Re: Xen Security Advisory 254 - Information leak via side effects of speculative execution

George Dunlap
On 01/03/2018 10:30 PM, Xen.org security team wrote:

> VULNERABLE SYSTEMS
> ==================
>
> Systems running all versions of Xen are affected.
>
> For SP1 and SP2, both Intel and AMD are vulnerable.
>
> For SP3, only Intel processors are vulnerable. Furthermore, only
> 64-bit PV guests can exploit SP3 against Xen.  PVH and 32-bit PV
> guests cannot exploit SP3.
>
> We believe that ARM is affected, but unfortunately due to the
> accelerated schedule, we haven't been able to get concrete input from
> ARM.  We are asking ARM and will publish more information when it is
> available.

There was a question about devicemodel stub domains.  Devicemodel stub
domains run in PV mode, so is it still safer to run device models in a
stub domain than in domain 0?

The short answer is, yes, it is still safer to run stub domains than
otherwise.

If an attacker can gain control of the device model running in a stub
domain, it can indeed attempt to use these processor vulnerabilities to
read information from Xen.

However, if an attacker can gain control of a device model running in
domain 0 without deprivileging, the attacker can gain control of the
entire system.  Even with qemu deprivileging, the qemu process may be
able to execute speculative execution attacks against the hypervisor.

So although XSA-254 does affect device model stub domains, they are
still safer than not running with a stub domain.

 -George

_______________________________________________
Xen-users mailing list
https://lists.xenproject.org/mailman/listinfo/xen-users