Slashdot Mirror


IBM Pledges To Make Xen More Secure

An anonymous reader writes "In the latest posting on the Xen developer list, IBM pledges to make Xen more secure by porting its secure hypervisor (sHype) architecture to it. In their posting, IBM discusses an SELinux-like access control framework, resource control and monitoring, and trusted computing support for Xen. It appears that a lot is happening on the Xen front (for example, the announcement of XenSource Inc. and Intel's code drop in the xeno-unstable.bk tree for their super-secret VT CPU)."

19 of 134 comments

  1. Did anyone else... by Lostie · · Score: 4, Funny

    ... think of Half-Life when reading the headline?

    1. Re:Did anyone else... by Aeonite · · Score: 2, Funny

      Yes. I'm thinking Xen is already as secure as it's going to be thanks to the efforts of one Gordon Freeman.

      Eat that, Combine.

  2. I'm lazy, refuse to RTFA by LowneWulf · · Score: 5, Insightful

    .... seriously people, when describing some new feature of some obscure software package, can you PLEASE tell us WHAT IS IS!?!??!one!!?

    "And now, Fronzo v2.1.e, now 21% more secure!"

    1. Re:I'm lazy, refuse to RTFA by inox · · Score: 5, Informative

      Xen is certainly not an obscure software package.
      Read more at http://www.cl.cam.ac.uk/Research/SRG/netos/xen/

      It's a virtual machine monitor that allows you to run multiple OSes concurrently on the same machine, achieving the same kind of functionality as VMware, although the approaches are different.

    2. Re:I'm lazy, refuse to RTFA by Skasta · · Score: 2, Informative

      Slashdot users may not need this, but it is useful for businesses of all sizes. That is why most corporations like IBM, HP, Intel and Novell are starting to have employees work on Xen.

    3. Re:I'm lazy, refuse to RTFA by Meostro · · Score: 2

      I repeat: "And that's not obscure?"

      useful != not obscure

      Please consult the definition of obscure to understand my intent. #3 is the best fit for what I'm trying to convey, "relatively unknown" versus "useless" or anything similar.

      I have no doubt that it's useful to somebody (otherwise IBM et al would have no interest in it), but that doesn't make it any less obscure. Most organizations will throw another box on the line instead of parallelizing / virtualizing the OS, it's just Easier(TM). It might be more secure to set up different VMs, but that's probably trickier than setting up another box and slapping a firewall in between. Also, if an org is running several apps on a single box they should already understand the security implications of doing so, and that's their choice to make.

      Just for curiosity's sake, what separate purposes do system file flags, ACLs and SELinux templates serve? Never worked with it, have no idea what they are beyond the generic sense...

      Easier is a registered trademark meaning "how we've done it forever, and we're not going to change because change is bad".

    4. Re:I'm lazy, refuse to RTFA by PSC · · Score: 2, Informative

      > It's a virtual machine monitor that allows you to run multiple OSes concurrently on the same machine, achieving the same kind of functionality as VMware, although the approaches are different.

      Xen, while unlike VMware Workstation and GSX Server, works pretty similarly to VMware ESX Server. It is kind of like a microkernel providing a hardware abstraction layer and scheduling mechanism. The first guest image booted controls the abstraction layer, pretty much like XEN.

      Well, the pricing approach of Xen is fundamentally different, though.

      --
      The light at the end of the tunnel is probably a burning truck.

  3. Question by af_robot · · Score: 2, Insightful

    What is XEN?!

    1. Re:Question by BlackStar · · Score: 2, Funny

      One cannot simply hear the answer, for the answer is inside you waiting for you to quiet your mind so that it may rise to the surface. To achieve this, meditate upon the forgotten reference that was and is a part of the unseen aspect of the article. Meditate upon the vista of this.

  4. What this all means by Anthony+Liguori · · Score: 5, Informative

    Xen is an open source hypervisor for Intel hardware. A hypervisor allows multiple operating systems to run side-by-side simultaneously. Don't think VMware, think partitioning on a mainframe.

    Intel's VT technology is hardware support for partitioning. Google it.

    sHype is a research hypervisor at IBM that implements advanced security mechanisms much in the same way that SELinux does.

    So, think mainframe style partitioning with the security of SELinux.
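
    The "SELinux-like access control framework" the summary attributes to sHype is, at bottom, label-based mandatory access control applied to virtual machines rather than to processes. As an added illustration (toy code written for this mirror, not sHype's or Xen's implementation), the Python below gives every domain a security label and makes the hypervisor consult a default-deny policy before two domains may share a resource; it also applies a conflict-set rule that keeps competing tenants off the same physical host, a second policy model commonly paired with type enforcement in hypervisor MAC. Domain names, labels and rules are constructed for the example.

```python
"""Toy mandatory access control for hypervisor domains.

Added illustration of an 'SELinux-like' access control layer for a
hypervisor: every virtual machine (domain) carries a security label, and
the hypervisor consults a policy before letting two domains share a
resource (event channel, shared memory page, virtual network). Policy,
labels and domain names below are constructed, not sHype's or Xen's own.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    # Simple type enforcement: (subject type, object type, operation)
    # triples that are permitted. Anything not listed is denied.
    allowed: frozenset
    # Conflict sets: label types that must never run on the same host
    # at the same time (a Chinese-Wall style rule).
    conflict_sets: tuple


# Constructed policy: a hosting provider lets each tenant talk to the
# shared storage domain, never to another tenant, and refuses to place two
# competing tenants on one physical host.
DEMO_POLICY = Policy(
    allowed=frozenset({
        ("tenant_a", "storage", "share_memory"),
        ("tenant_b", "storage", "share_memory"),
        ("tenant_a", "storage", "event_channel"),
        ("tenant_b", "storage", "event_channel"),
        ("admin", "storage", "event_channel"),
    }),
    conflict_sets=(frozenset({"tenant_a", "tenant_b"}),),
)

# Constructed label assignment: domain id -> label type.
DOMAIN_LABELS = {
    "dom0": "admin",
    "dom1": "tenant_a",
    "dom2": "tenant_b",
    "dom3": "storage",
}


def label_of(domain):
    """Return a domain's label, or None for an unlabelled domain."""
    return DOMAIN_LABELS.get(domain)


def check_access(policy, subject, obj, operation):
    """True iff policy lets `subject` perform `operation` on `obj`.

    Default-deny: unlabelled domains and unlisted triples are refused,
    and direction matters (storage -> tenant is not implied by tenant -> storage).
    """
    s, o = label_of(subject), label_of(obj)
    if s is None or o is None:
        return False
    return (s, o, operation) in policy.allowed


def can_start(policy, running, candidate):
    """Refuse to start `candidate` if its type conflicts with a running domain."""
    c = label_of(candidate)
    if c is None:
        return False
    running_types = {label_of(d) for d in running}
    for conflict in policy.conflict_sets:
        if c in conflict and running_types & (conflict - {c}):
            return False
    return True


def audit(policy, requests):
    """Evaluate (subject, object, op) requests and return the decision log
    that the monitoring side of such a framework would record."""
    log = []
    for subject, obj, op in requests:
        decision = "ALLOW" if check_access(policy, subject, obj, op) else "DENY"
        log.append(f"{decision} {subject}({label_of(subject)}) -> "
                   f"{obj}({label_of(obj)}) {op}")
    return log


if __name__ == "__main__":
    for line in audit(DEMO_POLICY, [
        ("dom1", "dom3", "share_memory"),   # tenant to storage: allowed
        ("dom1", "dom2", "share_memory"),   # tenant to tenant: denied
        ("dom9", "dom3", "event_channel"),  # unlabelled domain: denied
    ]):
        print(line)
    print("start dom2 while dom1 runs:",
          can_start(DEMO_POLICY, {"dom0", "dom1"}, "dom2"))
```

    The point the toy makes is the one SELinux makes for processes: the decision is taken by the reference monitor from labels and a policy, not by the guests themselves, so a compromised guest cannot grant itself a channel the policy never listed.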

  5. Doesn't run Windows by cerberusss · · Score: 2, Interesting

    I wish it would run Windows, but it doesn't. That would mean a cheap alternative to VMware and would also mean a much higher usage (and thus testing).

    They give a reason:

    > Longer term, virtualisation features in next-generation CPUs should make it much easier to support unmodified OSes: at that time we will reconsider Windows support.

    Although I understand, I'm unsure why VMware and Bochs can run Windows and Xen can't...

    1. Re:Doesn't run Windows by keebler · · Score: 5, Informative

      It's because Xen requires modifications to the OS in order to function. An earlier version supported XP (sorta), but it hasn't been maintained.

      VMware doesn't require OS modifications because it virtualizes the entire machine (slow). Xen does, because it only fully virtualizes some resources, and forces the OS to go through the hypervisor (not as slow).

      --
      My HOUSEHOLD APPLIANCE is on DRUGS.

    2. Re:Doesn't run Windows by Eric+Smith · · Score: 4, Informative

      There are instructions on Intel that are not easily virtualized (read this as expensive to run). That is what you get with VMware/Bochs over Xen.

      Both Intel and AMD have stated that they plan to add virtualization support to forthcoming CPUs, which will have at least two useful benefits:

      1. VMware will run with much lower overhead, because it will no longer have to prescreen instruction sequences for those that have to be simulated (or binary translation, or whatever it is they're currently doing)
      2. Xen will be able to support unmodified guest operating systems

      I assume that the latter is what the mentioned Intel code drop is all about.

      Intel has mentioned two (different?) virtualization features, code named "Vanderpool" and "Silvervale". AMD calls theirs "Pacifica", and it is apparently not a clone of the Intel schemes, though it is expected to provide the same benefits.

  6. Re:Questions by Transdimentia · · Score: 3, Insightful

    The first thing that pops into my mind would be for partitioning your machine into slices for hosting/dedicated customers while preventing them from walking on each other or even knowing they are there?

  7. Re:Questions by Chirs · · Score: 3, Informative

    It's roughly 10 times faster than UML.

  8. Re:Questions by Paul+Crowley · · Score: 3, Informative

    I'd assumed you were greatly exaggerating for dramatic effect, but benchmarks show a range from almost no improvement to a factor of 5.

  9. An idea by Mitchell+Mebane · · Score: 2, Interesting

    I wonder if ReactOS has any plans for supporting Xen in the future? They're not at a "Windows replacement" stage yet, but the project seems to be moving pretty fast.

    --

    The roots of education are bitter, but the fruit is sweet.
    --Aristotle

  10. Re:Questions by Lemming+Mark · · Score: 2, Informative

    In addition to other posted comments, Xen can also perform live migration (move running virtual machines to another host without stopping them) and can run Linux device drivers in sandboxed, restartable domains.

  11. Re:What this all means-Pocket Mainframe. by SunFan · · Score: 2, Insightful

    In fact, if it wasn't for accidents of history, our computers would be so much more than they are now.

    Well, I figure Microsoft has set us back twenty years. The UNIX old-is-new-again migration is beginning to repair that damage, especially with recent advancements that leave Windows feeling lonely. Only Microsoft isn't UNIX, anymore, except for fringe systems.

    One good thing about Microsoft is it allowed people to learn a little about what they actually want in a computer, which helped drive refinements in Linux/UNIX. This is ultimately a good thing, and will better allow Microsoft's business model to become obsolete as more people get what they want in open systems.

    --
    Microsoft is the most expensive commodity operating system and office suite vendor in the marketplace.