Xen and Vulnerabilities
All of the kernel security enhancements in the ASL kernel work with Xen, except for two. Specifically, Xen does not support KERNEXEC and UDEREF (explained in more detail below), and ASL will report these as vulnerabilities when running on Xen. This is a design choice of Xen; it is neither a weakness in ASL nor something we can, unfortunately, address.
With that said, it's important to recognize that every kernel running on Xen carries at least these two weaknesses, and a non-ASL kernel carries many more fundamental flaws and weaknesses that cannot be fixed with patches, because they are design flaws of the kernel itself. The ASL kernel does not contain these design flaws, and even on the Xen platform it is significantly more resistant to attack than any other Linux kernel. If these two weaknesses are too risky for your needs, we recommend using a different virtualization technology. Using a non-ASL kernel with Xen, or with any other virtualization technology, will leave your system extremely vulnerable to attack.
- KERNEXEC is the kernel-land equivalent of PAGEEXEC and MPROTECT: it makes it harder for an attacker to inject and execute "foreign" code in kernel memory itself. Xen does not support this enhancement, although other virtualization technologies do (e.g. KVM, VMware). This is a limitation of Xen, not of the ASL kernel; the enhancement is simply not possible with Xen.
- UDEREF ensures that userland and kernel address spaces are properly separated, which addresses NULL-dereference based exploits, for example. It makes sure that the data segments for userland and the kernel are properly limited, either upwards (userland) or downwards (kernel). Xen does not support this enhancement, although other virtualization technologies do (e.g. KVM, VMware). This is a limitation of Xen, not of the ASL kernel; the enhancement is simply not possible with Xen.
- Additional information about UDEREF is provided here.
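A small assessment helper that turns the two points above into a check an administrator can run: it reads the running kernel's exported config, looks for the PaX options that back KERNEXEC and UDEREF (the real grsecurity/PaX Kconfig symbols `CONFIG_PAX_KERNEXEC` and `CONFIG_PAX_MEMORY_UDEREF`), detects whether the host is a Xen guest, and reports each feature as active, absent, or present but not enforceable under Xen. This is an added example, not ASL's own tooling or scanner logic; it assumes the kernel was built with `CONFIG_IKCONFIG_PROC` (so `/proc/config.gz` exists) and that Xen guests expose `/sys/hypervisor/type`. Both paths can be overridden, and the two sample configs embedded below are constructed so the script also runs offline.

```python
"""Report whether PaX KERNEXEC and UDEREF are effective on this host.

Added example, not ASL's own code. Assumes /proc/config.gz (CONFIG_IKCONFIG_PROC)
and /sys/hypervisor/type ("xen" inside a Xen guest); both paths are overridable.
"""
import gzip
import re
from typing import Dict, List, Optional

# Kconfig symbols behind the two PaX features the page says Xen cannot enforce.
FEATURE_SYMBOLS = {
    "KERNEXEC": "CONFIG_PAX_KERNEXEC",
    "UDEREF": "CONFIG_PAX_MEMORY_UDEREF",
}

# Hypervisor on which the features above are built in but not enforceable.
UNSUPPORTED_HYPERVISOR = "xen"

# Constructed sample configs for offline runs: a hardened (ASL-style) kernel
# and a stock distribution kernel with neither PaX option.
SAMPLE_HARDENED_CONFIG = """\
CONFIG_GRKERNSEC=y
CONFIG_PAX=y
CONFIG_PAX_KERNEXEC=y
CONFIG_PAX_MEMORY_UDEREF=y
CONFIG_PAX_PAGEEXEC=y
"""
SAMPLE_STOCK_CONFIG = """\
CONFIG_X86_64=y
# CONFIG_PAX is not set
CONFIG_LOCALVERSION="-generic"
"""


def parse_kconfig(text: str) -> Dict[str, str]:
    """Parse .config text into {symbol: value}.

    'CONFIG_X=y' -> 'y', 'CONFIG_X="abc"' -> 'abc', '# CONFIG_X is not set' -> 'n'.
    """
    cfg: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"(CONFIG_[A-Za-z0-9_]+)=(.*)", line)
        if m:
            cfg[m.group(1)] = m.group(2).strip('"')
            continue
        m = re.fullmatch(r"# (CONFIG_[A-Za-z0-9_]+) is not set", line)
        if m:
            cfg[m.group(1)] = "n"
    return cfg


def assess(cfg: Dict[str, str], hypervisor: Optional[str]) -> List[Dict[str, str]]:
    """One finding per feature: 'active', 'absent', or 'not enforceable under xen'."""
    findings = []
    for feature, symbol in FEATURE_SYMBOLS.items():
        if cfg.get(symbol) != "y":
            status = "absent"            # kernel was not built with the feature
        elif hypervisor == UNSUPPORTED_HYPERVISOR:
            status = f"not enforceable under {UNSUPPORTED_HYPERVISOR}"
        else:
            status = "active"
        findings.append({"feature": feature, "symbol": symbol, "status": status})
    return findings


def read_running_kconfig(path: str = "/proc/config.gz") -> Optional[str]:
    """Return the running kernel's config text, or None if it is not exported."""
    try:
        with gzip.open(path, "rt") as fh:
            return fh.read()
    except OSError:
        return None


def detect_hypervisor(path: str = "/sys/hypervisor/type") -> Optional[str]:
    """Return the hypervisor name ('xen' on Xen guests), or None if unknown."""
    try:
        with open(path) as fh:
            return fh.read().strip().lower() or None
    except OSError:
        return None


def report(findings: List[Dict[str, str]]) -> str:
    """Render findings as aligned text lines."""
    return "\n".join(
        f"{f['feature']:<9} {f['symbol']:<26} {f['status']}" for f in findings
    )


if __name__ == "__main__":
    text = read_running_kconfig()
    hv = detect_hypervisor()
    if text is None:
        print("no /proc/config.gz here; showing the constructed hardened sample on xen")
        text, hv = SAMPLE_HARDENED_CONFIG, "xen"
    print(f"hypervisor: {hv or 'none detected'}")
    print(report(assess(parse_kconfig(text), hv)))
```

On an ASL kernel inside a Xen guest the output lists both features as "not enforceable under xen", which is exactly the condition the text says ASL flags; on a stock kernel they show as "absent" regardless of hypervisor, the worse of the two situations described above.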