[Gllug] Security from scratch or just stick with Astaro?
Richard Jones
rich at annexia.org
Fri Apr 11 12:28:22 UTC 2008
On Fri, Apr 11, 2008 at 08:03:16AM +0100, Nix wrote:
> (Yes, it is theoretically less secure because packets must traverse the
> VM and host on their way in. In practice? Not only have I had no
> complaints, running firewalls on a VM is not uncommon and I've never
> heard of anyone who kept their guest VMs up to date being compromised
> because they're using a VM. user-mode-linux is particularly suitable
> here because it's the *same code* as you're running on the host kernel
> anyway, so the vulnerability surface doesn't increase much.
[...]
> > I am thinking there is a message I have missed. :(
>
> It seems more like theoretical considerations than anything grounded in
> reason to me.
There is more than a theoretical increase especially with Xen. The
Xen hypervisor duplicates a lot of initialization code from Linux, and
maybe in future will duplicate more drivers, except that this code is
less well tested and receives fewer eyeballs than the code in Linux.
The really big problem where the "surface" of vulnerability gets
bigger is with the emulated devices that a guest can access. Everyone
basically uses qemu to emulate these devices and qemu has a small
history of vulnerabilities, e.g. CVE-2007-1320 (emulated Cirrus Logic
bounds check) and CVE-2007-1321 (emulated NE2K buffer overflow).
With Xen, the qemu process runs as root, but it was never designed for
that. Here's an email you may [not] enjoy reading:
http://marc.info/?l=debian-security&m=120343592917055&w=2 (thanks to
Dan Berrange for pointing that one out).
Another good route for compromising the host from the guest is through
monitoring and provisioning tools. For example you may be tempted to
try to mount a guest's partitions inside your host, but no one really
knows what happens if the guest is being malicious and creates
hand-crafted partition tables, filesystem superblocks or LVM PV
metadata. Linux has some defences against this sort of vulnerability
(back in the bad old days you used to be able to compromise a Linux
machine by inserting a malicious CD-ROM or floppy disk, but those
vulnerabilities are now mostly gone), but I'm sure with LVM + the huge
range of filesystems supported for general block devices there are a
lot more waiting to be found.
Rich.
--
Richard Jones
Red Hat
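A sanity check of the kind the last paragraph argues for, as an added example that is not part of the original post: before a host mounts a guest image, parse its MBR and refuse entries that point past the end of the image, overlap, or carry nonsense flags. The 8 MiB image size and the sample MBR bytes are constructed for the demonstration.

```python
import struct

SECTOR = 512  # classic MBR addressing uses 512-byte sectors


def parse_mbr(mbr: bytes):
    """Return the four primary partition entries of a classic MBR as dicts."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR (missing 0x55AA signature)")
    entries = []
    for i in range(4):
        off = 446 + 16 * i  # partition table starts at byte 446
        # boot flag, 3 CHS bytes, type, 3 CHS bytes, LBA start, sector count
        boot, ptype, start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        entries.append({"index": i, "boot": boot, "type": ptype,
                        "start": start, "sectors": sectors})
    return entries


def check_partitions(mbr: bytes, image_bytes: int):
    """Return the list of reasons a host should refuse to mount this image."""
    problems = []
    total = image_bytes // SECTOR
    used = []  # (start, end, index) of entries accepted so far
    for e in parse_mbr(mbr):
        i = e["index"]
        if e["type"] == 0:  # empty slot must be all zero
            if e["start"] or e["sectors"]:
                problems.append(f"entry {i}: empty type but non-zero geometry")
            continue
        if e["boot"] not in (0x00, 0x80):
            problems.append(f"entry {i}: invalid boot flag 0x{e['boot']:02x}")
        if e["sectors"] == 0:
            problems.append(f"entry {i}: zero length")
        end = e["start"] + e["sectors"]
        if end > total:
            problems.append(f"entry {i}: extends past end of image "
                            f"({end} > {total} sectors)")
        for s, en, j in used:
            if e["start"] < en and s < end:
                problems.append(f"entry {i}: overlaps entry {j}")
        used.append((e["start"], end, i))
    return problems


def build_entry(boot, ptype, start, sectors):
    return struct.pack("<B3xB3xII", boot, ptype, start, sectors)


# Constructed MBR: one sane Linux partition, then an LVM entry whose
# sector count is far larger than any 8 MiB image could hold.
SAMPLE_MBR = (bytes(446) + build_entry(0x80, 0x83, 2048, 2048)
              + build_entry(0x00, 0x8E, 4096, 0xFFFFFFF0)
              + bytes(32) + b"\x55\xaa")
```

Run `check_partitions(SAMPLE_MBR, 8 * 1024 * 1024)` to see the oversized entry reported; an empty list means no inconsistency was detected, not that the filesystems inside are safe to mount.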
--
Gllug mailing list - Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug