On 25/03/2022 22:42, Chris Cappuccio wrote:
> Demi Marie Obenour [d...@invisiblethingslab.com] wrote:
>> Linux's netfront and blkfront drivers recently had a security
>> vulnerability (XSA-396) that allowed a malicious backend to potentially
>> compromise them. In follow-up audits, I found that OpenBSD's xnf(4)
>> currently trusts the backend domain. I reported this privately to Theo
>> de Raadt, who indicated that OpenBSD does not consider this to be a
>> security concern.
>>
> A malicious backend could completely compromise the virtual host in an
> infinite number of ways.
Xen PV front/back pairs have had far better security properties/guarantees for longer than virtio has existed. Under the Xen architecture, the backend has never had the ability to "DMA" to areas which aren't explicitly permitted by the frontend. If a frontend handles its grants correctly, then it need only trust Xen but not the backend for any problems beyond "backend refuses to transmit data".

The backend can of course cease transmitting data. That's mitigated with market pressures of "OK I'll take my credit card elsewhere". Data integrity issues can be mitigated by using encryption techniques.

With the advent of encrypted VM technologies (AMD SEV-SNP, Intel TXT) the VM need not trust Xen any further than "will continue to schedule you" which equally is mitigated with market pressures related to money.

~Andrew
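The argument above hinges on the frontend "handling its grants correctly": everything the backend writes into the shared ring is attacker-controlled, so the frontend must validate it against its own private bookkeeping before acting on it, and must never reuse a page whose grant it could not revoke. The following is an added illustration, not code from the thread, from xnf(4), or from Linux netfront/blkfront. It is a constructed, self-contained model: `struct ring_rsp`, `struct frontend`, `end_foreign_access()` and `backend_still_maps[]` are hypothetical stand-ins for a PV ring response, the driver's private state and a grant-revocation call, and the responses fed in at the end are constructed samples of what a hostile backend could write.

```c
/* Constructed model of a Xen PV frontend consuming backend responses.
 * Hypothetical names throughout; not xnf(4), netfront or blkfront code. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define RING_SIZE 16u

/* One response slot in the shared ring. The backend writes it, so every
 * field must be treated as hostile input. */
struct ring_rsp {
    uint16_t id;      /* request id the backend claims to complete */
    int16_t  status;  /* <0 error, >=0 success */
    uint32_t len;     /* bytes the backend claims it wrote into the granted buffer */
};

/* Frontend-private state in ordinary, ungranted memory: the backend has
 * no mapping of it and cannot tamper with it. */
struct frontend {
    bool     in_flight[RING_SIZE];   /* id handed to backend, not yet completed */
    bool     quarantined[RING_SIZE]; /* grant could not be revoked: id retired, page leaked */
    uint32_t buf_len[RING_SIZE];     /* size of the buffer granted under this id */
    unsigned completed;
    unsigned rejected;
};

enum rsp_verdict {
    RSP_OK, RSP_BAD_ID, RSP_NOT_IN_FLIGHT, RSP_BAD_LEN, RSP_GRANT_STILL_MAPPED
};

/* Hypothetical grant-table hook standing in for a gnttab_end_foreign_access-
 * style call. The simulated backend "still maps" any id flagged here. */
static bool backend_still_maps[RING_SIZE];

static bool end_foreign_access(unsigned id)
{
    return !backend_still_maps[id];   /* true: grant revoked, page safe to reuse */
}

void frontend_init(struct frontend *fe)
{
    *fe = (struct frontend){0};
}

/* Record a request in private state before its id goes on the ring. */
bool frontend_submit(struct frontend *fe, unsigned id, uint32_t buf_len)
{
    if (id >= RING_SIZE || fe->in_flight[id] || fe->quarantined[id])
        return false;
    fe->in_flight[id] = true;
    fe->buf_len[id] = buf_len;
    return true;
}

enum rsp_verdict frontend_handle_rsp(struct frontend *fe,
                                     const volatile struct ring_rsp *slot)
{
    /* Snapshot the slot once: the backend can rewrite shared memory between
     * our checks and our use, so never re-read it. */
    struct ring_rsp r = { slot->id, slot->status, slot->len };

    /* Index into private arrays only with an id we validated ourselves. */
    if (r.id >= RING_SIZE)          { fe->rejected++; return RSP_BAD_ID; }
    if (!fe->in_flight[r.id])       { fe->rejected++; return RSP_NOT_IN_FLIGHT; }
    /* A successful completion may not claim more bytes than we granted.
     * The slot stays in flight; a real driver would disconnect here. */
    if (r.status >= 0 && r.len > fe->buf_len[r.id]) {
        fe->rejected++;
        return RSP_BAD_LEN;
    }

    if (!end_foreign_access(r.id)) {
        /* Backend still maps the page: leak it and retire the id rather
         * than hand memory the backend can still write back to the allocator. */
        fe->quarantined[r.id] = true;
        fe->in_flight[r.id] = false;
        fe->rejected++;
        return RSP_GRANT_STILL_MAPPED;
    }

    fe->in_flight[r.id] = false;
    fe->completed++;
    return RSP_OK;
}

int main(void)
{
    struct frontend fe;
    frontend_init(&fe);
    frontend_submit(&fe, 3, 1514);
    frontend_submit(&fe, 4, 1514);
    backend_still_maps[4] = true;   /* constructed: backend keeps id 4's page mapped */

    /* Constructed responses a hostile backend might place on the ring. */
    struct ring_rsp ring[] = {
        { .id = 3,   .status = 0, .len = 64   },  /* legitimate completion */
        { .id = 3,   .status = 0, .len = 64   },  /* replayed id: double completion */
        { .id = 200, .status = 0, .len = 1    },  /* id outside the ring */
        { .id = 4,   .status = 0, .len = 1514 },  /* length fine, grant not revocable */
    };
    for (size_t i = 0; i < sizeof ring / sizeof ring[0]; i++)
        printf("rsp %zu -> verdict %d\n", i, frontend_handle_rsp(&fe, &ring[i]));
    printf("completed=%u rejected=%u\n", fe.completed, fe.rejected);
    return 0;
}
```

The point of the model is where the trust boundary sits: the only data read from shared memory is copied out once and then checked against state the backend cannot reach, and a grant that cannot be revoked is treated as a permanently lost page, which is exactly the discipline that lets a frontend rely on Xen rather than on the backend.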