Weblog:   What is Xen, and Why is it cool?
Subject:   XEN and ia32/x86 Security
Date:   2005-03-25 16:09:31
From:   BillCaelli
A recent article stated as follows:
"If a service is compromised, only that service is compromised."


What proof do we have of this?
Remember x86 architecture involves two vital security structures, i.e. memory segmentation and capability structure (such as stack only, code segment, data segment, address extent limitations and enforcement, etc.) and a 4-ring structure based on MULTICS. Now, let's assume XEN runs at ring 0 and does the stupid thing of setting all/most of the segment registers to a single base address and extent (the sort of LINUX/Windows mess we got into because of a desire to support RISC, two state architecture). This means that virtual machines also run in ring 0 or in another ring, say, ring 3, the application level according to Intel.


All an attacker has to do is to restart the memory segmentation structure, for example (see the work done at SUNY at Stony Brook, New York) and it's all over! Other possibilities exist.


There appears to be some mistake. XEN is NOT a true "B2", MLS level system with complete VM isolation (remember MULTICS and IBM Systems 360/67!). Indeed, with only one MSR register set we have the potential to capture the master register set and jump machines!


No - XEN is really useful - great for development activity BUT never, never should it be proposed as a "saviour" for security! CIOs and management may grab this as a cheap alternative to true security architecture.


Regards,
Bill

  • XEN and ia32/x86 Security
    2007-03-21 04:59:07  MichaelHunt

    Your technical description is not true.

    First of all, the guest OS does not run in ring 0. Therefore it cannot change the cr3 register to modify the MMU data.

    Second. Segmentation is a BAD thing. We don't have flat memory because of "a desire to suport [sic] RISC", but because it's the right thing to do. The x64/amd64 architecture doesn't even have a segmented mode, or so I'm told.

    Please everyone, do not glaze over at the technical jargon of BillCaelli and just accept it. He is wrong.
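The two posts above disagree about what x86 segmentation and the ring structure actually enforce. The following is an added worked example for this thread (not code from Xen, Intel, or either poster): it decodes legacy 8-byte GDT segment descriptors from a constructed GDT blob and applies the processor's selector privilege check (max(CPL, RPL) must not exceed the descriptor's DPL) together with the base/limit bounds check. Running it shows the point both sides are circling: with the usual "flat" ring-3 data segment covering all 4 GB, the segment check lets user code address kernel-range memory, so isolation in that model rests on paging (the CR3 page tables Michael mentions), whereas a bounded descriptor rejects the same address at the segmentation level. The descriptor values below are constructed textbook flat-model entries, and the function and class names are this example's own.

```python
"""Decode x86 GDT segment descriptors and apply the ring/privilege check.

Added example for the Xen segmentation thread; not code from Xen or the posters.
Descriptor layout follows the Intel SDM legacy 8-byte format.
"""
import struct
from dataclasses import dataclass
from typing import List


@dataclass
class SegmentDescriptor:
    base: int          # linear base address
    limit: int         # last valid offset (after granularity scaling)
    dpl: int           # descriptor privilege level, 0 (kernel) .. 3 (user)
    present: bool
    is_code: bool
    readable: bool     # code segment: readable; data segment: always True
    writable: bool     # data segment: writable; code segment: never
    long_mode: bool    # L bit: 64-bit code segment, base/limit ignored


def decode_descriptor(raw: int) -> SegmentDescriptor:
    """Decode one 64-bit legacy descriptor (code or data, S bit set)."""
    limit = (raw & 0xFFFF) | (((raw >> 48) & 0xF) << 16)
    base = ((raw >> 16) & 0xFFFFFF) | (((raw >> 56) & 0xFF) << 24)
    access = (raw >> 40) & 0xFF          # P | DPL(2) | S | Type(4)
    flags = (raw >> 52) & 0xF            # G | D/B | L | AVL
    if flags & 0x8:                      # G=1: limit is in 4 KiB pages
        limit = (limit << 12) | 0xFFF
    present = bool(access & 0x80)
    dpl = (access >> 5) & 0x3
    is_code = bool(access & 0x08)        # Type bit 3: executable
    rw_bit = bool(access & 0x02)         # readable (code) / writable (data)
    if is_code:
        return SegmentDescriptor(base, limit, dpl, present, True, rw_bit, False, bool(flags & 0x2))
    return SegmentDescriptor(base, limit, dpl, present, False, True, rw_bit, False)


def parse_gdt(blob: bytes) -> List[SegmentDescriptor]:
    """Split a raw GDT image into descriptors (entry 0 is the null descriptor)."""
    return [decode_descriptor(q) for (q,) in struct.iter_unpack("<Q", blob)]


def check_access(cpl: int, rpl: int, desc: SegmentDescriptor, address: int, write: bool) -> bool:
    """Model loading a data selector and touching `address` through it.

    Returns True only if the privilege check, the access-rights check and the
    base/limit bounds check all pass; a False here would be a #GP on hardware.
    """
    if not desc.present:
        return False
    if max(cpl, rpl) > desc.dpl:         # selector privilege check
        return False
    if write and not desc.writable:      # no writes through code or RO data
        return False
    if not write and not desc.readable:
        return False
    if not desc.long_mode and not (desc.base <= address <= desc.base + desc.limit):
        return False                     # outside the segment extent
    return True


# Constructed flat-model GDT entries (base 0, limit 4 GiB, G=1) plus one
# bounded user data segment whose limit is 3 GiB (0xBFFFFFFF), i.e. it
# excludes a kernel region that starts at 0xC0000000.
NULL_DESC = 0x0000000000000000
KERNEL_CODE = 0x00CF9A000000FFFF   # ring 0, execute/read
KERNEL_DATA = 0x00CF92000000FFFF   # ring 0, read/write
USER_CODE = 0x00CFFA000000FFFF     # ring 3, execute/read
USER_DATA_FLAT = 0x00CFF2000000FFFF   # ring 3, read/write, 4 GiB
USER_DATA_BOUNDED = 0x00CBF2000000FFFF  # ring 3, read/write, 3 GiB
LONG_MODE_CODE = 0x00AF9A000000FFFF   # ring 0, L=1 (64-bit)

GDT_BLOB = struct.pack("<7Q", NULL_DESC, KERNEL_CODE, KERNEL_DATA, USER_CODE,
                       USER_DATA_FLAT, USER_DATA_BOUNDED, LONG_MODE_CODE)
KERNEL_ADDRESS = 0xC0100000        # constructed address inside the kernel region


def user_can_write_kernel_range(flat: bool) -> bool:
    """Ring-3 write to a kernel-range address via the flat or bounded data segment."""
    gdt = parse_gdt(GDT_BLOB)
    desc = gdt[4] if flat else gdt[5]
    return check_access(cpl=3, rpl=3, desc=desc, address=KERNEL_ADDRESS, write=True)


if __name__ == "__main__":
    for i, d in enumerate(parse_gdt(GDT_BLOB)):
        print(i, d)
    print("flat user segment reaches kernel range:", user_can_write_kernel_range(True))
    print("bounded user segment reaches kernel range:", user_can_write_kernel_range(False))
```

The flat case returning True is not a bug: it is exactly the configuration Bill objects to, and it is why, on such a system, the guest-visible isolation boundary is the page tables and the ring at which the guest runs rather than the segment limits. Long-mode code descriptors decode with `long_mode=True`, and the bounds check is skipped for them because 64-bit mode ignores base and limit for CS, DS, ES and SS, which is the "no segmented mode" point in the reply.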
