[HCoop-Discuss] Our ideal architecture?

Daniel Margolis dan at af0.net
Wed Jun 3 12:41:00 EDT 2009 

It's not clear to me what security benefits are conferred by OpenVZ over,
say, App Armor. As a jailing mechanism, OpenVZ seems useful, but it looks to
me (and I should say that I've not been paying much attention to Linux for a
few years now, so this is kind of a wild-ass guess) that the attack surface
presented by  sharing a kernel instance is a lot greater than that presented
by sharing a Xen host.

Unless I'm missing something, I don't see how OpenVZ mitigates kernel level
code execution vulns--since the guest kernel is the same as the host kernel,
if I can run code in the kernel context on a guest, I've owned the host,
right? In comparison, with Xen, if a guest is doing something (e.g.
listening on an interface, using a particular filesystem, etc) that exposes
a bug that leads to code execution, since the guest kernel is only used for
that guest, the attacker is (in theory) contained. (And your host's job is
to *only* be the virtualization host, to minimize attack surface.) Only Xen
bugs allow the guest to attack the host or other guests.

Not that paravirtualization solutions (e.g. VMWare) haven't had guest->host
code execution bugs in the past, but they're fairly rare (e.g.
http://secunia.com/advisories/26986/).

Note, though, that I'm probably going to retire my HCoop membership in the
near future, so while perhaps the above is of technical relevance, don't
take it to be my vote one way or another.

On Wed, Jun 3, 2009 at 7:12 AM, Ron Senykoff <freat at hcoop.net> wrote:

> It seems that Xen offers greater flexibility by allowing any guest OS. Yet
> in a paravirtualization mode it offers extremely low overhead. So it seems
> to me a natural path is use Xen paravirtualization for all core servers, and
> have the benefit of greater flexibility should we need it down the road.
> After all, one thing I dig about open source software is having choices.
> With Xen we don't sacrifice choice of OS.
>
> -Ron
>
>
> _______________________________________________
> HCoop-Discuss mailing list
> HCoop-Discuss at lists.hcoop.net
> https://lists.hcoop.net/listinfo/hcoop-discuss
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.hcoop.net/pipermail/hcoop-discuss/attachments/20090603/57ad3c5a/attachment.htm

More information about the HCoop-Discuss mailing list