Cloisonnement Système (System Partitioning), Guide ANSSI



Sorry this is only available in French. The ANSSI published the following this month:

@mickael I lack the necessary expertise to know if that is a good guide. If it is, maybe it contains elements that may be useful for the threat model including the Qubes-based journalist workstation? Or maybe it’s too generic.

It does mention Xen but says it is the same kind of virtualization as KVM, which is not entirely accurate. With KVM, the vast majority of the time, you run a Linux kernel from a Linux kernel. With Xen you have a hypervisor which runs (most of the time) a Linux kernel. They are two entirely different code bases, which makes things a lot more complicated for hardware support (that’s a known problem).

I also imagine (but have no clue really) that it could be more complicated to review from a security perspective because you have two code bases (Xen & Linux) instead of one (Linux). But maybe it is actually simpler for some reason? I’m interested in your opinion on this matter.



@dachary sorry I had not seen my mention in this! ANSSI makes pretty good documentation in French. The document you mention is a good, high-level approach to sandboxing principles.
It provides a good overview of some design principles used in Qubes as well as what’s being done in the securedrop-workstation project. They also reference NCC Group’s excellent work on container security (1 and 2).

They seem to only distinguish OS (full) virtualization (KVM, Xen) from containers (which share the same kernel) but, as you’ve stated, don’t go into the details of the different virtualization methods.