On 01/08/2014 11:08 AM, Anca Emanuel wrote:
> No, until you demo something useful.

Well, they have a large amount of stuff showing how they've demonstrated VM isolation under a paravirtualizing hypervisor to separate out security zones on a single system. X11 is in one VM, some user applications are in another VM, other user applications have their own VM...

That's not entirely "useful" unless: 1) the VMs are substantially isolated--having (write) access to network, disk, and files is basically un-isolated; and 2) you can't accomplish the same at the kernel level.

If it were i.e. Minix, I'd say that a microkernel can easily apply its own security policies--essentially that's what Xen is, with full operating systems running as OS services; a uK would accomplish the same by having separate disk/FS/network services for different security domains. But we're not moving to Minix and we're not rewriting Linux as a microkernel; thus the concern of "what if you hacked the kernel?" is real.

The other concern is just how isolated are multi-VMs? The only real advantage is a kernel exploit doesn't show you the full memory space of the operating system. I guess that means your browser that's doing banking has memory mapped to domBankStuff that's not accessible by the kernel in domUntrustedBrowsing at all. But as far as system compromise goes, what kind of write access do you have? Can you write files to /home, shared across domains? Or what? Do you have different /home directories?

It's an interesting concept. The question, "Can we learn anything from this?" addresses the many questions starting with "Does this do anything useful?" and "How useful is that?" and then moving on to "Can we incorporate this and leverage it to any benefit?"

There's a reason why I don't just show up drooling over the "isolation" and "security" that virtualization provides: it sure does provide that when running 4 different server OSes on one host, but you start reducing the benefits when you break down the isolation. People's holy grail ideal of "we'll run a browser in this VM, and it can save files to your main home directory" is really pointless: if it can do that, why not just run it with all the other stuff? It obviously has compromising access to your stuff. So the question comes up: can we learn anything from this?

Even if we inspect it and come out with just the realization that all the "Security" provided in this model is illusory, that's something. I mean hell, even Microsoft created a bunch of chatter talking about how Vista was going to let you use Hyper-V to run some software in a "secure VM" instead of directly, on the same model. Sobering up to the realization that it's either A) a good idea or B) completely stupid and pointless would be enlightening.

> On Wed, Jan 8, 2014 at 6:02 PM, John Moser <john.r.mo...@gmail.com> wrote:
>> http://qubes-os.org/trac/wiki/QubesArchitecture
>>
>> This looks interesting. Can we learn anything from this?
>>
>> --
>> Ubuntu-devel-discuss mailing list
>> Ubuntu-devel-discuss@lists.ubuntu.com
>> Modify settings or unsubscribe at:
>> https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss