From: Dan Magenheimer
Subject: RE: New heap API and scrubbing
Date: Wed, 11 Feb 2009 14:20:10 +0000 (GMT)
Message-ID: <274d0a9a-8103-441f-9832-fbc559d0fe95@default>
To: Keir Fraser, "Xen-Devel (E-mail)"
List-Id: xen-devel@lists.xenproject.org

> > Moreover, it appears that there are MANY calls throughout
> > Xen to free_XXXheap_page/s() but I don't see much code
> > that scrubs the pages before freeing them.  Isn't
> > this a potential security issue?  Perhaps it should
> > be easier to free+scrub pages?
>
> Pages which are currently not scrubbed are either:
> 1. Freed by a domain before it dies, so it has to scrub them.
> 2. Xenheap pages or anonymous domheap pages which thus contained no guest
>    data and no security risk in not scrubbing them.

I realize that's true of "data" pages.  I'm no security expert, but
I think I'm referring to "sideband" attacks.  I.e. if an attacker
gets enough "non-data" pages (such as page-table pages) from another
domain, there is eventually sufficient information to derive something
useful.  The security guys get into a tizzy about such things.

> Feel free to add a free+scrub function.

OK.  Since tmem has true "data" pages to free, I will do that.

Thanks,
Dan
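To make the risk behind this exchange concrete, here is an added example in C that is not Xen code and not part of the thread: a toy page pool in which a first-fit allocator hands a freed page straight to its next owner, once with a plain free and once with the free+scrub helper the reply asks for. The pool, TOY_PAGE_SIZE, TOY_SECRET and all toy_* functions are assumptions for this illustration, not Xen's free_*heap_page() or scrub routines.

```c
/* Added example, not Xen code: a toy page pool that shows what the next
 * owner of a page can read when the previous owner's free skipped the
 * scrub. Every name here (toy_*, TOY_*) is an assumption made for this
 * illustration, not a Xen API. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TOY_PAGE_SIZE 256
#define TOY_NR_PAGES  4

/* Constructed "guest data" that the first owner writes into its page. */
static const char TOY_SECRET[] = "constructed secret: guest key material";

/* One flat backing array; page i lives at toy_pool + i * TOY_PAGE_SIZE. */
static uint8_t toy_pool[TOY_NR_PAGES * TOY_PAGE_SIZE];
static bool    toy_page_in_use[TOY_NR_PAGES];

/* Reset the pool: all pages free and zeroed, as on a fresh boot. */
static void toy_pool_init(void)
{
    memset(toy_pool, 0, sizeof toy_pool);
    memset(toy_page_in_use, 0, sizeof toy_page_in_use);
}

/* First-fit allocation. Like a real allocator it does NOT clear the page,
 * so the new owner sees whatever the previous owner left behind. */
static uint8_t *toy_alloc_page(void)
{
    for (size_t i = 0; i < TOY_NR_PAGES; i++) {
        if (!toy_page_in_use[i]) {
            toy_page_in_use[i] = true;
            return toy_pool + i * TOY_PAGE_SIZE;
        }
    }
    return NULL;
}

static size_t toy_page_index(const uint8_t *page)
{
    return (size_t)(page - toy_pool) / TOY_PAGE_SIZE;
}

/* Plain free: the page returns to the free list with its contents intact. */
static void toy_free_page(uint8_t *page)
{
    toy_page_in_use[toy_page_index(page)] = false;
}

/* Overwrite the page before anyone else can allocate it. The pool is a
 * global that is read again later, so the compiler cannot drop this store. */
static void toy_scrub_page(uint8_t *page)
{
    memset(page, 0, TOY_PAGE_SIZE);
}

/* The free+scrub helper discussed in the thread: scrub first, then free. */
static void toy_free_and_scrub_page(uint8_t *page)
{
    toy_scrub_page(page);
    toy_free_page(page);
}

/* Count bytes of the old contents still readable by the next allocator.
 * Returns 0 when the free was scrubbed, strlen(TOY_SECRET) when it was not. */
static size_t toy_bytes_leaked_after_free(bool scrub)
{
    toy_pool_init();

    uint8_t *victim = toy_alloc_page();
    memcpy(victim, TOY_SECRET, sizeof TOY_SECRET);

    if (scrub)
        toy_free_and_scrub_page(victim);
    else
        toy_free_page(victim);

    /* First fit hands the very same frame to the next caller. */
    uint8_t *attacker = toy_alloc_page();
    size_t leaked = 0;
    for (size_t i = 0; i < TOY_PAGE_SIZE; i++)
        if (attacker[i] != 0)
            leaked++;
    return leaked;
}

int main(void)
{
    printf("plain free leaks      %zu bytes\n", toy_bytes_leaked_after_free(false));
    printf("free+scrub leaks      %zu bytes\n", toy_bytes_leaked_after_free(true));
    return 0;
}
```

Running it shows every byte of the previous owner's data surviving a plain free and nothing surviving a scrubbed one. The same mechanism applies to the "non-data" pages mentioned above: a page-table page freed without scrubbing hands its previous owner's frame numbers and mapping layout to whoever allocates that frame next.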