From: "Roger Pau Monné" <royger@gmail.com>
To: Tamas K Lengyel <tamas@tklengyel.com>
Cc: "Julien Grall" <julien.grall@arm.com>,
"Stefano Stabellini" <sstabellini@kernel.org>,
"Wei Liu" <wei.liu2@citrix.com>,
"Razvan Cojocaru" <rcojocaru@bitdefender.com>,
"Ross Philipson" <ross.philipson@gmail.com>,
"Jason Andryuk" <jandryuk@gmail.com>,
"Daniel Smith" <dpsmith@apertussolutions.com>,
"Andrew Cooper" <andrew.cooper3@citrix.com>,
"Konrad Rzeszutek Wilk" <konrad.wilk@oracle.com>,
"Tim Deegan" <tim@xen.org>,
"Christopher Clark" <christopher.w.clark@gmail.com>,
"James McKenzie" <voreekf@madingley.org>,
"George Dunlap" <George.Dunlap@eu.citrix.com>,
"Rich Persaud" <persaur@gmail.com>,
"Paul Durrant" <paul.durrant@citrix.com>,
"Jan Beulich" <JBeulich@suse.com>,
"eric chanudet" <eric.chanudet@gmail.com>,
xen-devel <xen-devel@lists.xenproject.org>,
"Ian Jackson" <Ian.Jackson@eu.citrix.com>,
"Roger Pau Monné" <roger.pau@citrix.com>
Subject: Re: [PATCH 13/25] argo: implement the register op
Date: Wed, 9 Jan 2019 17:59:52 +0100 [thread overview]
Message-ID: <CAPLaKK68W40=rZhAQKugQfZbhv7dtouJiX7=aLKBGrz9tpT-ag@mail.gmail.com> (raw)
In-Reply-To: <CABfawhnA1-7DjCQTY_7Ddy32nB4wDQZV35oSm567kt+tmnDkCQ@mail.gmail.com>
On Wed, Jan 9, 2019 at 5:51 PM Tamas K Lengyel <tamas@tklengyel.com> wrote:
>
> On Wed, Jan 9, 2019 at 9:48 AM Razvan Cojocaru
> <rcojocaru@bitdefender.com> wrote:
> >
> > On 1/9/19 6:34 PM, Roger Pau Monné wrote:
> > >>>>> Maybe this is use-case is different, but how does introspection handle
> > >>>>> accesses to the shared info page or the runstate info for example?
> > >>>>>
> > >>>>> I would consider argo to be the same in this regard.
> > >>>>
> > >>>> Not exactly: The shared info page is special in any event. For
> > >>>> runstate info (and alike - there's also struct vcpu_time_info)
> > >>>> I'd question correctness of the current handling. If that's
> > >>>> wrong already, I'd prefer if the issue wasn't spread.
> > >>>
> > >>> There are also grants, which when used together with another guest on
> > >>> the same host could allow to bypass introspection AFAICT? (unless
> > >>> there's some policy applied that limit grant sharing to trusted
> > >>> domains)
> > >>>
> > >>> TBH I'm not sure how to handle hypoervisor accesses with
> > >>> introspection. My knowledge of introspection is fairly limited, but
> > >>> it pauses the guest and sends a notification to an in guest agent. I'm
> > >>> not sure this is applicable to hypervisor writes, since it's not
> > >>> possible to pause hypervisor execution and wait for a response from a
> > >>> guest agent.
> > >>>
> > >>
> > >> Introspection applications only care about memory accesses performed
> > >> by the guest. Hypervisor accesses to monitored pages are not included
> > >> when monitoring - it is actually a feature when using the emulator in
> > >> Xen to continue guest execution because the hypervisor ignores EPT
> > >> memory permissions that trip the guest for introspection. So having
> > >> the hypervisor access memory or a grant-shared page being accessed in
> > >> another domain are not a problem for introspection.
> > >
> > > Can't then two guests running on the same host be able to completely
> > > bypass introspection? I guess you prevent this by limiting to which
> > > guests pages can be shared?
> >
> > Would these two guests be HVM guests? Introspection only works for HVM
> > guests. I'm not sure I follow your scenario though. How would these
> > guests collaborate to escape introspection via grants?
>
> If there are two domains acting maliciously in concert to bypass
> monitoring of memory writes they could achieve that with grants, yes.
> Say a write-monitored page is grant-shared to another domain, which
> then does the write on behalf of the first. I wouldn't say that's
> "completely bypassing introspection" though, there are many types of
> events that can be monitored, write-accesses are only one. I'm not
> aware of any mechanism that can be used to limit which pages can be
> shared but you can use XSM to restrict which domains can share pages
> to begin with. That's normally enough.
