[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [libvirt] Looking for Hypervisor Vulerability Example



On Tue, Nov 30, 2010 at 01:08:12PM -0800, Shi Jin wrote:
> Hi there,
> 
> I am researching on virtualization security and particularly on sVirt. 
> >From this sVirt presentation[1] and this RHEL-6 documentation on sVirt [2], I read: 
>  If there is a security flaw in the hypervisor that can be exploited by a guest
>  instance, this guest may be able to not only attack the host, but also other 
>  guests running on that host. This is not theoretical; attacks already exist 
>  on hypervisors. These attacks can extend beyond the guest instance and could
>  expose other guests to attack.
> 
> I am very interested to know about the exact attacks: which version of hypervisor
> on which OS, how was the exploit used and how it affected the systems.

James Morris' presentation is referring to this published demonstration
of exploiting Xen a few years ago

  http://www.securityfocus.com/archive/1/497376
  http://invisiblethingslab.com/resources/misc08/xenfb-adventures-10.pdf

The key difference sVirt makes is at chapter 3.4 in the paper.

In Xen world, there was a single SELinux domain (xend_t) that covered
XenD and all the QEMU processes. Since all VMs & XenD ran as the same
context, any exploited QEMU process in Xen, could access any other
guest disks, as well as any host disks.

In the KVM + sVirt world, every QEMU process is separated by a dedicated
MCS category on its SELinux context. The disks assigned to a guest are
labelled with the same MCS category. This means that an exploited QEMU
can only access disks which were explicitly assigned to it, and cannot
access the host disk devices. This prevents the step in that paper
where they overwrite various key files in the host OS root filesystem

Regards,
Daniel


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]