Re: [libvirt] Looking for Hypervisor Vulnerability Example

2010-12-06 Thread Daniel P. Berrange
On Thu, Dec 02, 2010 at 03:04:35PM -0800, Shi Jin wrote:
  James Morris' presentation is referring to this published demonstration
  of exploiting Xen a few years ago

    http://www.securityfocus.com/archive/1/497376
    http://invisiblethingslab.com/resources/misc08/xenfb-adventures-10.pdf

  The key difference sVirt makes is at chapter 3.4 in the paper.

  In the Xen world, there was a single SELinux domain (xend_t) that covered
  XenD and all the QEMU processes. Since all VMs & XenD ran as the same
  context, any exploited QEMU process in Xen could access any other
  guest disks, as well as any host disks.

  In the KVM + sVirt world, every QEMU process is separated by a dedicated
  MCS category on its SELinux context. The disks assigned to a guest are
  labelled with the same MCS category. This means that an exploited QEMU
  can only access disks which were explicitly assigned to it, and cannot
  access the host disk devices. This prevents the step in that paper
  where they overwrite various key files in the host OS root filesystem.

 Is there any well-documented KVM exploit that can be reproduced
 without too much trouble, assuming SELinux (sVirt) is turned
 off? Then I can demonstrate the effect of sVirt by turning it on.

I'm not aware of any documented KVM exploit.

Regards,
Daniel

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

Re: [libvirt] Looking for Hypervisor Vulnerability Example

2010-12-02 Thread Daniel P. Berrange
On Tue, Nov 30, 2010 at 01:08:12PM -0800, Shi Jin wrote:
 Hi there,

 I am researching virtualization security, and particularly sVirt.
 From this sVirt presentation[1] and this RHEL-6 documentation on sVirt [2],
 I read:
  If there is a security flaw in the hypervisor that can be exploited by a
  guest instance, this guest may be able to not only attack the host, but also
  other guests running on that host. This is not theoretical; attacks already
  exist on hypervisors. These attacks can extend beyond the guest instance and
  could expose other guests to attack.

 I am very interested to know about the exact attacks: which version of
 hypervisor on which OS, how was the exploit used and how it affected the
 systems.

James Morris' presentation is referring to this published demonstration
of exploiting Xen a few years ago

  http://www.securityfocus.com/archive/1/497376
  http://invisiblethingslab.com/resources/misc08/xenfb-adventures-10.pdf

The key difference sVirt makes is at chapter 3.4 in the paper.

In the Xen world, there was a single SELinux domain (xend_t) that covered
XenD and all the QEMU processes. Since all VMs & XenD ran as the same
context, any exploited QEMU process in Xen could access any other
guest disks, as well as any host disks.

In the KVM + sVirt world, every QEMU process is separated by a dedicated
MCS category on its SELinux context. The disks assigned to a guest are
labelled with the same MCS category. This means that an exploited QEMU
can only access disks which were explicitly assigned to it, and cannot
access the host disk devices. This prevents the step in that paper
where they overwrite various key files in the host OS root filesystem.

Regards,
Daniel

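To make the separation Daniel describes concrete, here is an added example (not code from this thread or from libvirt) that models the two SELinux decisions standing between a QEMU process and a disk label: type enforcement first, then MCS category dominance. The type names svirt_t and svirt_image_t are the ones libvirt's sVirt driver uses; the host device type fixed_disk_device_t, the simplified allow table and every sample context are constructed for the example.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Context:
    user: str
    role: str
    type: str
    sensitivity: str
    categories: frozenset  # MCS categories, e.g. {57, 233}

def parse_context(ctx: str) -> Context:
    """Parse 'user:role:type:s0:c57,c233'; categories may be a range like c0.c1023."""
    user, role, typ, level = ctx.split(":", 3)
    sens, _, cats = level.partition(":")
    categories = set()
    for part in filter(None, cats.split(",")):
        m = re.fullmatch(r"c(\d+)(?:\.c(\d+))?", part)
        if not m:
            raise ValueError(f"bad category spec {part!r} in {ctx!r}")
        lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
        categories.update(range(lo, hi + 1))
    return Context(user, role, typ, sens, frozenset(categories))

# Type-enforcement half, simplified and assumed for this example: which object
# types the guest domain may open at all (svirt_t = QEMU, svirt_image_t = its disks).
ALLOWED_TYPES = {"svirt_t": {"svirt_image_t"}}

def qemu_may_access(proc_ctx: str, file_ctx: str) -> str:
    """Apply, in order, the two checks sVirt relies on for a QEMU -> disk access."""
    proc, obj = parse_context(proc_ctx), parse_context(file_ctx)
    if obj.type not in ALLOWED_TYPES.get(proc.type, set()):
        return "denied: type enforcement"      # e.g. a raw host disk device
    # MCS: the process level must dominate the object level, i.e. carry every
    # category the object has (all sample labels share sensitivity s0).
    if not obj.categories <= proc.categories:
        return "denied: MCS category"          # another guest's disk image
    return "allowed"

def demo() -> dict:
    """Constructed sample labels: guest A's QEMU process against three disks."""
    qemu_a = "system_u:system_r:svirt_t:s0:c57,c233"
    disks = {
        "guest A image": "system_u:object_r:svirt_image_t:s0:c57,c233",
        "guest B image": "system_u:object_r:svirt_image_t:s0:c12,c800",
        "host /dev/sda": "system_u:object_r:fixed_disk_device_t:s0",  # assumed type
    }
    return {name: qemu_may_access(qemu_a, ctx) for name, ctx in disks.items()}
```

On a live SELinux host the same comparison can be made by hand from the labels shown by ps -eZ for the QEMU processes and ls -Z for the disk images.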
Re: [libvirt] Looking for Hypervisor Vulnerability Example

2010-12-02 Thread Shi Jin
 James Morris' presentation is referring to this published demonstration
 of exploiting Xen a few years ago

   http://www.securityfocus.com/archive/1/497376
   http://invisiblethingslab.com/resources/misc08/xenfb-adventures-10.pdf

 The key difference sVirt makes is at chapter 3.4 in the paper.

 In the Xen world, there was a single SELinux domain (xend_t) that covered
 XenD and all the QEMU processes. Since all VMs & XenD ran as the same
 context, any exploited QEMU process in Xen could access any other
 guest disks, as well as any host disks.

 In the KVM + sVirt world, every QEMU process is separated by a dedicated
 MCS category on its SELinux context. The disks assigned to a guest are
 labelled with the same MCS category. This means that an exploited QEMU
 can only access disks which were explicitly assigned to it, and cannot
 access the host disk devices. This prevents the step in that paper
 where they overwrite various key files in the host OS root filesystem.
 
 Regards,
 Daniel
 
Cool!
Is there any well-documented KVM exploit that can be reproduced without too
much trouble, assuming SELinux (sVirt) is turned off? Then I can demonstrate
the effect of sVirt by turning it on.
Thank you very much.

Shi

[libvirt] Looking for Hypervisor Vulnerability Example

2010-11-30 Thread Shi Jin
Hi there,

I am researching virtualization security, and particularly sVirt.
From this sVirt presentation[1] and this RHEL-6 documentation on sVirt [2], I
read:
 If there is a security flaw in the hypervisor that can be exploited by a guest
 instance, this guest may be able to not only attack the host, but also other
 guests running on that host. This is not theoretical; attacks already exist on
 hypervisors. These attacks can extend beyond the guest instance and could
 expose other guests to attack.

I am very interested to know about the exact attacks: which version of
hypervisor on which OS, how was the exploit used and how it affected the
systems.

I want to be able to reproduce one of the attacks in our lab so that I can
demonstrate to people the security issues and then how sVirt could be used
to actually prevent the attacks on the hosting system and other VMs. I believe a
real demonstration is better than a million words.

I appreciate your help.

Shi

[1]:http://namei.org/presentations/svirt-lca-2009.pdf
[2]:http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Virtualization/chap-sVirt.html
--
Shi Jin, PhD
