
Ian Jackson hits back at criticism of the Xen Project's security


November 2, 2015


There has been some shouting in Xen's forums lately, and now open source veteran Ian Jackson has stepped in to defend the Xen Project's overall security record.

The project last week fixed no fewer than nine security holes, including a seven-year-old guest-to-host escape, and has patched a string of security bugs this year, some of which threatened to disrupt cloud services.

The run of recently fixed bugs has prompted some rumblings, and a rather strident post from Marek Marczykowski of Invisible Things Lab takes things to a new level with some strongly-worded criticism.

"It's really shocking that such a security hole has been lurking in the core of the hypervisor for so many years. In our opinion, the Xen project should rethink their coding guidelines and try to come up with best practices and perhaps additional mechanisms that would not let similar security flaws plague the hypervisor ever again. Otherwise, the whole project makes no sense, at least to those who would like to use Xen for security-sensitive work," he writes.

Jackson is a Gandalf-grade open source developer. He wrote dpkg, among other fine pieces of code, and has served in very senior roles in open source development efforts. He now works for Citrix and serves on the Xen security team.

In the latter role, he felt sufficiently moved by Marczykowski to take to the Xen blog with a personal response.

The thrust of Jackson's argument is that everything is insecure, but the Xen Project treats its code with the best known remedy: sunlight.

“Unlike almost all corporations, and even most Free Software projects, the Xen Project properly discloses, via an advisory, every security vulnerability discovered in supported configurations. We also often publish advisories about vulnerabilities in other relevant projects, such as Linux and QEMU,” he wrote.

“When I worked for a security hardware vendor, I was constantly under pressure to explain why we needed to do a formal advisory for our security bugs,” he added. “That is what security-conscious users expect, but our competitors’ sales team would point to our advisories and say that our products were full of security issues. Their products had no publicly disclosed security holes, so they would tell naive customers that their products were superior.”

Jackson also wrote that “over the last few years, the Xen Project’s code review process has become a lot more rigorous” and says “I do think the Xen Project probably has fewer critical security bugs than other hypervisors (whether Free or proprietary). It’s the best available platform for building high security systems. The Xen Project’s transparency is very good for Xen’s users.”

“Ultimately, a Free Software project like Xen is what the whole community makes it,” he continued. “In the project as a whole, we get a lot more submissions of new functionality than we get submissions aimed at improving the overall security of the software.”

“So personally, I very much welcome the contributions made by security-focused contributors, even if that includes criticism,” he added.

Source: The Xen Project.
