WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 
 
Home Products Support Community News
 
   
 

xen-devel

Re: [Xen-devel] possible to do analysis at instruction level?

To: John Liu <bradevuu@xxxxxxxxx>
Subject: Re: [Xen-devel] possible to do analysis at instruction level?
From: George Dunlap <George.Dunlap@xxxxxxxxxxxxx>
Date: Thu, 7 Jul 2011 10:18:38 +0100
Cc: xen-devel@xxxxxxxxxxxxxxxxxxx
Delivery-date: Thu, 07 Jul 2011 02:19:49 -0700
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=m7E/8rFyiNC+p190/f64bNryVtbZJXDJZpHlwDj7SxM=; b=MhtnbguNnWKwKnwIkS3vCYDGvgZOyxxPh1boqafGWSWONCZ01Kd4r0npUpPIxaOswh /zf4+2VKmWxiINlYmzeSNWQkRsDkn3jMXx1ytqUxMveDiq5WFcO9Yia8xkBy4jNFIk/9 2KFjYNV0DsL+GSa6TWWpA/zt8wEoVIt1bk+Z4=
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <CADpQrfQt07V2iRb6Durc_kn_tEVZG6f47sRz3RT1TLoQrJtf_A@xxxxxxxxxxxxxx>
List-help: <mailto:xen-devel-request@lists.xensource.com?subject=help>
List-id: Xen developer discussion <xen-devel.lists.xensource.com>
List-post: <mailto:xen-devel@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe>
References: <CADpQrfQt07V2iRb6Durc_kn_tEVZG6f47sRz3RT1TLoQrJtf_A@xxxxxxxxxxxxxx>
Sender: xen-devel-bounces@xxxxxxxxxxxxxxxxxxx
Do you just want to see what the guest was doing?

If so, you might look at a rather obscure debugging feature of the
processors called "Branch Trace Store" (BTS).  Basically you set up
some registers to point to an area of memory, and every time the cpu
executes a branch, the BTS microcode will write the source and
destination of those branches into the buffer.  When the buffer
reaches a certain threshold, it will generate an exception, and the
store can be emptied.

You'd have to do your own modifications to Xen to deal with this.  I
have some ancient (~2006) code I could give you for inspiration, but
you're still going to need to basically implement the whole thing from
scratch.

Let me know if you want the code, and I'll give you a pointer to it.
(Very much "as-is, caveat emptor" at this point.)

 -George

On Thu, Jul 7, 2011 at 4:20 AM, John Liu <bradevuu@xxxxxxxxx> wrote:
> Hi,
>
> I'm going to use XEN to do some security analysis.
>
> In the context of VMX(or SVM), it is possible to do analysis at
> instruction level? for example, intercept call/jmp, mov etc.  For
> virtualization tools which use binary translation, we are able to do
> that. In XEN, it's still possible?  I assume the nature of
> para-virtualization and VMX does not provide such mechanism(users are
> allowed to register new vm_exit events?).   Modify compiler(or guest
> OS) to generate vm_exit for particular instructions? even that it
> cannot work for HVM.  Maybe for API-level, things are easier..
>
> The motivation to do instruction-level analysis is OS level info such
> as page table is coarse-grained.
>
> I really appreciate your suggestions and help.
>
> Best,
> Liu
>
> _______________________________________________
> Xen-devel mailing list
> Xen-devel@xxxxxxxxxxxxxxxxxxx
> http://lists.xensource.com/xen-devel
>

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel

<Prev in Thread] Current Thread [Next in Thread>