.org/citation.cfm?id=1346278 ,
> http://tjd.phlegethon.org/words/sosp11-xoar.html)
>
In order for this to make sense from security point of view, you would
need to deprivilige Dom0. When considering this task, one should answer
the following questions:
1) Who manages the chipset (MCH)?
2) Who manages the input (keyboard, mouse)
3) Who manages the output (GPU, specifically critical on client systems)
From the security point of view there is no point of isolating the
entities that manage the above between each other, because a compromise
of any of those entities leads to full system compromise (again, #3
applies to client systems).
Now, as you pointed out, we shall probably add another bullet to the
list, which is:
4) the xenstored
(although I'm not 100% if we couldn't somehow deprivilige xenstored).
So, we end up with a conclusion that there is no point separating those
4 functionalists between each other, and so it only make sense to host
them in the same domain. How about we call this domain "Dom0", then? ;)
(Sure, this "new Dom0" doesn't include net, USB, and perhaps even SATA
drivers, but we already have been doing this on Qubes, except for moving
out SATA/blkbackend from Dom0).
joanna.
[-- Attachment #1.2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 455 bytes --]
[-- Attachment #2: Type: text/plain, Size: 138 bytes --]
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel
next prev parent reply other threads:[~2012-01-12 11:18 UTC|newest]
Thread overview: 128+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-01-11 17:21 [RFC PATCH 0/18] Xenstore stub domain Daniel De Graaf
2012-01-11 17:21 ` [PATCH 01/18] xen: reinstate previously unused XENMEM_remove_from_physmap hypercall Daniel De Graaf
2012-01-12 8:22 ` Jan Beulich
2012-01-11 17:21 ` [PATCH 02/18] xen: allow global VIRQ handlers to be delegated to other domains Daniel De Graaf
2012-01-12 8:43 ` Jan Beulich
2012-01-11 17:21 ` [PATCH 03/18] xsm: allow use of XEN_DOMCTL_getdomaininfo by non-IS_PRIV domains Daniel De Graaf
2012-01-11 17:27 ` Keir Fraser
2012-01-11 17:36 ` Daniel De Graaf
2012-01-11 17:49 ` Keir Fraser
2012-01-11 17:21 ` [PATCH 04/18] xen: Preserve reserved grant entries when switching versions Daniel De Graaf
2012-01-12 8:53 ` Jan Beulich
2012-01-12 9:49 ` Ian Campbell
2012-01-12 9:56 ` Ian Campbell
2012-01-11 17:21 ` [PATCH 05/18] tools/libxl: Add xenstore and console backend domain IDs to config Daniel De Graaf
2012-01-11 17:21 ` [PATCH 06/18] lib{xc, xl}: Seed grant tables with xenstore and console grants Daniel De Graaf
2012-01-12 9:59 ` Ian Campbell
2012-01-12 15:11 ` Daniel De Graaf
2012-01-12 16:12 ` Ian Campbell
2012-01-12 17:21 ` Ian Jackson
2012-01-12 17:32 ` Daniel De Graaf
2012-01-12 17:35 ` Ian Jackson
2012-01-12 17:38 ` Ian Campbell
2012-01-12 17:47 ` Daniel De Graaf
2012-01-11 17:21 ` [PATCH 07/18] mini-os: avoid crash if no console is provided Daniel De Graaf
2012-01-12 10:03 ` Ian Campbell
2012-01-12 17:56 ` Daniel De Graaf
