WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 

xen-devel

RE: [Xen-devel] xen strace analysis

To: "Petersson, Mats" <Mats.Petersson@xxxxxxx>
Subject: RE: [Xen-devel] xen strace analysis
From: Sanjam Garg <sanjamg@xxxxxxxxx>
Date: Wed, 28 Feb 2007 10:09:22 -0800 (PST)
Cc: xen-devel@xxxxxxxxxxxxxxxxxxx
Delivery-date: Wed, 28 Feb 2007 10:08:42 -0800
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=X-YMail-OSG:Received:Date:From:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding:Message-ID; b=X7EKp09L3diruf54j2jldm1z8FfSJ7BC9xltN8M6/pirK/DkeJyEoDVbwTckPKP5aKliKaLMD+CvieLmMlLD/pstHBDWYhahcr3diMmDiPzasvAGw5lnatLoG7L/P1UpBF4rLi0nAk8pKN54CNs94vjZOzyHM7AWNyKXX4Mf/r0=;
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
In-reply-to: <907625E08839C4409CE5768403633E0B018E19EC@xxxxxxxxxxxxxxxxx>
List-help: <mailto:xen-devel-request@lists.xensource.com?subject=help>
List-id: Xen developer discussion <xen-devel.lists.xensource.com>
List-post: <mailto:xen-devel@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe>
Sender: xen-devel-bounces@xxxxxxxxxxxxxxxxxxx
Hi

Thanks for the quick reply. There is an issue here. Since I intend to do system call analysis, doing it from within domU prevents my IDS from being independent of the kernel integrity. Doing it in the dom0 and using a small agent in the domU does not help assure that information received from domU is not tainted. I understand that direct information of system calls is not possible. Nonetheless, is there a way I can extrapolate information about the system call analysis from the low level information in Xen?
UML (User Mode Linux) does help achieve such functionality as per the paper. (http://www.laureano.eti.br/projetos/vmids/vmids_euromicro.pdf)


Sanjam

"Petersson, Mats" <Mats.Petersson@xxxxxxx> wrote:


> -----Original Message-----
> From: xen-devel-bounces@xxxxxxxxxxxxxxxxxxx
> [mailto:xen-devel-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of
> Sanjam Garg
> Sent: 28 February 2007 17:38
> To: xen-devel@xxxxxxxxxxxxxxxxxxx
> Subject: [Xen-devel] xen strace analysis
>
> Hi
>
> I am looking for a mechanism to gather information about
> system calls that a guest Operating system is making. Any
> references for development of IDS's with Xen would also help.

Xen doesn't have any clue what system calls the guest-OS is making (and
should not know this). Xen itself only gets involved for certain special
operations which, generally, either deal with page-table
(memory-mapping) handling or inter-domain communication (event-channel),
and of course domain life-cycle (creating, destroying, pausing and
unpausing, save and restore, and migration). With a few other
exceptions, everything else is handled within the guest itself. That's
for the para-virtual case. In a fully-virtualized domain, there's even
less knowledge of what's going on in the guest.

So whilst the hypervisor may be able to surmise from this knowledge that
a guest changed its pagetables around, it's not sufficiently aware of
WHY to say whether that was done because of a fork, mmap or malloc call
for example. It can determine that some communication happened between
the guest and dom0, but not whether it's a file-read or a socket network
operation, etc, etc.

The only way to know what the guest is doing is to sit inside the
guest-OS and perform something like strace (I think there are some ways
to do a "system-wide strace", so you'd see exactly which system calls
are done by which process).

--
Mats
>
> Thanks
> Sanjam
>
>




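The "system-wide strace" that Mats mentions is the in-guest vantage point, and it inherits exactly the dependency on guest kernel integrity that Sanjam raises. As an added example (not code from this thread or from the vmids paper), the script below parses strace -f -tt output into per-process system call sequences and scores each process by the fraction of its syscall bigrams that never appeared in a known-good trace. The trace lines, PIDs and paths are constructed for the example, and the n-gram comparison is a deliberately simple stand-in for sequence-based anomaly detection, not the method of any particular paper.

```python
import re
from collections import defaultdict

# Added example; not code from the xen-devel thread. Both traces below are
# constructed strace -f -tt output, i.e. what a trace taken inside the guest
# (the only vantage point the thread says has system-call visibility) looks like.
NORMAL_TRACE = r"""
4321 12:00:00.000000 openat(AT_FDCWD, "/var/log/app.log", O_RDONLY|O_CLOEXEC) = 3
4321 12:00:00.000100 read(3, "line one\n", 4096) = 9
4321 12:00:00.000200 read(3, "", 4096)       = 0
4321 12:00:00.000300 close(3)                = 0
4321 12:00:00.000400 write(1, "line one\n", 9) = 9
4321 12:00:00.000500 exit_group(0)           = ?
4321 12:00:00.000600 +++ exited with 0 +++
"""

SAMPLE_TRACE = r"""
1234 13:05:01.100000 openat(AT_FDCWD, "/etc/hosts", O_RDONLY|O_CLOEXEC) = 3
1234 13:05:01.100100 read(3, "127.0.0.1 localhost\n", 4096) = 20
1234 13:05:01.100200 close(3)                = 0
1234 13:05:01.100300 write(1, "127.0.0.1 localhost\n", 20) = 20
1235 13:05:01.101000 read(0,  <unfinished ...>
1234 13:05:01.101100 exit_group(0)           = ?
1234 13:05:01.101200 +++ exited with 0 +++
1235 13:05:01.102000 <... read resumed> "x\n", 1024) = 2
1235 13:05:01.102100 --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=1234, si_uid=1000, si_status=0} ---
1235 13:05:01.102200 execve("/bin/sh", ["sh", "-c", "id"], 0x7ffc0000 /* 20 vars */) = 0
"""

CALL_RE = re.compile(
    r'^(?P<pid>\d+)\s+'
    r'(?:\d{2}:\d{2}:\d{2}(?:\.\d+)?\s+)?'   # optional -tt timestamp
    r'(?P<name>[a-z_][a-z0-9_]*)\('          # syscall name followed by '('
)
RESUMED_RE = re.compile(
    r'^(?P<pid>\d+)\s+'
    r'(?:\d{2}:\d{2}:\d{2}(?:\.\d+)?\s+)?'
    r'<\.\.\. (?P<name>\w+) resumed>'        # second half of an interrupted call
)


def parse_strace(text):
    """Return {pid: [syscall names in order]} from strace -f [-tt] output."""
    seqs = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if RESUMED_RE.match(line):
            # Already counted on its "<unfinished ...>" line; avoid double counting.
            continue
        m = CALL_RE.match(line)
        if m:
            seqs[int(m.group("pid"))].append(m.group("name"))
        # "+++ exited +++" and "--- SIGxxx ---" lines match neither and are skipped.
    return dict(seqs)


def ngrams(seq, n):
    """Sliding-window n-grams of a syscall sequence, in order, with repeats."""
    return [tuple(seq[i:i + n]) for i in range(len(seq) - n + 1)]


def build_profile(traces, n=2):
    """Set of syscall n-grams observed across known-good traces."""
    profile = set()
    for text in traces:
        for seq in parse_strace(text).values():
            profile.update(ngrams(seq, n))
    return profile


def score_trace(text, profile, n=2):
    """Per-PID fraction of n-grams absent from the profile (0.0 = nothing new)."""
    scores = {}
    for pid, seq in parse_strace(text).items():
        grams = ngrams(seq, n)
        novel = sum(1 for g in grams if g not in profile)
        scores[pid] = novel / len(grams) if grams else 0.0
    return scores


if __name__ == "__main__":
    profile = build_profile([NORMAL_TRACE])
    for pid, score in sorted(score_trace(SAMPLE_TRACE, profile).items()):
        print(f"pid {pid}: {score:.2f} of bigrams unseen in the known-good profile")
```

On the constructed input, PID 1234 repeats the profiled open/read/close/write pattern and scores 0.0, while PID 1235's read followed by execve is a bigram the profile has never seen and scores 1.0. In practice the profile would be built from many traces of the workload being protected, and the threshold for alerting tuned against its false-positive rate.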
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel