
Qubes: security by virtualization


Posted May 6, 2010 21:53 UTC (Thu) by PaXTeam (guest, #24616)
In reply to: Qubes: security by virtualization by spotter
Parent article: Qubes: security by virtualization

> we note that kernel exploits are a way to exploit the system (kernel becomes part of the TCB).

Care to quote me that part from your paper? I was specifically looking for anything kernel bug/exploit related and found nothing, ditto for discussing what constitutes the TCB. Whenever you mention exploits it's always in the context of application (userland) exploits, never the kernel.

> if your threat model has to deal with kernel exploits[...]

Yours does, that's what I was trying to imply. There's nothing to prevent a userland exploit from going after a kernel bug next. In other words, your system wouldn't survive for long in the real world, quite the contrary to your claims ;).


Qubes: security by virtualization

Posted May 6, 2010 23:28 UTC (Thu) by spotter (subscriber, #12199)

I don't disagree; if I were to attack my system, I'd go after kernel bugs. But that's an attack against many systems, including much more complicated systems like SELinux. In my system there are ways to mitigate that problem (leverage a combination of OS containers and VMs, perhaps use VMs for persistent containers, and have a set of VMs to store a larger set of ephemeral containers), but that won't perfectly solve it and will also increase overhead (and as we note, at least in the final draft, ease of use and good security are always in tension).

It's actually not in that old tech report, nor in the final version being submitted to USENIX due to space constraints, but it was in intermediate versions and has always been in the talks I've given on it, where I basically stated up front that we were concerned about exploits like the run of PDF exploits, but if you are concerned about the kernel being exploited as well, that would need a different container approach, because containers don't provide isolated kernels.

so I'll agree with

Qubes: security by virtualization

Posted May 6, 2010 23:29 UTC (Thu) by spotter (subscriber, #12199)

"so I'll agree with" you on that point

Qubes: security by virtualization

Posted May 7, 2010 4:49 UTC (Fri) by spotter (subscriber, #12199)

Oh, and to answer your question: I don't see this in the tech report version (and the last sentence is probably going to be excised from the version being published at USENIX due to space), but in the version that was in my dissertation, I included this text:

"While VMs provide superior isolation, they suffer higher overhead due to running independent operating systems. This impacts performance and makes them less suited for ephemeral usage on account of their long startup times. However, Apiary can leverage them if one does not want to trust a single operating system kernel."
