| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 1 Jul 2009 16:02:38 -0700 (PDT) From: Dan Magenheimer <dan.magenheimer@...cle.com> To: Jeremy Fitzhardinge <jeremy@...p.org> Cc: Pavel Machek <pavel@....cz>, linux-kernel@...r.kernel.org, xen-devel@...ts.xensource.com, npiggin@...e.de, chris.mason@...cle.com, kurt.hackel@...cle.com, dave.mccracken@...cle.com, Avi Kivity <avi@...hat.com>, Rik van Riel <riel@...hat.com>, alan@...rguk.ukuu.org.uk, Rusty Russell <rusty@...tcorp.com.au>, Martin Schwidefsky <schwidefsky@...ibm.com>, akpm@...l.org, Marcelo Tosatti <mtosatti@...hat.com>, Balbir Singh <balbir@...ux.vnet.ibm.com>, tmem-devel@....oracle.com, sunil.mushran@...cle.com, linux-mm@...ck.org, Himanshu Raj <rhim@...rosoft.com>, Keir Fraser <keir.fraser@...citrix.com> Subject: RE: [RFC] transcendent memory for Linux > From: Jeremy Fitzhardinge [mailto:jeremy@...p.org] > On 06/30/09 14:21, Dan Magenheimer wrote: > > No, the uuid can't be verified. Tmem gives no indication > > as to whether a newly-created pool is already in use (shared) > > by another guest. So without both the 128-bit uuid and an > > already-in-use 64-bit object id and 32-bit page index, no data > > is readable or writable by the attacker. > > You have to consider things like timing attacks as well (for > example, a > tmem hypercall might return faster if the uuid already exists). > > Besides, you can tell whether a uuid exists, by at least a couple of > mechanisms (from a quick read of the source, so I might have > overlooked something): All of these still require a large number of guesses across a 128-bit space of possible uuids, right? It should be easy to implement "guess limits" in xen that disable tmem use by a guest if it fails too many guesses. I'm a bit more worried about: > You also have to consider the case of a domain which was once part of > the ocfs cluster, but now is not - it may still know the uuid, but not > be otherwise allowed to use the cluster. But on the other hand, the security model here can be that if a trusted entity becomes untrusted, you have to change the locks. > Yeah, a shared namespace of accessible objects is an entirely > new thing > in the Xen universe. I would also drop Xen support until > there's a good > security story about how they can be used. While I agree that the security is not bulletproof, I wonder if this position might be a bit extreme. Certainly, the NSA should not turn on tmem in a cluster, but that doesn't mean that nobody should be allowed to. I really suspect that there are less costly / more rewarding attack vectors at several layers in the hardware/software stack of most clusters. Dan -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists