Re: About Xen: maybe a reiterative question but ..

From: Adam Getchell
Date: Thursday, October 25, 2007 - 7:30 am

On 10/24/07, Damien Miller <djm@mindrot.org> wrote:


Restating my earlier post again, in regards to Xen:

1. Ormandy states that Xen's design is congruent with good security

2. Ormandy doesn't actually demonstrate a DomU -> Dom0 escalation, and
in fact, didn't test any HVMs at all.

3. Ormandy hypothesizes that based on Qemu flaws, there may be lurking
issues. However, Qemu compromises != Xen HVM Qemu compromises

Furthermore:

1. Upstream patches already exist [1] in response to Ormandy's bug report [2]

On 10/24/07, Brian <brian@planetunix.net> wrote:


The standard of security is 100% bug free code? If so, then OpenBSD is
certainly insecure, because the two remote root exploits demonstrated
in the last 10 years show that OpenBSD is not 100% bug free. Also, a
flaw (along with demonstrated code) was pointed out earlier in this
thread by Christopher Eggart.


Usually, when someone makes a claim that OpenBSD is insecure because
of some hypothetical vulnerability, the response is (rightly)
"Demonstrate an exploit. You'll be famous."

Can someone demonstrate a DomU->Dom0 exploit in the current, patched
version of Xen?

On 10/24/07, Jason Dixon <jason@dixongroup.net> wrote:


From my earlier post, did you look at:

http://shell.cse.ucdavis.edu/~bill/virt/virt.pdf

In particular, how does defending against certain classes of rootkits
and having known, good checksums for known, good binaries not increase
the security of the system?

Let's say DomU is OpenBSD (which HVM virtualizes fine, BTW). The few
rootkits (that could be installed by local, malicious users) for
OpenBSD can be detected using CDR, which wouldn't be the case
otherwise.

On 10/24/07, Theo de Raadt <deraadt@cvs.openbsd.org> wrote:


That I agree with.

But Xen is free ....

Adam

[1] https://launchpad.net/ubuntu/+source/xen-3.1/

[2] http://secunia.com/advisories/26986/
-- 
"Invincibility is in oneself, vulnerability in the opponent." -- Sun Tzu