2012-01-18 10:21 ` Ian Campbell
2012-01-11 17:21 ` [PATCH 08/18] mini-os: avoid crash if no xenstore " Daniel De Graaf
2012-01-11 17:21 ` [PATCH 09/18] mini-os: remove per-fd evtchn limit Daniel De Graaf
2012-01-11 17:21 ` [PATCH 10/18] xenstored: use grant references instead of map_foreign_range Daniel De Graaf
2012-01-11 17:21 ` [PATCH 11/18] xenstored: add NO_SOCKETS compilation option Daniel De Graaf
2012-01-12 10:05 ` Ian Campbell
2012-01-11 17:21 ` [PATCH 12/18] xenstored support for in-memory rather than FS based trivial DB (needed to run on mini-OS) Daniel De Graaf
2012-01-11 17:21 ` [PATCH 13/18] xenstored: support running in minios stubdom Daniel De Graaf
2012-01-11 17:21 ` [PATCH 14/18] xenstored: always use xc_gnttab_munmap in stubdom Daniel De Graaf
2012-01-11 17:21 ` [PATCH 15/18] xenstored: add --event parameter for bootstrapping Daniel De Graaf
2012-01-11 17:21 ` [PATCH 16/18] xenstored: pull dom0 event port from shared page Daniel De Graaf
2012-01-11 17:21 ` [PATCH 17/18] xenstored: use domain_is_unprivileged instead of checking conn->id Daniel De Graaf
2012-01-11 17:21 ` [PATCH 18/18] xenstored: add --priv-domid parameter Daniel De Graaf
2012-01-12 10:20 ` Ian Campbell
2012-01-12 15:37 ` Daniel De Graaf
2012-01-11 17:22 ` [PATCH] xenbus: Add support for xenbus backend in stub domain Daniel De Graaf
2012-01-12 8:59 ` Jan Beulich
2012-01-12 15:28 ` Daniel De Graaf
2012-01-12 15:40 ` Jan Beulich
2012-01-12 15:58 ` Daniel De Graaf
2012-01-12 9:51 ` [RFC PATCH 0/18] Xenstore " Ian Campbell
2012-01-12 9:57 ` Ian Campbell
2012-01-12 23:32 ` Daniel De Graaf
2012-01-12 10:33 ` Joanna Rutkowska
2012-01-12 10:48 ` Tim Deegan
2012-01-12 11:18 ` Joanna Rutkowska [this message]
2012-01-12 12:13 ` On Dom0 disaggregation (was: Re: [RFC PATCH 0/18] Xenstore stub domain) Tim Deegan
2012-01-12 13:30 ` On Dom0 disaggregation Joanna Rutkowska
2012-01-12 14:21 ` Tim Deegan
2012-01-12 14:23 ` Mihir Nanavati
2012-01-12 11:27 ` [RFC PATCH 0/18] Xenstore stub domain Ian Campbell
2012-01-12 11:33 ` Vasiliy Tolstov
2012-01-12 11:46 ` Ian Campbell
2012-01-12 11:35 ` Joanna Rutkowska
2012-01-12 11:46 ` Ian Campbell
2012-01-12 11:00 ` Keir Fraser
2012-01-12 16:12 ` Daniel De Graaf
2012-01-12 23:35 ` [PATCH v2 00/18] " Daniel De Graaf
2012-01-12 23:35 ` [PATCH 01/18] xen: reinstate previously unused XENMEM_remove_from_physmap hypercall Daniel De Graaf
2012-01-13 7:56 ` Jan Beulich
2012-01-18 10:36 ` Ian Campbell
2012-01-18 14:56 ` Daniel De Graaf
2012-01-18 16:06 ` Ian Campbell
2012-01-18 19:07 ` Daniel De Graaf
2012-01-19 10:32 ` Ian Campbell
2012-01-12 23:35 ` [PATCH 02/18] xen: allow global VIRQ handlers to be delegated to other domains Daniel De Graaf
2012-01-13 8:03 ` Jan Beulich
2012-01-13 13:58 ` Daniel De Graaf
2012-01-13 15:32 ` Jan Beulich
2012-01-18 10:39 ` Ian Campbell
2012-01-18 11:28 ` Jan Beulich
2012-01-18 11:44 ` Ian Campbell
2012-01-12 23:35 ` [PATCH 03/18] xen: use XSM instead of IS_PRIV for getdomaininfo Daniel De Graaf
