none (yet) assigned



Disaggregated domain management security status

Xen supports disaggregation of various support and management functions into their own domains; this is often done for security and robustness reasons.

In Xen 4.3 additional functionality was introduced to allow further disaggregation: the Xen Security Modules mechanism was enhanced to make it possible to delegate various domain control hypercalls to particular other domains, rather than only permitting use by dom0.

However the several affected hypercall implementations were originally written to be used only by the totally-privileged dom0, and have not been reviewed for security when exposed to supposedly-only-semi-privileged disaggregated management domains. But such management domains are (in such a design) to be seen as potentially hostile, e.g. due to privilege escalation following exploitation of a bug in the management domain.

The affected hypercalls are:

The majority of the domctls are subject to this issue. Prior to 4.3, only the following domctls were disaggregatable, and they are NOT affected by these problems:

The implementations of these were written with semi-trusted callers in mind.

Only the following memory op subops are affected:

The remainder of the memory ops were written with untrusted or semi-trusted callers in mind.

现在Xen支持将不同hypercall的处理disaggregate到不同的management domain(而不是原来唯一的domain 0)。但是在这个设计中有些之前写好的hypercall只支持运行在totally-privileged dom0,而不能被运行在semi-privileged disaggragated management domain(否则会有privilege escalation的危险)。以上列举了相应的hypercall。

design error



ist interfaces subject to the security process exception in XSA-77

It is expected that these lists will be whittled away as each interface is audited for safety.



Domains deliberately given partial management control may be able to deny service to the entire host or even escalate their privileges.

DoS, privilege escalation