Security is on everyone's mind these days, and software will always have
bugs that can be exploited. In virtualisation, those bugs are more often
found in device emulators, and the hypervisor itself includes a few of
those for performance reasons. How can we mitigate the severity of those bugs?
This presentation will talk about limiting the impact of bugs in device
emulators by deprivileging their execution. Right now, they run with the
same privilege as the rest of the Xen hypervisor, but we will show what we
can do to execute these emulations in a deprivileged context.
This solution comes with a performance cost. We will learn the cost
compared to the original and try to apply this to emulators that are either
not used often or that take much more time to execute than to switch to a
deprivileged context.