RFC: Adding a section to the Xen security policy about what constitutes a vulnerability

RFC: Adding a section to the Xen security policy about what constitutes a vulnerability

[George Dunlap]

The Xen Security Team has dealt with a number of issues recently where
it wasn't exactly clear whether we should issue an advisory or not:
the Xen Security Response Process only mentiones "'vulnerabilities",
without specifying what constitutes a vulnerability.

Issuing advisories has a cost: It costs the security team significant
amounts of time to craft and send the advisories; it costs many of our
downstreams time to apply, build, and test patches; and every advisory
has the risk that it will be picked up and blown out of proportion by
the media.  So we want to make sure to only issue advisories for
issues that are worth the cost.

We would like guidelines from the community about what sorts of issues
should be considered security issues (and thus will have advisories
issued).  Below is a draft of a section I* am proposing to be added to
the Xen Security Policy, just under the section "Specific Process".

Most of it is just encoding long-established practice.  But there are
two key changes and / or clarifications that deserve attention and
discussion: criteria 2c (leaking of mundane information will not be
considered a security issue unless it may contain sensitive guest or
user data), and 4 (if no known operating systems are vulnerable to a
bug, no advisory will be issued).

Please give feedback.  Thanks!

* This has my own proposal; it is inspired by discussions the security
team has had, but it has not been vetted by them.

====

# Scope of vulnerabilities covered by this process

All security issues are bugs, but not all bugs are security issues.
This section is meant to be a guide from the Xen community to the Xen
security response team regarding which bugs should have advisories
issued for them.  Discoverers are encouraged to err on the side of
caution and report any potential vulnerabilities to the security team.
These guidelines are not meant to be set in stone; if they do not fit
your needs as a user, please raise the issue on xen-devel.

Every potential vulnerability will have a source context, an effect,
and a target effect context.  For instance, a bug may allow a guest
user (source context) to escalate their privileges (effect) to that of
the guest kernel (target context); or it may allow a guest
administrator (source context) to severely degrade the disk
performance (effect) of another guest (target context).

Only the following source/target context pairs will be considered
vulnerabilities:

1a. The source is the guest userspace, guest kernel, or QEMU stubdomain,
and the target is the hypervisor, dom0 and toolstack.

1b. The source is the guest userspace, guest kernel, or QEMU
stubdomain, and the target is another guest.

1c. The source is guest userspace, and the target is the guest kernel,
or other guest userspace processes.

This means, for instance, that bug which allows a guest kernel to
perform a DoS on itself will not be considered a security
vulnerability.  It also means, at the moment, that the security team
will not issue advisories for highly disaggregated environments.

Only some effects are considered vulnerabilities; and whether they are
vulnerabilities depends on the target context:

2a. Privilege escalation: causing arbitrary code to be run in the target
context.  This will be considered a vulnerability in all cases above (1a-c).

2b. Denial of service: Causing termination of or significant
degradation of performance in the target context.  This will be
considered a vulnerability in all cases above (1a-c).

2c. Information leakage: The attacker in the source context is able to
obtain information from the target context.  This will be considered a
vulnerability in all cases in 1b and 1c.  It will only be considered a
vulnerability in the case of 1a if information obtained is considered
sensitive in and of itself: for example, host administrator passwords
or information about other users on the host.

In particular, information leakage from Xen, domain 0, or the
toolstack to an unprivileged guest will *not* be considered a
vulnerability unless there is a chance that that information may
contain information from a guest, or other sensitive information from
domain 0.  For instance, copying uninitialized data from Xen's stack
will generally be considered a vulnerability, because it may contain
stale guest data.  But if it can be shown that the data copied will
always be Xen-internal information (for instance, pointers or other
internal structures), then an advisory will not be issued.  This is
the case even if that information could be useful in making another
exploit more effective (for instance, if it exposed virtual addresses
of sensitive data structures).

3. The security team will only issue advisories for certain
configurations.  Bugs in Xen features listed as "experimental" or
"tech preview" will not have advisories issued for them.  Bugs in QEMU
will only have advisories issued when configured as described in
docs/misc/qemu-xen-security.

4. The security team will only issue an advisory if there is a known
combination of software in which the vulnerability can be exploited.

In most cases, the software which contains the bug is also the target
of the attack: that is, a bug in Xen allows an unprivileged user to
crash Xen, a bug in QEMU allows an unprivileged user to escalate its
privileges to that of the QEMU process.  In these cases "using Xen" or
"using QEMU" imples "being vulnerable".

But this is not always so: for instance, a bug in the Xen instruction
emulator might allow a guest user to attack the guest kernel, *if* the
guest kernel behaves in a certain way, but not if it behaves in other
ways.  In such a case, a bug will only be considered a vulnerability
if there are known operating systems on which the attack can be
executed.  If no operating system can be found which allows such an
attack, no advisory will be issued.

If a bug requires a vulnerable operating system to be exploitable, the
Xen Security Team will pro-actively investigate the vulnerability of
the following open-source operating systems: Linux, OpenBSD, FreeBSD,
and NetBSD.  The security team may also test or otherwise investigate
the vulnerability of some proprietary operating systems.

(An example of this scenario is XSA-176: There was a bug in the
handling of the pagetable PS bits for L3 and L4; but no known
operating systems were vulnerable to an exploit as a result of the
bug.  Under these guidelines, XSA-176 would not have been issued.)

