stubdomains vs dm_restric
Hi All.

I'm playing around with xen 4.12 on linux v5.

I have some Windows 10 domUs running in stubdomains. I was satisfied
with them, so far. In Xen 4.12 dm_restrict came into the game, and I'm
wondering which solution is more secure.

As per my current understanding, both solutions were mainly
invented to increase the security of HVMs (Windows guests).

Stubdomains at this stage, however, seem to be more mature and a better
approach for me.

Stubdomains are running a minios and that runs in a root process on the
host, while dm_restrict runs on the full-blown qemu but in non-root user
accounts.

I have a feeling that for a non-friendly guest, breaking out of a stubdomain
seems to be more complicated (having fewer attack vectors) than a dm_restrict.

Does anyone have some ideas, please?


--

Thomas Elias

ETIT[nwpro] Ltd, General Manager-Network security specialist

Tel. HU: +36/30-497-1626
OpenPGP pubkey: http://etit.hu/doc/et-pub.asc

Master of Science in Information Technology (MSC)
Licenced Penetration Tester (TM15-047)

Contact (Hungarian): http://etit.hu/index.php/hu/kapcsolat
Disclaimer (Hungarian): http://etit.hu/disclaimer-email-hu.txt
Contact: http://etit.hu/index.php/en/contact
Disclaimer: http://etit.hu/disclaimer-email-en.txt