Re: [Qemu-devel] A question about postcopy safety

[Dr. David Alan Gilbert]

* address@hidden (address@hidden) wrote:
> Hi David,

Hi Liutao,

> I'm studying the process of postcopy migration, and I found that the memory 
> pages migrated from source to destination are not encrypted. Does this make 
> the VM vulnerable if it's memory has been tampered with during postcopy 
> migration?
> 
> I think precopy has less risk because the source's memory is always altering. 
> If one page is tampered with during network transfer, with source still 
> running, then a later version of that page may keep updating. So it would be 
> quite difficult to track all different page versions, and tamper with the 
> final version of one page.
> 
> But when it comes to postcopy, the situation is riskier because one specific 
> page is only transferred once. It's easy to capture all transferring memory 
> pages, tamper and resend.

I don't think there's much difference between precopy and postcopy for security;
the only secure way to do migration is over an encrypted transport and that 
solves
it for both precopy and postcopy.

I don't think it would be that hard for a malicious person to track the pages 
in precopy;
and indeed what they could do is wait until an interesting page comes along
(say one with a hash or the data they're interested in) and then insert a new 
version
of that page later with their own nasty version on - postcopy wouldn't allow
that second version.

The challenge is to get a nice fast high speed encryption layer, and for 
post-copy
it should have low added latency.

> 
> When the memory been tampered with, the safety of the VM will be compromised.
> 
> Any ideas? thank you!Liutao

Dave

--
Dr. David Alan Gilbert / address@hidden / Manchester, UK