Grsecurity and Virtualization
Posted: Sun May 17, 2015 5:25 pm
Hi Spender. In light of VENOM and your interesting comments on the limits of QEMU sandboxing I wanted to ask a few questions.
1) What is the most secure opensource hypervisor to use today? Its a loaded question so let me break it down further and explain. Isn't the KVM approach to moving as much emulation as possible into QEMU userspace preferable to the Xen pure PV approach of having device backends in the privileged VMM kernel? The reasoning is that at least with QEMU, exploit mitigation measures in userspace can make things harder even if a hole is found, while an exploit in Xen's VMM kernel with its many baked-in emulators ends the game?
http://www.gossamer-threads.com/lists/x ... 492#347492
http://xenbits.xen.org/xsa/advisory-105.html
CVE numbers suggest that Xen is no panacea when compared to QEMU-KVM.
http://www.cvedetails.com/vendor/6276/XEN.html
http://www.cvedetails.com/product/19922 ... ndor_id=25
http://www.cvedetails.com/vendor/7506/Qemu.html
2) Can Grsecurity on the host be used to harden QEMU-KVM and prevent any successful exploitation of the BO that is VENOM? This comment on the KVM mailing list suggests that KVM's design can't benefit from Grsecurity's protection.
3) If QEMU is successfully exploited, will Grsecurity be able to limit the resources available to an attacker compared to the lacking seccomp sandbox you mention? How much harder will it be to take over the host?
4) What is a foolproof security design to make virtualization safe in your opinion and is it something Grsecurity can do or have added?
Off-topic but will mainlining of your patches ever happen?
1) What is the most secure opensource hypervisor to use today? Its a loaded question so let me break it down further and explain. Isn't the KVM approach to moving as much emulation as possible into QEMU userspace preferable to the Xen pure PV approach of having device backends in the privileged VMM kernel? The reasoning is that at least with QEMU, exploit mitigation measures in userspace can make things harder even if a hole is found, while an exploit in Xen's VMM kernel with its many baked-in emulators ends the game?
http://www.gossamer-threads.com/lists/x ... 492#347492
http://xenbits.xen.org/xsa/advisory-105.html
CVE numbers suggest that Xen is no panacea when compared to QEMU-KVM.
http://www.cvedetails.com/vendor/6276/XEN.html
http://www.cvedetails.com/product/19922 ... ndor_id=25
http://www.cvedetails.com/vendor/7506/Qemu.html
2) Can Grsecurity on the host be used to harden QEMU-KVM and prevent any successful exploitation of the BO that is VENOM? This comment on the KVM mailing list suggests that KVM's design can't benefit from Grsecurity's protection.
3) If QEMU is successfully exploited, will Grsecurity be able to limit the resources available to an attacker compared to the lacking seccomp sandbox you mention? How much harder will it be to take over the host?
4) What is a foolproof security design to make virtualization safe in your opinion and is it something Grsecurity can do or have added?
Off-topic but will mainlining of your patches ever happen?