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: RFC: Adding a section to the Xen security policy about what constitutes a vulnerability

[George Dunlap]

On Wed, Jan 4, 2017 at 12:36 PM, George Dunlap <george.dunlap@citrix.com> wrote:
> 4. The security team will only issue an advisory if there is a known
> combination of software in which the vulnerability can be exploited.
>
> In most cases, the software which contains the bug is also the target
> of the attack: that is, a bug in Xen allows an unprivileged user to
> crash Xen, a bug in QEMU allows an unprivileged user to escalate its
> privileges to that of the QEMU process.  In these cases "using Xen" or
> "using QEMU" imples "being vulnerable".
>
> But this is not always so: for instance, a bug in the Xen instruction
> emulator might allow a guest user to attack the guest kernel, *if* the
> guest kernel behaves in a certain way, but not if it behaves in other
> ways.  In such a case, a bug will only be considered a vulnerability
> if there are known operating systems on which the attack can be
> executed.  If no operating system can be found which allows such an
> attack, no advisory will be issued.
>
> If a bug requires a vulnerable operating system to be exploitable, the
> Xen Security Team will pro-actively investigate the vulnerability of
> the following open-source operating systems: Linux, OpenBSD, FreeBSD,
> and NetBSD.  The security team may also test or otherwise investigate
> the vulnerability of some proprietary operating systems.
>
> (An example of this scenario is XSA-176: There was a bug in the
> handling of the pagetable PS bits for L3 and L4; but no known
> operating systems were vulnerable to an exploit as a result of the
> bug.  Under these guidelines, XSA-176 would not have been issued.)

One thing to consider: This formulation would also exclude bugs in
libxl that weren't exploitable under either xl or libvirt (the only
known toolstacks that link against libxl).  I'm of two minds about
that restriction; and I'm not immediately sure what promise we would
make instead.  (Make an exception for libxl, perhaps?  Or specify that
it's only operating systems for which there must be a known example?)

 -George

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: RFC: Adding a section to the Xen security policy about what constitutes a vulnerability

[Jan Beulich]

>>> On 04.01.17 at 13:36, <george.dunlap@citrix.com> wrote:
> 4. The security team will only issue an advisory if there is a known
> combination of software in which the vulnerability can be exploited.
> 
> In most cases, the software which contains the bug is also the target
> of the attack: that is, a bug in Xen allows an unprivileged user to
> crash Xen, a bug in QEMU allows an unprivileged user to escalate its
> privileges to that of the QEMU process.  In these cases "using Xen" or
> "using QEMU" imples "being vulnerable".
> 
> But this is not always so: for instance, a bug in the Xen instruction
> emulator might allow a guest user to attack the guest kernel, *if* the
> guest kernel behaves in a certain way, but not if it behaves in other
> ways.  In such a case, a bug will only be considered a vulnerability
> if there are known operating systems on which the attack can be
> executed.  If no operating system can be found which allows such an
> attack, no advisory will be issued.

Both positively identifying an OS and proving a particular OS is
unaffected will be kind of hard for closed source OSes. Hence I
think ...

> If a bug requires a vulnerable operating system to be exploitable, the
> Xen Security Team will pro-actively investigate the vulnerability of
> the following open-source operating systems: Linux, OpenBSD, FreeBSD,
> and NetBSD.  The security team may also test or otherwise investigate
> the vulnerability of some proprietary operating systems.

... that for a bug to not be a vulnerability, at the very least
Windows would need to be proven to be unaffected. If in
doubt, an advisory should be issued.

Jan


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: RFC: Adding a section to the Xen security policy about what constitutes a vulnerability

[George Dunlap]

On Wed, Jan 4, 2017 at 1:16 PM, Jan Beulich <JBeulich@suse.com> wrote:
>>>> On 04.01.17 at 13:36, <george.dunlap@citrix.com> wrote:
>> 4. The security team will only issue an advisory if there is a known
>> combination of software in which the vulnerability can be exploited.
>>
>> In most cases, the software which contains the bug is also the target
>> of the attack: that is, a bug in Xen allows an unprivileged user to
>> crash Xen, a bug in QEMU allows an unprivileged user to escalate its
>> privileges to that of the QEMU process.  In these cases "using Xen" or
>> "using QEMU" imples "being vulnerable".
>>
>> But this is not always so: for instance, a bug in the Xen instruction
>> emulator might allow a guest user to attack the guest kernel, *if* the
>> guest kernel behaves in a certain way, but not if it behaves in other
>> ways.  In such a case, a bug will only be considered a vulnerability
>> if there are known operating systems on which the attack can be
>> executed.  If no operating system can be found which allows such an
>> attack, no advisory will be issued.
>
> Both positively identifying an OS and proving a particular OS is
> unaffected will be kind of hard for closed source OSes. Hence I
> think ...
>
>> If a bug requires a vulnerable operating system to be exploitable, the
>> Xen Security Team will pro-actively investigate the vulnerability of
>> the following open-source operating systems: Linux, OpenBSD, FreeBSD,
>> and NetBSD.  The security team may also test or otherwise investigate
>> the vulnerability of some proprietary operating systems.
>
> ... that for a bug to not be a vulnerability, at the very least
> Windows would need to be proven to be unaffected. If in
> doubt, an advisory should be issued.

Quite a bit about Windows' internals are understood, by people who
write drivers, by people who have access to the source code, by people
who observe Windows' behavior as a guest, and so on.  So I expect that
with the expertise of the organizations in the security team at the
moment, in practice we would have a pretty good idea whether Windows
would be vulnerable or not.  I just didn't want to make any promises,
since (as you say) we can't look at the source code ourselves.  I
think we should make a reasonable effort to ascertain whether Windows
is vulnerable; but I think we only need to be "reasonably certain"
that Windows is not vulnerable.

