qemu-devel

Re: [Rust-VMM] Requirements for out-of-process device emulation


From: Stefan Hajnoczi
Subject: Re: [Rust-VMM] Requirements for out-of-process device emulation
Date: Wed, 11 Nov 2020 11:17:46 +0000

On Mon, Oct 12, 2020 at 06:16:18PM +0100, Alex Bennée wrote:
> Stefan Hajnoczi <stefanha@redhat.com> writes:
> > Security
> > --------
> > The trust model
> > ```````````````
> > The VMM must not trust the device emulation program. This is key to
> > implementing privilege separation and the principle of least privilege.
> > If a compromised device emulation program is able to gain control of the
> > VMM then out-of-process device emulation has failed to provide isolation
> > between devices.
> >
> > The device emulation program must not trust the VMM to the extent that
> > this is possible. For example, it must validate inputs so that the VMM
> > cannot gain control of the device emulation process through memory
> > corruptions or other bugs. This makes it so that even if the VMM has
> > been compromised, access to device resources and associated system calls
> > still requires further compromising the device emulation process.
> 
> However in this model the guest intrinsically trusts device emulation
> because it currently has full access to the guest's address space. It
> would probably be worth making that explicit.
> 
> There are security models where the guest doesn't need to trust the VMM
> or particular device emulations.

Where do you see that assumption in the text?

BTW, shared guest memory access is optional in vhost-user. The protocol
allows the VMM to handle DMA accesses instead of granting the device
access to guest memory.

Stefan

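To make the "device must validate inputs from the VMM" requirement above concrete, here is an added example (not code from this thread or from any Rust-VMM crate) of the device-emulation side checking a VMM-supplied guest memory table and the descriptor addresses that later arrive over a virtqueue. The type and field names (`MemRegion`, `GuestMemoryMap`, `host_off`) are assumed for illustration.

```rust
// Added example: the device process treats the VMM's memory table and
// every guest address as untrusted input and bounds-checks both before
// any host memory is touched. Names here are illustrative assumptions.

#[derive(Debug, Clone, Copy, PartialEq)]
pub struct MemRegion {
    pub guest_addr: u64, // guest physical start of the region
    pub size: u64,       // region length in bytes
    pub host_off: u64,   // offset into the device's own backing mapping
}

#[derive(Debug, PartialEq)]
pub enum MapError { Empty, Overflow, Overlap }

pub struct GuestMemoryMap { regions: Vec<MemRegion> }

impl GuestMemoryMap {
    /// Reject a region table the device cannot use safely: zero-sized
    /// regions, ranges whose end wraps around, and overlapping ranges.
    pub fn new(mut regions: Vec<MemRegion>) -> Result<Self, MapError> {
        for r in &regions {
            if r.size == 0 { return Err(MapError::Empty); }
            if r.guest_addr.checked_add(r.size).is_none()
                || r.host_off.checked_add(r.size).is_none() {
                return Err(MapError::Overflow);
            }
        }
        regions.sort_by_key(|r| r.guest_addr);
        for w in regions.windows(2) {
            // Ends were already shown not to overflow above.
            if w[0].guest_addr + w[0].size > w[1].guest_addr {
                return Err(MapError::Overlap);
            }
        }
        Ok(Self { regions })
    }

    /// Translate a guest range (e.g. a descriptor's addr/len) to a host
    /// offset. Returns None unless the whole range lies inside one region,
    /// so a crafted descriptor can never index outside the mapping.
    pub fn translate(&self, gpa: u64, len: u64) -> Option<u64> {
        if len == 0 { return None; }
        let end = gpa.checked_add(len)?; // wrap-around is a rejection
        self.regions
            .iter()
            .find(|r| gpa >= r.guest_addr && end <= r.guest_addr + r.size)
            .map(|r| r.host_off + (gpa - r.guest_addr))
    }
}
```

A device that only ever dereferences offsets returned by `translate` cannot be steered into its own address space by a hostile VMM or guest, which is the isolation property the trust model asks for.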

