* [Qemu-devel]  A question about postcopy safety
       [not found] <110743700.1285610.1472475080274.ref@mail.yahoo.com>
@ 2016-08-29 12:51 ` liutgnu
  2016-08-29 14:00   ` Kashyap Chamarthy
  2016-09-05 13:52   ` Dr. David Alan Gilbert
  0 siblings, 2 replies; 4+ messages in thread
From: liutgnu @ 2016-08-29 12:51 UTC (permalink / raw)
  To: dgilbert, qemu-devel

Hi David,

I'm studying the process of postcopy migration, and I found that the memory pages migrated from source to destination are not encrypted. Does this make the VM vulnerable if its memory has been tampered with during postcopy migration?

I think precopy has less risk because the source's memory is always altering. If one page is tampered with during network transfer, with source still running, then a later version of that page may keep updating. So it would be quite difficult to track all different page versions, and tamper with the final version of one page.

But when it comes to postcopy, the situation is riskier because one specific page is only transferred once. It's easy to capture all transferring memory pages, tamper and resend.

When the memory has been tampered with, the safety of the VM will be compromised.

Any ideas? Thank you!

Liutao


* Re: [Qemu-devel] A question about postcopy safety
From: Kashyap Chamarthy @ 2016-08-29 14:00 UTC (permalink / raw)
  To: liutgnu; +Cc: dgilbert, qemu-devel

On Mon, Aug 29, 2016 at 12:51:20PM +0000, liutgnu@yahoo.com wrote:
> Hi David, I'm studying the process of postcopy migration, and I found
> that the memory pages migrated from source to destination are not
> encrypted. Does this make the VM vulnerable if its memory has been
> tampered with during postcopy migration?

If you haven't already, you might want to take a look at this post,
which discusses the security details during live migration with
post-copy.

https://www.berrange.com/posts/2016/08/16/improving-qemu-security-part-7-tls-support-for-migration/

It also has an example of setting the 'tls-creds' field with
'migrate-set-parameters' QMP command to use TLS, before triggering
'migrate' QMP command.

> I think precopy has less risk because the source's memory is always
> altering. If one page is tampered with during network transfer, with
> source still running, then a later version of that page may keep
> updating. So it would be quite difficult to track all different page
> versions, and tamper with the final version of one page.
> 
> But when it comes to postcopy, the situation is riskier because one
> specific page is only transferred once. It's easy to capture all
> transferring memory pages, tamper and resend.
> 
> When the memory has been tampered with, the safety of the VM will be
> compromised.
> 
> Any ideas? Thank you! Liutao

-- 
/kashyap
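The sequence Kashyap refers to, as an added example that is not part of the original thread or of QEMU's own code: a small QMP client that loads x509 credentials with 'object-add', sets 'tls-creds' with 'migrate-set-parameters', and only then issues 'migrate' (source) or 'migrate-incoming' (destination). The object id `tls0`, the socket path, the certificate directory and the `tcp:` URIs are assumptions; the flat 'object-add' property layout is the one accepted by QEMU 5.0 and later (older releases nest the properties under "props"), and 'migrate-incoming' on the destination assumes QEMU was started with `-incoming defer`. Before starting the transfer the client re-reads the migration parameters with 'query-migrate-parameters' and refuses to proceed if 'tls-creds' is still unset, which is the check that keeps a mis-ordered script from sending guest memory in the clear.

```python
import json
import socket

# Assumed QOM object id for the credentials (not from the thread).
TLS_CREDS_ID = "tls0"


def build_tls_migration_commands(role, creds_dir, uri, creds_id=TLS_CREDS_ID):
    """Return the ordered QMP commands that configure TLS before the transfer.

    role is "source" or "destination". Ordering matters: tls-creds must be set
    with migrate-set-parameters before 'migrate' / 'migrate-incoming' is sent,
    otherwise the migration stream is plaintext. The destination must run its
    sequence (and be listening) before the source issues 'migrate'.
    """
    if role not in ("source", "destination"):
        raise ValueError("role must be 'source' or 'destination'")
    endpoint = "client" if role == "source" else "server"
    commands = [
        {"execute": "qmp_capabilities"},
        # creds_dir holds ca-cert.pem plus the endpoint's cert and key
        # (client-cert.pem/client-key.pem or server-cert.pem/server-key.pem).
        # Flat properties as in QEMU >= 5.0 (assumption; older QEMU nests
        # them under "props").
        {"execute": "object-add",
         "arguments": {"qom-type": "tls-creds-x509", "id": creds_id,
                       "dir": creds_dir, "endpoint": endpoint,
                       "verify-peer": True}},
        {"execute": "migrate-set-parameters",
         "arguments": {"tls-creds": creds_id}},
    ]
    if role == "source":
        commands.append({"execute": "migrate", "arguments": {"uri": uri}})
    else:
        commands.append({"execute": "migrate-incoming",
                         "arguments": {"uri": uri}})
    return commands


def tls_creds_configured(params):
    """True if a query-migrate-parameters result names a tls-creds object.

    Older QEMU omits the key when unset; newer QEMU returns "".
    """
    return bool(params.get("tls-creds"))


def run_qmp_session(sock_path, commands):
    """Send the commands over QEMU's QMP unix socket, stopping at any error.

    Right before the command that starts the transfer, verify that tls-creds
    really is set on this QEMU, and abort instead of migrating in the clear.
    """
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.connect(sock_path)
        f = sock.makefile("rw", encoding="utf-8", newline="\n")
        greeting = json.loads(f.readline())
        if "QMP" not in greeting:
            raise RuntimeError("not a QMP greeting: %r" % greeting)

        def execute(cmd):
            f.write(json.dumps(cmd) + "\n")
            f.flush()
            while True:
                reply = json.loads(f.readline())
                if "event" in reply:      # asynchronous events interleave
                    continue
                if "error" in reply:
                    raise RuntimeError("%s failed: %s"
                                       % (cmd["execute"], reply["error"]))
                return reply.get("return")

        for cmd in commands:
            if cmd["execute"] in ("migrate", "migrate-incoming"):
                params = execute({"execute": "query-migrate-parameters"})
                if not tls_creds_configured(params):
                    raise RuntimeError("refusing to start migration: "
                                       "tls-creds is not set")
            execute(cmd)


if __name__ == "__main__":
    # Assumed paths and addresses; run the destination side first.
    run_qmp_session("/tmp/qmp-dst.sock", build_tls_migration_commands(
        "destination", "/etc/pki/qemu", "tcp:0.0.0.0:4444"))
    run_qmp_session("/tmp/qmp-src.sock", build_tls_migration_commands(
        "source", "/etc/pki/qemu", "tcp:10.0.0.2:4444"))
```

The same `tls-creds` parameter must be set on both QEMUs; if only the source sets it the handshake fails rather than silently falling back to plaintext, which is the behaviour you want.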


* Re: [Qemu-devel] A question about postcopy safety
From: Dr. David Alan Gilbert @ 2016-09-05 13:52 UTC (permalink / raw)
  To: liutgnu; +Cc: qemu-devel

* liutgnu@yahoo.com (liutgnu@yahoo.com) wrote:
> Hi David,

Hi Liutao,

> I'm studying the process of postcopy migration, and I found that the memory pages migrated from source to destination are not encrypted. Does this make the VM vulnerable if its memory has been tampered with during postcopy migration?
> 
> I think precopy has less risk because the source's memory is always altering. If one page is tampered with during network transfer, with source still running, then a later version of that page may keep updating. So it would be quite difficult to track all different page versions, and tamper with the final version of one page.
> 
> But when it comes to postcopy, the situation is riskier because one specific page is only transferred once. It's easy to capture all transferring memory pages, tamper and resend.

I don't think there's much difference between precopy and postcopy for security;
the only secure way to do migration is over an encrypted transport and that solves
it for both precopy and postcopy.

I don't think it would be that hard for a malicious person to track the pages in precopy;
and indeed what they could do is wait until an interesting page comes along
(say one with a hash or the data they're interested in) and then insert a new version
of that page later with their own nasty version on - postcopy wouldn't allow
that second version.

The challenge is to get a nice fast high speed encryption layer, and for post-copy
it should have low added latency.

> 
> When the memory has been tampered with, the safety of the VM will be compromised.
> 
> Any ideas? Thank you! Liutao

Dave

--
Dr. David Alan Gilbert / dgilbert@redhat.com / Manchester, UK


* Re: [Qemu-devel] A question about postcopy safety
From: Daniel P. Berrange @ 2016-09-05 14:00 UTC (permalink / raw)
  To: Dr. David Alan Gilbert; +Cc: liutgnu, qemu-devel

On Mon, Sep 05, 2016 at 02:52:14PM +0100, Dr. David Alan Gilbert wrote:
> * liutgnu@yahoo.com (liutgnu@yahoo.com) wrote:
> > Hi David,
> 
> Hi Liutao,
> 
> > I'm studying the process of postcopy migration, and I found that the memory pages migrated from source to destination are not encrypted. Does this make the VM vulnerable if its memory has been tampered with during postcopy migration?
> > 
> > I think precopy has less risk because the source's memory is always altering. If one page is tampered with during network transfer, with source still running, then a later version of that page may keep updating. So it would be quite difficult to track all different page versions, and tamper with the final version of one page.
> > 
> > But when it comes to postcopy, the situation is riskier because one specific page is only transferred once. It's easy to capture all transferring memory pages, tamper and resend.
> 
> I don't think there's much difference between precopy and postcopy for security;
> the only secure way to do migration is over an encrypted transport and that solves
> it for both precopy and postcopy.

Agreed, there's no real world difference in the security of pre & post copy.
If you care about security there's no avoiding the need to use an encrypted
transport.

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