 -George

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: RFC: Adding a section to the Xen security policy about what constitutes a vulnerability

[Wei Liu]

On Wed, Jan 04, 2017 at 12:43:02PM +0000, George Dunlap wrote:
> On Wed, Jan 4, 2017 at 12:36 PM, George Dunlap <george.dunlap@citrix.com> wrote:
> > 4. The security team will only issue an advisory if there is a known
> > combination of software in which the vulnerability can be exploited.
> >
> > In most cases, the software which contains the bug is also the target
> > of the attack: that is, a bug in Xen allows an unprivileged user to
> > crash Xen, a bug in QEMU allows an unprivileged user to escalate its
> > privileges to that of the QEMU process.  In these cases "using Xen" or
> > "using QEMU" imples "being vulnerable".
> >
> > But this is not always so: for instance, a bug in the Xen instruction
> > emulator might allow a guest user to attack the guest kernel, *if* the
> > guest kernel behaves in a certain way, but not if it behaves in other
> > ways.  In such a case, a bug will only be considered a vulnerability
> > if there are known operating systems on which the attack can be
> > executed.  If no operating system can be found which allows such an
> > attack, no advisory will be issued.
> >
> > If a bug requires a vulnerable operating system to be exploitable, the
> > Xen Security Team will pro-actively investigate the vulnerability of
> > the following open-source operating systems: Linux, OpenBSD, FreeBSD,
> > and NetBSD.  The security team may also test or otherwise investigate
> > the vulnerability of some proprietary operating systems.
> >
> > (An example of this scenario is XSA-176: There was a bug in the
> > handling of the pagetable PS bits for L3 and L4; but no known
> > operating systems were vulnerable to an exploit as a result of the
> > bug.  Under these guidelines, XSA-176 would not have been issued.)
> 
> One thing to consider: This formulation would also exclude bugs in
> libxl that weren't exploitable under either xl or libvirt (the only
> known toolstacks that link against libxl).  I'm of two minds about
> that restriction; and I'm not immediately sure what promise we would
> make instead.  (Make an exception for libxl, perhaps?  Or specify that
> it's only operating systems for which there must be a known example?)
> 

FWIW I think restricting to known widely used open source toolstack (xl
and libvirt as of writing) is reasonable, given security team has
limited resources.

Wei.

>  -George
> 
> _______________________________________________
> Xen-devel mailing list
> Xen-devel@lists.xen.org
> https://lists.xen.org/xen-devel

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: RFC: Adding a section to the Xen security policy about what constitutes a vulnerability

[Stefano Stabellini]

On Wed, 4 Jan 2017, George Dunlap wrote:
> The Xen Security Team has dealt with a number of issues recently where
> it wasn't exactly clear whether we should issue an advisory or not:
> the Xen Security Response Process only mentiones "'vulnerabilities",
> without specifying what constitutes a vulnerability.
> 
> Issuing advisories has a cost: It costs the security team significant
> amounts of time to craft and send the advisories; it costs many of our
> downstreams time to apply, build, and test patches; and every advisory
> has the risk that it will be picked up and blown out of proportion by
> the media.  So we want to make sure to only issue advisories for
> issues that are worth the cost.
> 
> We would like guidelines from the community about what sorts of issues
> should be considered security issues (and thus will have advisories
> issued).  Below is a draft of a section I* am proposing to be added to
> the Xen Security Policy, just under the section "Specific Process".
> 
> Most of it is just encoding long-established practice.  But there are
> two key changes and / or clarifications that deserve attention and
> discussion: criteria 2c (leaking of mundane information will not be
> considered a security issue unless it may contain sensitive guest or
> user data), and 4 (if no known operating systems are vulnerable to a
> bug, no advisory will be issued).
> 
> Please give feedback.  Thanks!
> 
> * This has my own proposal; it is inspired by discussions the security
> team has had, but it has not been vetted by them.
> 
> ====
> 
> # Scope of vulnerabilities covered by this process
> 
> All security issues are bugs, but not all bugs are security issues.
> This section is meant to be a guide from the Xen community to the Xen
> security response team regarding which bugs should have advisories
> issued for them.  Discoverers are encouraged to err on the side of
> caution and report any potential vulnerabilities to the security team.
> These guidelines are not meant to be set in stone; if they do not fit
> your needs as a user, please raise the issue on xen-devel.
> 
> Every potential vulnerability will have a source context, an effect,
> and a target effect context.  For instance, a bug may allow a guest
> user (source context) to escalate their privileges (effect) to that of
> the guest kernel (target context); or it may allow a guest
> administrator (source context) to severely degrade the disk
> performance (effect) of another guest (target context).
> 
> Only the following source/target context pairs will be considered
> vulnerabilities:
> 
> 1a. The source is the guest userspace, guest kernel, or QEMU stubdomain,
> and the target is the hypervisor, dom0 and toolstack.
> 
> 1b. The source is the guest userspace, guest kernel, or QEMU
> stubdomain, and the target is another guest.
> 
> 1c. The source is guest userspace, and the target is the guest kernel,
> or other guest userspace processes.
> 
> This means, for instance, that bug which allows a guest kernel to
> perform a DoS on itself will not be considered a security
> vulnerability.  It also means, at the moment, that the security team
> will not issue advisories for highly disaggregated environments.
> 
> Only some effects are considered vulnerabilities; and whether they are
> vulnerabilities depends on the target context:
> 
> 2a. Privilege escalation: causing arbitrary code to be run in the target
> context.  This will be considered a vulnerability in all cases above (1a-c).
> 
> 2b. Denial of service: Causing termination of or significant
> degradation of performance in the target context.  This will be
> considered a vulnerability in all cases above (1a-c).
> 
> 2c. Information leakage: The attacker in the source context is able to
> obtain information from the target context.  This will be considered a
> vulnerability in all cases in 1b and 1c.  It will only be considered a
> vulnerability in the case of 1a if information obtained is considered
> sensitive in and of itself: for example, host administrator passwords
> or information about other users on the host.
> 
> In particular, information leakage from Xen, domain 0, or the
> toolstack to an unprivileged guest will *not* be considered a
> vulnerability unless there is a chance that that information may
> contain information from a guest, or other sensitive information from
> domain 0.  For instance, copying uninitialized data from Xen's stack
> will generally be considered a vulnerability, because it may contain
> stale guest data.  But if it can be shown that the data copied will
> always be Xen-internal information (for instance, pointers or other
> internal structures), then an advisory will not be issued.  This is
> the case even if that information could be useful in making another
> exploit more effective (for instance, if it exposed virtual addresses
> of sensitive data structures).
> 
> 3. The security team will only issue advisories for certain
> configurations.  Bugs in Xen features listed as "experimental" or
> "tech preview" will not have advisories issued for them.  Bugs in QEMU
> will only have advisories issued when configured as described in
> docs/misc/qemu-xen-security.
> 
> 4. The security team will only issue an advisory if there is a known
> combination of software in which the vulnerability can be exploited.

