Tag Archives: XSA-196

What You Need to Know about Recent Xen Project Security Advisories

Today the Xen Project announced eight security advisories: XSA-191 to XSA-198. The bulk of these security advisories were discovered and fixed during the hardening phase of the Xen Project Hypervisor 4.8 release (expected to come out in early December). The Xen Project has implemented a security-first approach when publishing new releases.

In order to increase the security of future releases, members of the Xen Project Security Team and key contributors to the Xen Project actively search for and fix security bugs in code areas where vulnerabilities were found in past releases. The contributors use techniques such as code inspections, static code analysis, and additional testing using fuzzers such as American Fuzzy Lop. These fixes are then backported to older Xen Project releases with security support and published in bulk to make it easier for downstream consumers to apply security fixes.

Before we declare a new Xen Project feature as supported, we perform a security assessment (see “declare the Credit2 scheduler as supported”). In addition, the contributors focused on security have started crafting tests for each vulnerability and integrating them into our automated regression testing system, which runs regularly on all maintained versions of Xen. This ensures that the patch is applied to every version that is vulnerable, and also ensures that no bug is accidentally reintroduced as development continues.

The Xen Project’s mature and robust security response process is optimized for cloud environments and downstream Xen Project consumers to maximize fairness, effectiveness and transparency. This includes not publicly discussing any details with security implications during our embargo period. This encourages anyone to report bugs they find to the Xen Project Security Team, and allows the Xen Project Security Team to assess, respond, and prepare patches before public disclosure and broad compromise occurs.

During the embargo period, the Xen Project does not publicly discuss any details with security implications except:

  • when co-opting technical assistance from other parties;
  • when issuing a Xen Project Security Advisory (XSA). This is pre-disclosed only to members of the Xen Project Pre-Disclosure List (see www.xenproject.org/security-policy.html); and
  • when necessary to coordinate with other affected projects.

The Xen Project Security Team will assign and publicly release numbers for vulnerabilities. This is the only information that is shared publicly during the embargo period. See this URL for “XSA Advisories, Publicly Released or Pre-Released”: xenbits.xen.org/xsa.

Xen’s latest advisories, XSA-191, XSA-192, XSA-193, XSA-194, XSA-195, XSA-196, XSA-197 and XSA-198, can all be found here:

Any Xen-based public cloud is eligible to be on our “pre-disclosure” list. Cloud providers on the list were notified of the vulnerability and provided a patch two weeks before the public announcement in order to make sure they all had time to apply the patch to their servers.

Distributions and other major software vendors of Xen Project software were also given the patch in advance to make sure they had updated packages ready to download as soon as the vulnerability was announced. Private clouds and individuals are urged to apply the patch or update their packages as soon as possible.

All of the above XSAs that affect the hypervisor can be deployed using the Xen Project LivePatching functionality, which enables reboot-free deployment of security patches to minimize disruption and downtime during security upgrades for system administrators and DevOps practitioners. The Xen Project encourages its users to download these patches.

More information about the Xen Project’s Security Vulnerability Process, including the embargo and disclosure schedule, policies around embargoed information, information sharing among pre-disclosed list members, a list of pre-disclosure list members, and the application process to join the list, can be found at: www.xenproject.org/security-policy.html

Announcing Xen Summit Asia 2010 at Samsung Program Committee

I am pleased to introduce the Program Committee for Xen Summit Asia at Samsung:

  • Patrick Colp
  • Ian Pratt
  • Sang-bum Suh
  • Pradeep Padala
  • Chuck Yoo
  • Todd Deshane
  • Jun Nakajima
  • Eddie Dong
  • Dan Magenheimer
  • Hitoshi Matsumoto

I look forward to a great event this November in Seoul, Korea. I will be posting info on submitting topics later today.

XEN ARM Source Released

From xen-devel mailing list and Sang-bum from Samsung (http://markmail.org/thread/q5h6hpoplfwf6xjs):

I am happy to announce that I have updated the source code for the XenARM project. Sorry for the delay behind the release plan that I presented at Xen Summit Japan in November 2008. Please have a look at the newly added and updated sources at http://wiki.xensource.com/xenwiki/XenARM.

– Updated source code:
Xen on ARM VMM and mini OS.

– Newly released source code of:
Xen Tools, Xen Console, Para-virtualized Linux using Kernel version 2.6.21, Linux Native Device Drivers for Network, MTD, Serial, Video, and I2C, and Split Device Driver for keypad.

– FYI, Xen on ARM currently supports the following H/W and emulator environments using the ARM9 CPU:
Freescale i.MX21 Smartphone Hardware, and ARM Versatile Platform Board Emulator using QEMU v0.9.1 and uboot v1.3.4 from Minsung Jang at Georgia Tech.

Xen Summit Tokyo (Asia) – Sample Topics & Confirmed Companies/Universities

The following companies and universities are now confirmed for speaking at Xen Summit Tokyo:

  • Fujitsu, Citrix, VALinux, Samsung, Neterion, Google, NEC, NTT, Marathon, Oracle, & ITOCHU Techno-Solutions Corp.
  • National Research Center of Intelligent Computer Institute of Computing Technology Chinese Academy of Sciences, University of British Columbia, Keio Univ., The University of Tokyo, & University of Tsukuba

Here are some sample topics being presented next month at Xen Summit in Tokyo:

  • Rainbow: Capacity Oriented Virtualized Computing Framework for Virtualized Data Center
  • Services in the Virtualization Plane
  • Network Bandwidth Isolation
  • VMM-based Approach to Detecting Stealthy Keyloggers
  • Controlling System Calls and Protecting Application Data in Virtual Machines
  • Modernization of Kemari using HVM with PV Drivers
  • Practical application of Xen management API with Light Weight Language (Jruby)
  • Evaluation and consideration of the Credit Scheduler for client virtualization

If you have any questions on this event and need more information, please contact me soon as the event is next month.

Xen Summit Highlights

Over the next few days I will be putting out highlights from this year’s Xen Summit in Boston. Many interesting projects, concepts, and “Xen deployments” were presented, and I want to share some of these with you. I will also be setting up a new page on Xen.org that contains a list of active Xen development projects, to better allow the community to find interesting work to spend their time on.

I want to start my Xen Summit commentary by promoting Samsung’s announcement of the open-source release of the Xen port for the ARM processor. The project is now live and actively being tracked at http://wiki.xensource.com/xenwiki/XenARM, and a xen-arm mailing list is also available. Later today I will be posting the presentation from Samsung, along with the video, which includes a great demonstration of moving a DomU from one prototype mobile device to another, so be sure to check back on the Xen Summit tab on Xen.org.