Xen Project wants permission to reveal fewer vulnerabilities
Should bugs that don't expose user data be left alone, saving time and effort?
The Xen Project is asking whether it can disclose fewer bugs.
“Issuing advisories has a cost,” the project's George Dunlap writes. “It costs the security team significant amounts of time to craft and send the advisories; it costs many of our downstreams time to apply, build, and test patches; and it costs many of our users time to decide whether to do an update, and if so, to test and deploy it.”
“Given this, the Xen Project Security Team wants to clarify when they should issue an advisory or not: the Xen Security Response Process only mentions 'vulnerabilities', without specifying what constitutes a vulnerability.”
Dunlap's post goes on to ask the Xen community to consider two changes to the Xen Security Policy. The first is the insertion of the following new clause:
Criteria 2c: Leaking of mundane information from Xen or dom0 will not be considered a security issue unless it may contain sensitive guest or user data
The second change is to Criteria 4, which deals with vulnerability disclosure; Dunlap wants it extended with the following:
If no operating systems are vulnerable to a bug, no advisory will be issued.
There's a thread on xen-devel to debate the changes. At the time of writing there are only a handful of posts, from just three people including Dunlap.
Dunlap also suggests that some bugs need not be classified as vulnerabilities, and offers the following source/target combinations as the ones worthy of the name “vulnerability”:
1a. The source is the guest userspace, guest kernel, or QEMU stubdomain, and the target is the hypervisor, dom0 and toolstack.
1b. The source is the guest userspace, guest kernel, or QEMU stubdomain, and the target is another guest.
1c. The source is guest userspace, and the target is the guest kernel, or other guest userspace processes.
Privilege escalation, denial of service or information leakage will mostly be considered vulnerabilities, but not if the target is an unprivileged guest.
Dunlap also suggests that vulnerabilities in experimental versions of Xen not be notifiable, and wants the same treatment when there is no “known combination of software in which the vulnerability can be exploited.”
Xen has had lots of vulnerabilities of late, among them a purely hypothetical bug. The Xen Project has also struggled to keep up with its own patching process.
The Register's virtualization desk has no answers here. But we do have a poll. So tell us what you'd like to see, or hit that xen-devel thread, which we'll keep an eye on so we can report on interesting feedback. ®