+1 on the whole doc, thanks George

I'd also like to point out that this wording also prevents theoretical
vulnerabilities, such as XSA-166, to turn into XSAs.


> In most cases, the software which contains the bug is also the target
> of the attack: that is, a bug in Xen allows an unprivileged user to
> crash Xen, a bug in QEMU allows an unprivileged user to escalate its
> privileges to that of the QEMU process.  In these cases "using Xen" or
> "using QEMU" imples "being vulnerable".
> 
> But this is not always so: for instance, a bug in the Xen instruction
> emulator might allow a guest user to attack the guest kernel, *if* the
> guest kernel behaves in a certain way, but not if it behaves in other
> ways.  In such a case, a bug will only be considered a vulnerability
> if there are known operating systems on which the attack can be
> executed.  If no operating system can be found which allows such an
> attack, no advisory will be issued.
> 
> If a bug requires a vulnerable operating system to be exploitable, the
> Xen Security Team will pro-actively investigate the vulnerability of
> the following open-source operating systems: Linux, OpenBSD, FreeBSD,
> and NetBSD.  The security team may also test or otherwise investigate
> the vulnerability of some proprietary operating systems.
> 
> (An example of this scenario is XSA-176: There was a bug in the
> handling of the pagetable PS bits for L3 and L4; but no known
> operating systems were vulnerable to an exploit as a result of the
> bug.  Under these guidelines, XSA-176 would not have been issued.)
> 
> _______________________________________________
> Xen-devel mailing list
> Xen-devel@lists.xen.org
> https://lists.xen.org/xen-devel
> 

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: RFC: Adding a section to the Xen security policy about what constitutes a vulnerability

[Ian Jackson]

George Dunlap writes ("[Xen-devel] RFC: Adding a section to the Xen security policy about what constitutes a vulnerability"):
> If a bug requires a vulnerable operating system to be exploitable, the
> Xen Security Team will pro-actively investigate the vulnerability of
> the following open-source operating systems: Linux, OpenBSD, FreeBSD,
> and NetBSD.  The security team may also test or otherwise investigate
> the vulnerability of some proprietary operating systems.

I like this whole document.

+1

I think the paragraph I quote above is the most difficult but it
strikes the right balance between what we can promise and what we
would like to deliver.

Ian.

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: RFC: Adding a section to the Xen security policy about what constitutes a vulnerability

[George Dunlap]

On Wed, Jan 4, 2017 at 2:48 PM, George Dunlap <george.dunlap@citrix.com> wrote:
> On Wed, Jan 4, 2017 at 1:16 PM, Jan Beulich <JBeulich@suse.com> wrote:
>>>>> On 04.01.17 at 13:36, <george.dunlap@citrix.com> wrote:
>>> 4. The security team will only issue an advisory if there is a known
>>> combination of software in which the vulnerability can be exploited.
>>>
>>> In most cases, the software which contains the bug is also the target
>>> of the attack: that is, a bug in Xen allows an unprivileged user to
>>> crash Xen, a bug in QEMU allows an unprivileged user to escalate its
>>> privileges to that of the QEMU process.  In these cases "using Xen" or
>>> "using QEMU" imples "being vulnerable".
>>>
>>> But this is not always so: for instance, a bug in the Xen instruction
>>> emulator might allow a guest user to attack the guest kernel, *if* the
>>> guest kernel behaves in a certain way, but not if it behaves in other
>>> ways.  In such a case, a bug will only be considered a vulnerability
>>> if there are known operating systems on which the attack can be
>>> executed.  If no operating system can be found which allows such an
>>> attack, no advisory will be issued.
>>
>> Both positively identifying an OS and proving a particular OS is
>> unaffected will be kind of hard for closed source OSes. Hence I
>> think ...
>>
>>> If a bug requires a vulnerable operating system to be exploitable, the
>>> Xen Security Team will pro-actively investigate the vulnerability of
>>> the following open-source operating systems: Linux, OpenBSD, FreeBSD,
>>> and NetBSD.  The security team may also test or otherwise investigate
>>> the vulnerability of some proprietary operating systems.
>>
>> ... that for a bug to not be a vulnerability, at the very least
>> Windows would need to be proven to be unaffected. If in
>> doubt, an advisory should be issued.
>
> Quite a bit about Windows' internals are understood, by people who
> write drivers, by people who have access to the source code, by people
> who observe Windows' behavior as a guest, and so on.  So I expect that
> with the expertise of the organizations in the security team at the
> moment, in practice we would have a pretty good idea whether Windows
> would be vulnerable or not.  I just didn't want to make any promises,
> since (as you say) we can't look at the source code ourselves.  I
> think we should make a reasonable effort to ascertain whether Windows
> is vulnerable; but I think we only need to be "reasonably certain"
> that Windows is not vulnerable.

I think so far the only concern raised.  I mainly worded it the way
that I did to "balance what we can promise and what we would like to
deliver" -- that is, it promises that we will look at open-source
operating systems, and implies that we will make a best-effort to look
at Windows as well.

Jan, are you happy with the wording the way it is?  If not, could you
make some concrete suggestions for how you think it could be improved?