2012-01-12 23:35 ` [PATCH 04/18] xen: Preserve reserved grant entries when switching versions Daniel De Graaf
2012-01-13 8:07 ` Jan Beulich
2012-01-18 10:43 ` Ian Campbell
2012-01-12 23:35 ` [PATCH 05/18] tools/libxl: pull xenstore/console domids from xenstore Daniel De Graaf
2012-01-18 10:47 ` Ian Campbell
2012-01-12 23:35 ` [PATCH 06/18] lib{xc, xl}: Seed grant tables with xenstore and console grants Daniel De Graaf
2012-01-18 11:05 ` Ian Campbell
2012-01-20 20:24 ` Daniel De Graaf
2012-01-12 23:35 ` [PATCH 07/18] mini-os: avoid crash if no console is provided Daniel De Graaf
2012-01-18 11:06 ` Ian Campbell
2012-01-12 23:35 ` [PATCH 08/18] mini-os: avoid crash if no xenstore " Daniel De Graaf
2012-01-18 11:08 ` Ian Campbell
2012-01-12 23:35 ` [PATCH 09/18] mini-os: remove per-fd evtchn limit Daniel De Graaf
2012-01-18 11:10 ` Ian Campbell
2012-01-12 23:35 ` [PATCH 10/18] xenstored: use grant references instead of map_foreign_range Daniel De Graaf
2012-01-18 11:15 ` Ian Campbell
2012-01-18 18:18 ` Daniel De Graaf
2012-01-12 23:35 ` [PATCH 11/18] xenstored: add NO_SOCKETS compilation option Daniel De Graaf
2012-01-18 11:23 ` Ian Campbell
2012-01-12 23:35 ` [PATCH 12/18] xenstored support for in-memory rather than FS based trivial DB (needed to run on mini-OS) Daniel De Graaf
2012-01-18 11:27 ` Ian Campbell
2012-01-12 23:35 ` [PATCH 13/18] xenstored: support running in minios stubdom Daniel De Graaf
2012-01-18 11:33 ` Ian Campbell
2012-01-18 17:13 ` Ian Jackson
2012-01-18 17:35 ` Ian Campbell
2012-01-24 16:24 ` Ian Jackson
2012-01-12 23:35 ` [PATCH 14/18] xenstored: always use xc_gnttab_munmap in stubdom Daniel De Graaf
2012-01-12 23:35 ` [PATCH 15/18] xenstored: add --event parameter for bootstrapping Daniel De Graaf
2012-01-18 11:35 ` Ian Campbell
2012-01-12 23:35 ` [PATCH 16/18] xenstored: use domain_is_unprivileged instead of checking conn->id Daniel De Graaf
2012-01-18 11:44 ` Ian Campbell
2012-01-18 18:31 ` Daniel De Graaf
2012-01-12 23:35 ` [PATCH 17/18] xenstored: add --priv-domid parameter Daniel De Graaf
2012-01-18 11:48 ` Ian Campbell
2012-01-18 14:41 ` Daniel De Graaf
2012-01-18 14:47 ` Ian Campbell
2012-01-12 23:35 ` [PATCH 18/18] xenstored: Add stub domain builder Daniel De Graaf
2012-01-18 11:50 ` Ian Campbell
2012-01-12 23:36 ` [PATCH] xenbus: Add support for xenbus backend in stub domain Daniel De Graaf
2012-01-13 8:20 ` Jan Beulich
2012-01-13 14:06 ` Daniel De Graaf
2012-01-13 15:37 ` Jan Beulich
2012-01-13 15:44 ` Daniel De Graaf
2012-01-13 16:00 ` Jan Beulich
2012-01-13 17:42 ` Daniel De Graaf
2012-01-16 8:19 ` Jan Beulich
2012-01-18 12:07 ` Ian Campbell
2012-01-18 14:44 ` Daniel De Graaf
2012-01-18 10:23 ` [PATCH v2 00/18] Xenstore " Ian Campbell
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4F0EC198.9050406@invisiblethingslab.com \
--to=joanna@invisiblethingslab.com \
--cc=dgdegra@tycho.nsa.gov \
--cc=tim@xen.org \
--cc=xen-devel@lists.xensource.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).