[prev in list] [next in list] [prev in thread] [next in thread] 

List:       xen-users
Subject:    Re: [Xen-users] Live Migration Config
From:       Mark Williamson <mark.williamson () cl ! cam ! ac ! uk>
Date:       2005-10-30 1:43:56
Message-ID: 200510300143.56718.mark.williamson () cl ! cam ! ac ! uk
[Download RAW message or body]

> It's actually a huge security hole since a migrating domU carries its
> device mappings to the target machine.   Basically, you  could create domU,
> map one of its disks to say /dev/hdb, migrate it to a target machine and
> gain access to /dev/hdb on the target.   Same goes for any file used as a
> disk on the source/target dom0.

Yeah OK, it's horrid actually :-)

Xend trusts anything the incoming config tells it...  Could get nasty very 
quickly from both security and DoS perspectives.

> Minimally, Xen should implement a simple hosts.allow hosts.deny mechanism
> for migration so that a host can limit which other hosts can migrate in.  
> Relying on network isolation using a separate management network isn't
> always practical.

True...  But it only really works if you're reasonably sure attackers can't 
get root on any system.  If you have virtual machines that could have been 
rooted by someone malicious they can still spoof IP addresses, sniff the 
contents of other domUs that are currently being migrated, etc.

At least using a separate virtual lan would be nice, but there should still be 
more support in Xend for a sanely secure mixed network.  It'll come, 
eventually...

Cheers,
Mark

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
[prev in list] [next in list] [prev in thread] [next in thread]