Thanks,
 -George

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: RFC: Adding a section to the Xen security policy about what constitutes a vulnerability

[Jan Beulich]

>>> On 23.01.17 at 12:27, <george.dunlap@citrix.com> wrote:
> On Wed, Jan 4, 2017 at 2:48 PM, George Dunlap <george.dunlap@citrix.com> wrote:
>> On Wed, Jan 4, 2017 at 1:16 PM, Jan Beulich <JBeulich@suse.com> wrote:
>>>>>> On 04.01.17 at 13:36, <george.dunlap@citrix.com> wrote:
>>>> 4. The security team will only issue an advisory if there is a known
>>>> combination of software in which the vulnerability can be exploited.
>>>>
>>>> In most cases, the software which contains the bug is also the target
>>>> of the attack: that is, a bug in Xen allows an unprivileged user to
>>>> crash Xen, a bug in QEMU allows an unprivileged user to escalate its
>>>> privileges to that of the QEMU process.  In these cases "using Xen" or
>>>> "using QEMU" imples "being vulnerable".
>>>>
>>>> But this is not always so: for instance, a bug in the Xen instruction
>>>> emulator might allow a guest user to attack the guest kernel, *if* the
>>>> guest kernel behaves in a certain way, but not if it behaves in other
>>>> ways.  In such a case, a bug will only be considered a vulnerability
>>>> if there are known operating systems on which the attack can be
>>>> executed.  If no operating system can be found which allows such an
>>>> attack, no advisory will be issued.
>>>
>>> Both positively identifying an OS and proving a particular OS is
>>> unaffected will be kind of hard for closed source OSes. Hence I
>>> think ...
>>>
>>>> If a bug requires a vulnerable operating system to be exploitable, the
>>>> Xen Security Team will pro-actively investigate the vulnerability of
>>>> the following open-source operating systems: Linux, OpenBSD, FreeBSD,
>>>> and NetBSD.  The security team may also test or otherwise investigate
>>>> the vulnerability of some proprietary operating systems.
>>>
>>> ... that for a bug to not be a vulnerability, at the very least
>>> Windows would need to be proven to be unaffected. If in
>>> doubt, an advisory should be issued.
>>
>> Quite a bit about Windows' internals are understood, by people who
>> write drivers, by people who have access to the source code, by people
>> who observe Windows' behavior as a guest, and so on.  So I expect that
>> with the expertise of the organizations in the security team at the
>> moment, in practice we would have a pretty good idea whether Windows
>> would be vulnerable or not.  I just didn't want to make any promises,
>> since (as you say) we can't look at the source code ourselves.  I
>> think we should make a reasonable effort to ascertain whether Windows
>> is vulnerable; but I think we only need to be "reasonably certain"
>> that Windows is not vulnerable.
> 
> I think so far the only concern raised.  I mainly worded it the way
> that I did to "balance what we can promise and what we would like to
> deliver" -- that is, it promises that we will look at open-source
> operating systems, and implies that we will make a best-effort to look
> at Windows as well.
> 
> Jan, are you happy with the wording the way it is?  If not, could you
> make some concrete suggestions for how you think it could be improved?

"If a bug requires a vulnerable operating system to be exploitable, the
 Xen Security Team will pro-actively investigate the vulnerability of
 the following open-source operating systems: Linux, OpenBSD, FreeBSD,
 and NetBSD.  The security team will also test or otherwise investigate
 the vulnerability of supported Windows versions, and it may also do so
 for some other proprietary operating systems."

Jan


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: RFC: Adding a section to the Xen security policy about what constitutes a vulnerability

[Ian Jackson]

Jan Beulich writes ("Re: [Xen-devel] RFC: Adding a section to the Xen security policy about what constitutes a vulnerability"):
> "If a bug requires a vulnerable operating system to be exploitable, the
>  Xen Security Team will pro-actively investigate the vulnerability of
>  the following open-source operating systems: Linux, OpenBSD, FreeBSD,
>  and NetBSD.  The security team will also test or otherwise investigate
>  the vulnerability of supported Windows versions, and it may also do so
>  for some other proprietary operating systems."

I don't think we can promise to come up with a definitely conclusion
for any proprietary system, can we ?  Answering such a question for
Windows is not within our power because we don't have the source code.

The question, which the above text leaves unclear, is, what do we do
if we aren't sure whether there are configurations of Windows which
have the exposed behaviour.

Ian.

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: RFC: Adding a section to the Xen security policy about what constitutes a vulnerability

[Jan Beulich]

>>> On 24.01.17 at 12:33, <ian.jackson@eu.citrix.com> wrote:
> Jan Beulich writes ("Re: [Xen-devel] RFC: Adding a section to the Xen security 
> policy about what constitutes a vulnerability"):
>> "If a bug requires a vulnerable operating system to be exploitable, the
>>  Xen Security Team will pro-actively investigate the vulnerability of
>>  the following open-source operating systems: Linux, OpenBSD, FreeBSD,
>>  and NetBSD.  The security team will also test or otherwise investigate
>>  the vulnerability of supported Windows versions, and it may also do so
>>  for some other proprietary operating systems."
> 
> I don't think we can promise to come up with a definitely conclusion
> for any proprietary system, can we ?  Answering such a question for
> Windows is not within our power because we don't have the source code.

Well - see George's original mail, which the above was a reply to.
He has suggested that there's enough knowledge around.

> The question, which the above text leaves unclear, is, what do we do
> if we aren't sure whether there are configurations of Windows which
> have the exposed behaviour.

I think I had given my opinion on this in an earlier mail: If in doubt,
we ought to issue an advisory.