Yes, I assumed that would be the way to protect against such attacks,
ie: limiting to which guests pages can be shared. I think just making
sure the right access checks are placed in XSM (just like they are for
grants) should be enough.
Thanks, Roger.
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel
next prev parent reply other threads:[~2019-01-09 17:00 UTC|newest]
Thread overview: 111+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-12-01 1:32 [PATCH 00/25] Argo: hypervisor-mediated interdomain communication Christopher Clark
2018-12-01 1:32 ` [PATCH 01/25] xen/evtchn: expose evtchn_bind_ipi_vcpu0_domain for use within Xen Christopher Clark
2018-12-03 16:20 ` Jan Beulich
2018-12-04 9:17 ` Christopher Clark
2018-12-01 1:32 ` [PATCH 02/25] argo: Introduce the Kconfig option to govern inclusion of Argo Christopher Clark
2018-12-03 15:51 ` Jan Beulich
2018-12-04 9:12 ` Christopher Clark
2018-12-01 1:32 ` [PATCH 03/25] argo: introduce the argo_message_op hypercall boilerplate Christopher Clark
2018-12-04 9:44 ` Paul Durrant
2018-12-20 5:13 ` Christopher Clark
2018-12-01 1:32 ` [PATCH 04/25] argo: define argo_dprintk for subsystem debugging Christopher Clark
2018-12-03 15:59 ` Jan Beulich
2018-12-01 1:32 ` [PATCH 05/25] argo: Add initial argo_init and argo_destroy Christopher Clark
2018-12-04 9:12 ` Paul Durrant
2018-12-13 13:16 ` Jan Beulich
2018-12-01 1:32 ` [PATCH 06/25] argo: Xen command line parameter 'argo': bool to enable/disable Christopher Clark
2018-12-04 9:18 ` Paul Durrant
2018-12-04 11:35 ` Jan Beulich
2018-12-01 1:32 ` [PATCH 07/25] xen (ARM, x86): add errno-returning functions for copy Christopher Clark
2018-12-04 9:35 ` Paul Durrant
2018-12-12 16:01 ` Roger Pau Monné
2018-12-20 5:16 ` Christopher Clark
2018-12-20 8:45 ` Jan Beulich
2018-12-20 12:57 ` Roger Pau Monné
2018-12-01 1:32 ` [PATCH 08/25] xen: define XEN_GUEST_HANDLE_NULL as null XEN_GUEST_HANDLE Christopher Clark
2018-12-04 11:39 ` Jan Beulich
2018-12-01 1:32 ` [PATCH 09/25] errno: add POSIX error codes EMSGSIZE, ECONNREFUSED to the ABI Christopher Clark
2018-12-03 15:42 ` Jan Beulich
2018-12-04 9:10 ` Christopher Clark
2018-12-04 10:04 ` Jan Beulich
2018-12-01 1:32 ` [PATCH 10/25] arm: introduce guest_handle_for_field() Christopher Clark
2018-12-04 9:46 ` Paul Durrant
2018-12-01 1:32 ` [PATCH 11/25] xsm, argo: XSM control for argo register operation, argo_mac bootparam Christopher Clark
2018-12-04 9:52 ` Paul Durrant
2018-12-20 5:19 ` Christopher Clark
2018-12-01 1:32 ` [PATCH 12/25] xsm, argo: XSM control for argo message send operation Christopher Clark
2018-12-04 9:53 ` Paul Durrant
2018-12-01 1:32 ` [PATCH 13/25] argo: implement the register op Christopher Clark
2018-12-02 20:10 ` Julien Grall
2018-12-04 9:08 ` Christopher Clark
2018-12-05 17:20 ` Julien Grall
2018-12-05 22:35 ` Christopher Clark
2018-12-11 13:51 ` Julien Grall
2018-12-04 10:57 ` Paul Durrant
2018-12-12 9:48 ` Jan Beulich
2018-12-20 5:29 ` Christopher Clark
2018-12-20 8:29 ` Jan Beulich
2018-12-21 1:25 ` Christopher Clark
2018-12-21 7:28 ` Jan Beulich
2018-12-21 8:16 ` Christopher Clark
2018-12-21 8:53 ` Jan Beulich
2018-12-21 23:28 ` Christopher Clark
2018-12-12 16:47 ` Roger Pau Monné
2018-12-20 5:41 ` Christopher Clark
2018-12-20 8:51 ` Jan Beulich
2018-12-20 12:52 ` Roger Pau Monné
2018-12-21 23:05 ` Christopher Clark
2019-01-04 8:57 ` Roger Pau Monné
2019-01-04 13:22 ` Jan Beulich
2019-01-04 15:35 ` Roger Pau Monné
