Xen

Xen 3.3.0 Available For Download

August 25, 2008 by Robin Wauters 1 Comment

A recent post on the Xen blog featured a proposed data sheet (PDF) for the (back then upcoming) Xen 3.3 release, which we said was in final testing stage in the beginning of this month. Now Xen 3.3.0 is here and ready for download, as reported by Heise Online.

The new version is also available as part of a package with a 2.6.18 kernel version of Linux as the host system, also known as Domain 0 (Dom0). According to Xen developers, the number of supported guest operating systems has grown and there are improvements in performance, the ACPI power management modes, and security functions such as using PVGrub instead of PYGrub. Xen 3.3.0 also has fewer limitations on moving running virtual machines from one physical system to another. This function, necessary for redundant fail over configurations and practical for server maintenance, has previously only been usable when the processors (and chipsets) running on the physical machines involved supported very similar hardware virtualization functions.

0wning Xen … In More Detail

August 25, 2008 by Kris Buytaert Leave a Comment

Over at her own blog, Joanna Rutkowska from Invisible Things has some updates on their findings about Xen security as we earlier reported.

Joanna argues that most of the attacks presented indeed require that the attacker first gains access to the Dom0 before he can launch the attacks but that doesn’t take away the severeness of the issues.

Other rootkits also require for the attacker to first gain root access before he can hide his toolset from the eyes of the administrator.

She continues to argue that other attacks already provide people with potential access from DomU to Dom0 via a virtual machine escape bug

But even there the attacker first has to gain root in the DomU before he can potentially climb up to Dom0

Still there’s a significant difference in gaining (root) access, and hiding the fact that you got it. But indeed neither of both should be possible

DataSheet Proposal for Xen 3.3 Hypervisor Published

August 19, 2008 by Robin Wauters 1 Comment

Stephen Spector published a post yesterday on the Xen blog featuring a proposed data sheet (PDF) for the upcoming Xen 3.3 release, which we said was in final testing stage in the beginning of this month.

Update 26 August: Xen 3.3.0 is available for download.

The complete list of new features in Xen 3.3 includes:

Performance and Scalability

CPUID Levelling
Shadow 3 Page Table Optimizations
EPT/NPT 2MB Page Support
Virtual Framebuffer Support for HVM Guests
PVSCSI — SCSI Support for PV Guests
Full 16-bit Emulation on Intel VT
Support for memory overcommit allowing more VMs per physical machine for some workloads

Security

PVGRUB Secure Replacement for PYGRUB
IO Emulation “stub domains” for HVM IO
Green Computing
Enhanced C & P State Power Management
Graphics Support
VT-d Device Pass-Through Support

Miscellaneous

Upgrade QEMU Version
Multi-Queue Support for Modern NICs
Removal of Domain Lock for PV Guests
Message Signalled Interrupts
Greatly improved precision for time-sensitive SMP VMs

XenSource

IBM launches the open-ovf project

August 14, 2008 by Kris Buytaert Leave a Comment

Scott Moser from IBM’s Systems Technology Group has released the first version of the open-ovf project. OVF is a standard packaging format for virtual machines and software appliances. The open-ovf project is seeking contributors and users to help establish OVF as a transparent and platform-neutral method for packaging virtual machine images.

The goal of open-ovf is to be able to deploy a single OVF package to either Xen or KVM.
Eventually expanding that list to include VMware, Hyper-V, and other platforms. For that goal they are looking at community contributions. A good start might be the qemu-img tool that already knows how to convert between different formats.

The Distributed Management Task Force (DMTF) has defined a vendor-neutral standard for packaging virtual appliances enabling automated installation, configuration and activation of any virtualization platform. The Open Virtual Machine Format (OVF) specification describes an open, secure, portable, efficient and extensible format for packaging

For a summary of OVF and the open source project, see the presentation from the recent Xen summit
The open-ovf project is hosted on sourceforge and the source code is available from it’s git repository

Should VMWare Watch Out For VirtualBox?

August 14, 2008 by Kris Buytaert 1 Comment

Or for a lot more?

IT Wire has a good introductory article about VirtualBox.

Sadly their introduction is a bit wrong in the details, as VirtualBox obviously is not “the only professional virtualisation solution that is freely available as open source software under the GNU General Public License (GPL.) Why this matters is because it’s truly free, as in freedom.”

Amongst others Xen is also fully GPL, and given its backing from both Citrix and most of the major Linux vendors it’s also professionally supported.

Also it also isn’t the only one that can run unmodified guests , both KVM and Xen can do this, given the these days standard VT hardware support. VirtualBox however does not need VT support (and neither did Qemu).

However, it’s still a fairly good introduction and keeping these remarks in mind it’s a good read, and it shows that VMWare should watch its back, and not just for VirtualBox

0wning Xen?

August 11, 2008 by Kris Buytaert 1 Comment

InvisibleThings.org posted some more details on their Xen Owning Trilogy session at last weeks Black Hat conference in Las Vegas.

Joanna Rutkowska and her crew gave a series of 3 talks discussing different potential security issues with Xen. With the VirtSec awareness growing this obviously is an important topic .

When quickly skimming trough the presentations the big question that arise is , how relevant is this all for a day to day production environment. Given the fact that some exploits assume you already root before you can install a stealth backdoor and others rely on specific hardware features that might or might not be available in your setup things might be that critical yet.

All 3 talks can be found on the Invisiblethingslab.com site

Virtualization.com will have a closer look at the discussed issues and we’ll be back with more detail later.