Jan


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: RFC: Adding a section to the Xen security policy about what constitutes a vulnerability

[George Dunlap]

> On Jan 24, 2017, at 11:43 AM, Jan Beulich <jbeulich@suse.com> wrote:
> 
>>>> On 24.01.17 at 12:33, <ian.jackson@eu.citrix.com> wrote:
>> Jan Beulich writes ("Re: [Xen-devel] RFC: Adding a section to the Xen security 
>> policy about what constitutes a vulnerability"):
>>> "If a bug requires a vulnerable operating system to be exploitable, the
>>> Xen Security Team will pro-actively investigate the vulnerability of
>>> the following open-source operating systems: Linux, OpenBSD, FreeBSD,
>>> and NetBSD.  The security team will also test or otherwise investigate
>>> the vulnerability of supported Windows versions, and it may also do so
>>> for some other proprietary operating systems."
>> 
>> I don't think we can promise to come up with a definitely conclusion
>> for any proprietary system, can we ?  Answering such a question for
>> Windows is not within our power because we don't have the source code.
> 
> Well - see George's original mail, which the above was a reply to.
> He has suggested that there's enough knowledge around.
> 
>> The question, which the above text leaves unclear, is, what do we do
>> if we aren't sure whether there are configurations of Windows which
>> have the exposed behaviour.
> 
> I think I had given my opinion on this in an earlier mail: If in doubt,
> we ought to issue an advisory.

And my response (in not so many words) was that the statement, “If in doubt we ought to issue an advisory” is too black-and-white, and (it seems to me) will probably always result in an advisory being issued; thus making the whole discussion moot.  

But perhaps we’re using the word “doubt” a bit differently.  In the case of XSA-176 and 192, for instance, would you have said that we had any doubts about whether Windows was vulnerable?

In any case, I don’t think the text as proposed promises to come up with a definite conclusion for *any* operating system; what it promises is to “test” or “investigate”.  I think that is certainly something we should be able to promise to do. 

 -George
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: RFC: Adding a section to the Xen security policy about what constitutes a vulnerability

[Jan Beulich]

>>> On 24.01.17 at 16:01, <George.Dunlap@citrix.com> wrote:

>> On Jan 24, 2017, at 11:43 AM, Jan Beulich <jbeulich@suse.com> wrote:
>> 
>>>>> On 24.01.17 at 12:33, <ian.jackson@eu.citrix.com> wrote:
>>> Jan Beulich writes ("Re: [Xen-devel] RFC: Adding a section to the Xen 
> security 
>>> policy about what constitutes a vulnerability"):
>>>> "If a bug requires a vulnerable operating system to be exploitable, the
>>>> Xen Security Team will pro-actively investigate the vulnerability of
>>>> the following open-source operating systems: Linux, OpenBSD, FreeBSD,
>>>> and NetBSD.  The security team will also test or otherwise investigate
>>>> the vulnerability of supported Windows versions, and it may also do so
>>>> for some other proprietary operating systems."
>>> 
>>> I don't think we can promise to come up with a definitely conclusion
>>> for any proprietary system, can we ?  Answering such a question for
>>> Windows is not within our power because we don't have the source code.
>> 
>> Well - see George's original mail, which the above was a reply to.
>> He has suggested that there's enough knowledge around.
>> 
>>> The question, which the above text leaves unclear, is, what do we do
>>> if we aren't sure whether there are configurations of Windows which
>>> have the exposed behaviour.
>> 
>> I think I had given my opinion on this in an earlier mail: If in doubt,
>> we ought to issue an advisory.
> 
> And my response (in not so many words) was that the statement, “If in doubt 
> we ought to issue an advisory” is too black-and-white, and (it seems to me) 
> will probably always result in an advisory being issued; thus making the 
> whole discussion moot.  
> 
> But perhaps we’re using the word “doubt” a bit differently.  In the case of 
> XSA-176 and 192, for instance, would you have said that we had any doubts 
> about whether Windows was vulnerable?

For 192 - no. For 176 I wouldn't be that sure.

> In any case, I don’t think the text as proposed promises to come up with a 
> definite conclusion for *any* operating system; what it promises is to “test” 
> or “investigate”.  I think that is certainly something we should be able to 
> promise to do. 

I agree, but I had got the impression that this was too little / weak
for Ian.

Jan

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: RFC: Adding a section to the Xen security policy about what constitutes a vulnerability

[George Dunlap]

> On Jan 24, 2017, at 3:08 PM, Jan Beulich <JBeulich@suse.com> wrote:
> 
>>>> On 24.01.17 at 16:01, <George.Dunlap@citrix.com> wrote:
> 
>>> On Jan 24, 2017, at 11:43 AM, Jan Beulich <jbeulich@suse.com> wrote:
>>> 
>>>>>> On 24.01.17 at 12:33, <ian.jackson@eu.citrix.com> wrote:
>>>> Jan Beulich writes ("Re: [Xen-devel] RFC: Adding a section to the Xen 
>> security 
>>>> policy about what constitutes a vulnerability"):
>>>>> "If a bug requires a vulnerable operating system to be exploitable, the
>>>>> Xen Security Team will pro-actively investigate the vulnerability of
>>>>> the following open-source operating systems: Linux, OpenBSD, FreeBSD,
>>>>> and NetBSD.  The security team will also test or otherwise investigate
>>>>> the vulnerability of supported Windows versions, and it may also do so
>>>>> for some other proprietary operating systems."
>>>> 
>>>> I don't think we can promise to come up with a definitely conclusion
>>>> for any proprietary system, can we ?  Answering such a question for
>>>> Windows is not within our power because we don't have the source code.
>>> 
>>> Well - see George's original mail, which the above was a reply to.
>>> He has suggested that there's enough knowledge around.
>>> 
>>>> The question, which the above text leaves unclear, is, what do we do
>>>> if we aren't sure whether there are configurations of Windows which
>>>> have the exposed behaviour.
>>> 
>>> I think I had given my opinion on this in an earlier mail: If in doubt,
>>> we ought to issue an advisory.
>> 
>> And my response (in not so many words) was that the statement, “If in doubt 
>> we ought to issue an advisory” is too black-and-white, and (it seems to me) 
>> will probably always result in an advisory being issued; thus making the 
>> whole discussion moot.  
>> 
>> But perhaps we’re using the word “doubt” a bit differently.  In the case of 
>> XSA-176 and 192, for instance, would you have said that we had any doubts 
>> about whether Windows was vulnerable?
> 
> For 192 - no. For 176 I wouldn't be that sure.

