xen-users

Re: [Xen-users] VM isolation

To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Xen-users] VM isolation
From: Mark Williamson <mark.williamson@xxxxxxxxxxxx>
Date: Fri, 31 Aug 2007 03:45:23 +0100
Cc: Andrew Jennings <ajennings@xxxxxxxxxx>
In-reply-to: <1187955814.3967.7.camel@xxxxxxxxxxxxxxxxxxxxx>
References: <1187955814.3967.7.camel@xxxxxxxxxxxxxxxxxxxxx>
> Could someone please point me to a document that describes how the host
> protects and isolates the virtual machine to prevent accessing information
> on other hosts. For example, preventing Domain 1 from looking at Domain
> 2's memory space, hardware I/O, or network traffic (i.e. promiscuous
> mode).

For PV guests, memory space is protected by means of Xen validating each 
pagetable update that's made by a guest.  This prevents a guest from ever 
generating a mapping that points to another guest.

For HVM guests, the pagetables are "shadowed" in order to virtualise the 
physical address space; this means that there's actually no means for a guest 
to specify a mapping of another guest's memory.

Grant tables are used to share memory in a secure, capability-based way.

IO is done through virtual interfaces, which are conventionally set up to 
enforce isolation.

If you assign a physical PCI device to a guest then you throw away memory 
isolation.  A guest with physical PCI access could (in the face of a 
sufficiently motivated attacker) own the whole host.  So don't do that if 
it's security critical :-)

Network traffic I'm not quite familiar enough with to evaluate in detail.

> Essentially, I want to be able to rate the isolation between wide 
> open, and logically separate hardware.

Hope that helps some.

There are some descriptions of the workings here: 
http://www.cl.cam.ac.uk/research/srg/netos/xen/architecture.html which may 
illuminate too.

Cheers,
Mark

-- 
Dave: Just a question. What use is a unicyle with no seat?  And no pedals!
Mark: To answer a question with a question: What use is a skateboard?
Dave: Skateboards have wheels.
Mark: My wheel has a wheel!

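To make the two mechanisms Mark describes concrete (PV pagetable validation and grant-table sharing), here is a small toy model added to this thread; it is not Xen's own code, and the domain ids, frame numbers and grant reference it uses are made up.

```python
"""Toy model of the PV page-table validation and grant-table sharing
described in the reply above.  Constructed illustration, not Xen's own
code: domain ids, frame numbers and grant references are made up."""

# Machine frame ownership (mfn -> owning domain).  Constructed sample:
# domain 1 owns frames 100-103, domain 2 owns frames 200-203.
FRAME_OWNER = {mfn: 1 for mfn in range(100, 104)}
FRAME_OWNER.update({mfn: 2 for mfn in range(200, 204)})

# Grant table, keyed by (granting domain, grant reference) ->
# (mfn, grantee domain, writable).  Domain 2 grants domain 1 read-only
# access to a single frame; nothing else is shared.
GRANT_TABLE = {(2, 7): (201, 1, False)}


def validate_pte_update(dom, mfn, writable, grant=None):
    """Return (accepted, reason) for a guest PTE that points at mfn.

    A PV guest may map frames it owns.  Any other frame is accepted only
    through a grant entry that names this domain as grantee, covers that
    exact frame, and permits the requested access mode."""
    owner = FRAME_OWNER.get(mfn)
    if owner is None:
        return False, "mfn %d does not exist" % mfn
    if owner == dom:
        return True, "domain %d owns mfn %d" % (dom, mfn)
    if grant is None:
        return False, "mfn %d is owned by domain %d, no grant given" % (mfn, owner)
    entry = GRANT_TABLE.get(grant)
    if entry is None or grant[0] != owner:
        return False, "no such grant from domain %d" % owner
    g_mfn, grantee, g_writable = entry
    if g_mfn != mfn or grantee != dom:
        return False, "grant does not cover mfn %d for domain %d" % (mfn, dom)
    if writable and not g_writable:
        return False, "grant is read-only, writable mapping refused"
    return True, "mfn %d mapped via grant from domain %d" % (mfn, owner)


def apply_pagetable_batch(dom, updates):
    """Validate a batch of (virtual page, mfn, writable, grant) entries
    before committing any of them.  In this model every entry must pass;
    the first rejected entry aborts the batch with the validator's reason."""
    table = {}
    for vpage, mfn, writable, grant in updates:
        ok, reason = validate_pte_update(dom, mfn, writable, grant)
        if not ok:
            raise PermissionError("vpage %#x rejected: %s" % (vpage, reason))
        table[vpage] = (mfn, writable)
    return table
```

Running `apply_pagetable_batch(1, [(0x1000, 100, True, None), (0x2000, 200, False, None)])` raises because frame 200 belongs to domain 2 and no grant covers it, which is the check that stops one guest from naming another guest's memory.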