From: Joanna Rutkowska
Subject: Re: Security discussion: Summary of proposals and criteria (was Re: Security vulnerability process, and CVE-2012-0217)
Date: Mon, 09 Jul 2012 16:08:04 +0200
Message-ID: <4FFAE5C4.8010600@invisiblethingslab.com>
In-Reply-To: <20120709135101.GA83420@ocelot.phlegethon.org>
References: <4FF93711.6020108@invisiblethingslab.com> <4FFAC0FF.6040206@invisiblethingslab.com> <20120709135101.GA83420@ocelot.phlegethon.org>
To: Tim Deegan
Cc: Jan Beulich, Stefano Stabellini, George Dunlap, xen-devel@lists.xen.org, Lars Kurth, Matt Wilson
List-Id: xen-devel@lists.xenproject.org

On 07/09/12 15:51, Tim Deegan wrote:
> At 13:31 +0200 on 09 Jul (1341840671), Joanna Rutkowska wrote:
>> > If you're into the security industry (going to conferences, etc.) you
>> > certainly know the right people who would be delighted to buy exploits
>> > from you, believe me ;) Probably most Xen developers don't fit into this
>> > crowd, true, but then again, do you think it would be so hard for an
>> > interested organization to approach one of the Xen developers on the
>> > pre-disclosure list? How many would resist if they had a chance to cash
>> > in some 7-figure number for this (I read in the press that hot
>> > bugs/exploits sell for this amount actually)?
> I think the argument is that an exploit that's going to be public (and
> patched) in the next couple of weeks would not fetch the same kind of
> price as an unknown attack that can be kept for later.

That depends on the type of exploit. For client-side exploits, perhaps you're right. But for infrastructure attacks it's a different story -- having an exploit such as Rafal's, I could have *silently* exploited lots of AWS machines and installed backdoors in their hypervisors/dom0. The fact that they will patch the bug two weeks later might be irrelevant then.

After all, how are you going to check whether your physical server has been compromised? Most people don't use any form of trusted boot, but even if they did, it's not a silver bullet, as we have demonstrated a few times in a row. And if you don't have trusted boot, like most people, you have very little chance of detecting a custom-made backdoor. Even if you are allowed to reboot the machine and boot "known good binaries", which often you cannot do, are you going to manually audit all the firmware, ACPI tables, etc.? Not to mention the integrity of the actual VMs, which might also have been compromised (and checking the integrity of a running OS, such as Linux or Windows, is just undoable).

Having said that, 2 weeks might be a bit short to prepare such an advanced attack. In this respect, it would probably be beneficial to keep the embargo period as short as possible (while still allowing important players to patch before others). 1 week perhaps?

joanna.