I guess it’s not really a fair question, as we didn’t really spend a lot of time investigating Windows because we were going to issue the advisory anyway.

I think under the above rule, for XSA-176, I think we would either want to have an answer from someone in MS, or we’d instrument a version of Xen to look for the PSE bit in L3 and L4 pagetables and run it through our regression test.  If there was no evidence of any of our tested versions of Windows setting the L4 PSE bit, or setting the L3 bit when 1G superpages were not advertized, I would be comfortable not issuing an advisory.  

On the other hand, if we really had no idea — we had no test to perform and we hadn’t been able to contact anyone from within MS, and it seemed like Windows might plausibly be vulnerable, then I would agree that issuing an advisory would make sense.

What do you think?

But I’m not immediately sure how to put such a guideline into words.

 -George
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: RFC: Adding a section to the Xen security policy about what constitutes a vulnerability

[Jan Beulich]

>>> On 24.01.17 at 17:33, <George.Dunlap@citrix.com> wrote:
>> On Jan 24, 2017, at 3:08 PM, Jan Beulich <JBeulich@suse.com> wrote:
>>>>> On 24.01.17 at 16:01, <George.Dunlap@citrix.com> wrote:
>>>> On Jan 24, 2017, at 11:43 AM, Jan Beulich <jbeulich@suse.com> wrote:
>>>>>>> On 24.01.17 at 12:33, <ian.jackson@eu.citrix.com> wrote:
>>>>> Jan Beulich writes ("Re: [Xen-devel] RFC: Adding a section to the Xen 
>>> security 
>>>>> policy about what constitutes a vulnerability"):
>>>>>> "If a bug requires a vulnerable operating system to be exploitable, the
>>>>>> Xen Security Team will pro-actively investigate the vulnerability of
>>>>>> the following open-source operating systems: Linux, OpenBSD, FreeBSD,
>>>>>> and NetBSD.  The security team will also test or otherwise investigate
>>>>>> the vulnerability of supported Windows versions, and it may also do so
>>>>>> for some other proprietary operating systems."
>>>>> 
>>>>> I don't think we can promise to come up with a definitely conclusion
>>>>> for any proprietary system, can we ?  Answering such a question for
>>>>> Windows is not within our power because we don't have the source code.
>>>> 
>>>> Well - see George's original mail, which the above was a reply to.
>>>> He has suggested that there's enough knowledge around.
>>>> 
>>>>> The question, which the above text leaves unclear, is, what do we do
>>>>> if we aren't sure whether there are configurations of Windows which
>>>>> have the exposed behaviour.
>>>> 
>>>> I think I had given my opinion on this in an earlier mail: If in doubt,
>>>> we ought to issue an advisory.
>>> 
>>> And my response (in not so many words) was that the statement, “If in doubt 
>>> we ought to issue an advisory” is too black-and-white, and (it seems to me) 
>>> will probably always result in an advisory being issued; thus making the 
>>> whole discussion moot.  
>>> 
>>> But perhaps we’re using the word “doubt” a bit differently.  In the case of 
>>> XSA-176 and 192, for instance, would you have said that we had any doubts 
>>> about whether Windows was vulnerable?
>> 
>> For 192 - no. For 176 I wouldn't be that sure.
> 
> I guess it’s not really a fair question, as we didn’t really spend a lot of 
> time investigating Windows because we were going to issue the advisory 
> anyway.
> 
> I think under the above rule, for XSA-176, I think we would either want to 
> have an answer from someone in MS, or we’d instrument a version of Xen to 
> look for the PSE bit in L3 and L4 pagetables and run it through our 
> regression test.  If there was no evidence of any of our tested versions of 
> Windows setting the L4 PSE bit, or setting the L3 bit when 1G superpages were 
> not advertized, I would be comfortable not issuing an advisory.  
> 
> On the other hand, if we really had no idea — we had no test to perform and 
> we hadn’t been able to contact anyone from within MS, and it seemed like 
> Windows might plausibly be vulnerable, then I would agree that issuing an 
> advisory would make sense.
> 
> What do you think?

Sounds all reasonable.

> But I’m not immediately sure how to put such a guideline into words.

Same here; all I really would like to avoid is for Windows (as
presumably the most relevant closed source OS we care
virtualizing) to be completely left out of the picture here.

Jan

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: RFC: Adding a section to the Xen security policy about what constitutes a vulnerability

[George Dunlap]