2019-01-04 15:47 ` Jan Beulich
2019-01-07 9:00 ` Roger Pau Monné
2019-01-09 16:15 ` Tamas K Lengyel
2019-01-09 16:23 ` Razvan Cojocaru
2019-01-09 16:34 ` Roger Pau Monné
2019-01-09 16:48 ` Razvan Cojocaru
2019-01-09 16:50 ` Tamas K Lengyel
2019-01-09 16:59 ` Roger Pau Monné [this message]
2019-01-09 17:03 ` Fwd: " Roger Pau Monné
2019-01-09 17:03 ` Razvan Cojocaru
2018-12-01 1:32 ` [PATCH 14/25] argo: implement the unregister op Christopher Clark
2018-12-04 11:10 ` Paul Durrant
2018-12-12 9:51 ` Jan Beulich
2018-12-01 1:32 ` [PATCH 15/25] argo: implement the sendv op Christopher Clark
2018-12-04 11:22 ` Paul Durrant
2018-12-12 11:52 ` Jan Beulich
2018-12-20 5:58 ` Christopher Clark
2018-12-20 8:33 ` Jan Beulich
2019-01-04 8:13 ` Christopher Clark
2019-01-04 8:43 ` Roger Pau Monné
2019-01-04 13:37 ` Jan Beulich
2019-01-07 20:54 ` Christopher Clark
2018-12-01 1:32 ` [PATCH 16/25] argo: implement the notify op Christopher Clark
2018-12-13 14:06 ` Jan Beulich
2018-12-20 6:12 ` Christopher Clark
2018-12-20 8:39 ` Jan Beulich
2018-12-01 1:32 ` [PATCH 17/25] xsm, argo: XSM control for any access to argo by a domain Christopher Clark
2018-12-01 1:32 ` [PATCH 18/25] argo: limit the max number of rings that a domain may register Christopher Clark
2018-12-13 14:08 ` Jan Beulich
2018-12-01 1:32 ` [PATCH 19/25] argo: limit the max number of notify requests in a single operation Christopher Clark
2018-12-01 1:32 ` [PATCH 20/25] argo, xsm: notify: don't describe rings that cannot be sent to Christopher Clark
2018-12-01 1:33 ` [PATCH 21/25] argo: add array_index_nospec to guard the result of the hash func Christopher Clark
2018-12-13 14:10 ` Jan Beulich
2018-12-01 1:33 ` [PATCH 22/25] xen/evtchn: expose send_guest_global_virq for use within Xen Christopher Clark
2018-12-13 14:12 ` Jan Beulich
2018-12-01 1:33 ` [PATCH 23/25] argo: signal x86 HVM and ARM via VIRQ Christopher Clark
2018-12-02 19:55 ` Julien Grall
2018-12-04 9:03 ` Christopher Clark
2018-12-04 9:16 ` Paul Durrant
2018-12-12 14:49 ` James
2018-12-11 14:15 ` Julien Grall
2018-12-13 14:16 ` Jan Beulich
2018-12-20 6:20 ` Christopher Clark
2018-12-01 1:33 ` [PATCH 24/25] argo: unmap rings on suspend and send signal to ring-owners on resume Christopher Clark
2018-12-13 14:26 ` Jan Beulich
2018-12-20 6:25 ` Christopher Clark
2018-12-01 1:33 ` [PATCH 25/25] argo: implement the get_config op to query notification config Christopher Clark
2018-12-13 14:32 ` Jan Beulich
2018-12-03 16:49 ` [PATCH 00/25] Argo: hypervisor-mediated interdomain communication Chris Patterson
2018-12-04 9:00 ` Christopher Clark
2018-12-11 22:13 ` Chris Patterson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAPLaKK68W40=rZhAQKugQfZbhv7dtouJiX7=aLKBGrz9tpT-ag@mail.gmail.com' \
--to=royger@gmail.com \
--cc=George.Dunlap@eu.citrix.com \
--cc=Ian.Jackson@eu.citrix.com \
--cc=JBeulich@suse.com \
--cc=andrew.cooper3@citrix.com \
--cc=christopher.w.clark@gmail.com \
--cc=dpsmith@apertussolutions.com \
--cc=eric.chanudet@gmail.com \
--cc=jandryuk@gmail.com \
--cc=julien.grall@arm.com \
--cc=konrad.wilk@oracle.com \
--cc=paul.durrant@citrix.com \
--cc=persaur@gmail.com \
--cc=rcojocaru@bitdefender.com \
--cc=roger.pau@citrix.com \
--cc=ross.philipson@gmail.com \
--cc=sstabellini@kernel.org \
--cc=tamas@tklengyel.com \
--cc=tim@xen.org \
--cc=voreekf@madingley.org \
--cc=wei.liu2@citrix.com \
--cc=xen-devel@lists.xenproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).