> How secure are Xen guests and hosts if a guest is compromised?
>
> Does the compromise of a guest be as a gateway to compromise both
> hosts and other guests?
dom0 (analogous to the "host" in other systems) must be protected by all 
reasonable means as it is able to compromise any other domain running on the 
system. This is also true for a domain which is given direct PCI hardware 
access e.g. to a network card (this is not the normal usecase). This is 
similar to protecting your root account or the administration terminal for 
essential network services.
The compromise (e.g. somebody escalating to root access) of an unprivileged 
domain should have no effect on the security of the rest of the system. 
Whilst it would give an attacker more scope to load malicious kernel modules 
in the guest in order to attack domain 0 and Xen, both of these are intended 
to be secure against this kind of attack.
The design intends that it is safe to deliberately give out root access to the 
owner of an unprivileged domain and to allow them to load customised kernels, 
etc. root compromise of a guest would be equivalent to this, and therefore 
should be isolated by design.
Cheers,
Mark
-- 
Dave: Just a question. What use is a unicyle with no seat? And no pedals!
Mark: To answer a question with a question: What use is a skateboard?
Dave: Skateboards have wheels.
Mark: My wheel has a wheel!
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users