On Wed, Jan 25, 2017 at 8:40 AM, Jan Beulich <JBeulich@suse.com> wrote:
>>>> On 24.01.17 at 17:33, <George.Dunlap@citrix.com> wrote:
>>> On Jan 24, 2017, at 3:08 PM, Jan Beulich <JBeulich@suse.com> wrote:
>>>>>> On 24.01.17 at 16:01, <George.Dunlap@citrix.com> wrote:
>>>>> On Jan 24, 2017, at 11:43 AM, Jan Beulich <jbeulich@suse.com> wrote:
>>>>>>>> On 24.01.17 at 12:33, <ian.jackson@eu.citrix.com> wrote:
>>>>>> Jan Beulich writes ("Re: [Xen-devel] RFC: Adding a section to the Xen
>>>> security
>>>>>> policy about what constitutes a vulnerability"):
>>>>>>> "If a bug requires a vulnerable operating system to be exploitable, the
>>>>>>> Xen Security Team will pro-actively investigate the vulnerability of
>>>>>>> the following open-source operating systems: Linux, OpenBSD, FreeBSD,
>>>>>>> and NetBSD.  The security team will also test or otherwise investigate
>>>>>>> the vulnerability of supported Windows versions, and it may also do so
>>>>>>> for some other proprietary operating systems."
>>>>>>
>>>>>> I don't think we can promise to come up with a definitely conclusion
>>>>>> for any proprietary system, can we ?  Answering such a question for
>>>>>> Windows is not within our power because we don't have the source code.
>>>>>
>>>>> Well - see George's original mail, which the above was a reply to.
>>>>> He has suggested that there's enough knowledge around.
>>>>>
>>>>>> The question, which the above text leaves unclear, is, what do we do
>>>>>> if we aren't sure whether there are configurations of Windows which
>>>>>> have the exposed behaviour.
>>>>>
>>>>> I think I had given my opinion on this in an earlier mail: If in doubt,
>>>>> we ought to issue an advisory.
>>>>
>>>> And my response (in not so many words) was that the statement, “If in doubt
>>>> we ought to issue an advisory” is too black-and-white, and (it seems to me)
>>>> will probably always result in an advisory being issued; thus making the
>>>> whole discussion moot.
>>>>
>>>> But perhaps we’re using the word “doubt” a bit differently.  In the case of
>>>> XSA-176 and 192, for instance, would you have said that we had any doubts
>>>> about whether Windows was vulnerable?
>>>
>>> For 192 - no. For 176 I wouldn't be that sure.
>>
>> I guess it’s not really a fair question, as we didn’t really spend a lot of
>> time investigating Windows because we were going to issue the advisory
>> anyway.
>>
>> I think under the above rule, for XSA-176, I think we would either want to
>> have an answer from someone in MS, or we’d instrument a version of Xen to
>> look for the PSE bit in L3 and L4 pagetables and run it through our
>> regression test.  If there was no evidence of any of our tested versions of
>> Windows setting the L4 PSE bit, or setting the L3 bit when 1G superpages were
>> not advertized, I would be comfortable not issuing an advisory.
>>
>> On the other hand, if we really had no idea — we had no test to perform and
>> we hadn’t been able to contact anyone from within MS, and it seemed like
>> Windows might plausibly be vulnerable, then I would agree that issuing an
>> advisory would make sense.
>>
>> What do you think?
>
> Sounds all reasonable.
>
>> But I’m not immediately sure how to put such a guideline into words.
>
> Same here; all I really would like to avoid is for Windows (as
> presumably the most relevant closed source OS we care
> virtualizing) to be completely left out of the picture here.

OK, I've rewritten the section thus:

---

4. The security team will only issue an advisory if there is a known
combination of software in which the vulnerability can be exploited.

In most cases, the software which contains the bug is also the target
of the attack: that is, a bug in Xen allows an unprivileged user to
crash Xen, a bug in QEMU allows an unprivileged user to escalate its
privileges to that of the QEMU process.  In these cases "using Xen" or
"using QEMU" imples "being vunlerable".  But this is not always so:
for instance, a bug in the Xen instruction emulator might allow a
guest user to attack the guest kernel, *if* the guest kernel behaves
in a certain way, but not if it behaves in other ways.

In such a case, the Xen Security Team will pro-actively investigate
the vulnerability of the following open-source operating systems:
Linux, OpenBSD, FreeBSD, and NetBSD.  The security team will also make
an effort to investigate the vulnerability of Microsoft Windows.  If
we are reasonably certain that none of these operating systems are
vulnerable, and there are no other operating systems known to be
vulnerable, then no advisory will be issued.

(An example of this scenario is XSA-176: There was a bug in the
handling of the pagetable PS bits for L3 and L4; but no known
operating systems were vulnerable to an exploit as a result of the
bug.  Under these guidelines, XSA-176 would not have been issued.)

---

Essentially, the promise is that we will investigate Windows (along
with others), and issue an advisory unless we are "reasonably certain"
that none of them are vulnerable.

If there are no objections to this I'll write up a second version and
put it in a blog post in a few days here to make sure it gets broader
visibility within the community.

 -George

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: RFC: Adding a section to the Xen security policy about what constitutes a vulnerability

[Jan Beulich]

>>> On 31.01.17 at 16:11, <george.dunlap@citrix.com> wrote:
> OK, I've rewritten the section thus:
> 
> ---
> 
> 4. The security team will only issue an advisory if there is a known
> combination of software in which the vulnerability can be exploited.
> 
> In most cases, the software which contains the bug is also the target
> of the attack: that is, a bug in Xen allows an unprivileged user to
> crash Xen, a bug in QEMU allows an unprivileged user to escalate its
> privileges to that of the QEMU process.  In these cases "using Xen" or
> "using QEMU" imples "being vunlerable".  But this is not always so:
> for instance, a bug in the Xen instruction emulator might allow a
> guest user to attack the guest kernel, *if* the guest kernel behaves
> in a certain way, but not if it behaves in other ways.
> 
> In such a case, the Xen Security Team will pro-actively investigate
> the vulnerability of the following open-source operating systems:
> Linux, OpenBSD, FreeBSD, and NetBSD.  The security team will also make
> an effort to investigate the vulnerability of Microsoft Windows.  If
> we are reasonably certain that none of these operating systems are
> vulnerable, and there are no other operating systems known to be
> vulnerable, then no advisory will be issued.
> 
> (An example of this scenario is XSA-176: There was a bug in the
> handling of the pagetable PS bits for L3 and L4; but no known
> operating systems were vulnerable to an exploit as a result of the
> bug.  Under these guidelines, XSA-176 would not have been issued.)
> 
> ---
> 
> Essentially, the promise is that we will investigate Windows (along
> with others), and issue an advisory unless we are "reasonably certain"
> that none of them are vulnerable.
> 
> If there are no objections to this I'll write up a second version and
> put it in a blog post in a few days here to make sure it gets broader
> visibility within the community.

Thanks, looks good to me now.

Jan


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel