Thank you for the suggestions. My purpose is not only to watch what the
guest is doing, but also to modify its execution. For example, rewriting
the operand of a call *** instruction. It seems there is no general way
to do this (without modifying the guest OS), which is natural since Xen is
meant to be a hypervisor instead of an analysis tool.
VMsafe is VMware's SDK for guest security inspection. I think guests
running on Xen also have security concerns. It *might* be a good idea
to add security analysis tools that are not part of the hypervisor. I
am working on isolating malicious drivers into different address
space(s) so that malicious behaviors cannot impact the guest OS.
2011/7/8 George Dunlap <george.dunlap@xxxxxxxxxxxxx>:
> Please reply to the list, so that everyone can benefit from our discussion.
> On 07/07/2011 04:27 PM, John Liu wrote:
>> Hi George,
>> Thank you for the suggestions. My purpose is not only to watch what the
>> guest is doing, but also to modify its execution. For example, rewriting
>> the operand of a call *** instruction. It seems there is no general way
>> to do this, which is natural since Xen is meant to be a hypervisor
>> instead of an analysis tool.
>> VMsafe is VMware's SDK for guest security inspection. I think guests
>> running on Xen also have security concerns. It *might* be a good idea
>> to add security analysis tools that are not part of the hypervisor. I
>> am working on isolating malicious drivers into different address
>> space(s) so that malicious behaviors cannot impact the guest OS.
>> 2011/7/7 George Dunlap<George.Dunlap@xxxxxxxxxxxxx>:
>>> Do you just want to see what the guest was doing?
>>> If so, you might look at a rather obscure debugging feature of the
>>> processors called "Branch Trace Store" (BTS). Basically you set up
>>> some registers to point to an area of memory, and every time the cpu
>>> executes a branch, the BTS microcode will write the source and
>>> destination of those branches into the buffer. When the buffer
>>> reaches a certain threshold, it will generate an exception, and the
>>> store can be emptied.
>>> You'd have to do your own modifications to Xen to deal with this. I
>>> have some ancient (~2006) code I could give you for inspiration, but
>>> you're still going to need to basically implement the whole thing from
>>> Let me know if you want the code, and I'll give you a pointer to it.
>>> (Very much "as-is, caveat emptor" at this point.)
>>> On Thu, Jul 7, 2011 at 4:20 AM, John Liu<bradevuu@xxxxxxxxx> wrote:
>>>> I'm going to use Xen to do some security analysis.
>>>> In the context of VMX (or SVM), is it possible to do analysis at the
>>>> instruction level? For example, intercept call/jmp, mov, etc. For
>>>> virtualization tools which use binary translation, we are able to do
>>>> that. In Xen, is it still possible? I assume the nature of
>>>> para-virtualization and VMX does not provide such a mechanism (are users
>>>> allowed to register new vm_exit events?). Modify the compiler (or guest
>>>> OS) to generate a vm_exit for particular instructions? Even that
>>>> cannot work for HVM. Maybe at the API level, things are easier..
>>>> The motivation to do instruction-level analysis is that OS-level info such
>>>> as page tables is coarse-grained.
>>>> I really appreciate your suggestions and help.
>>>> Xen-devel mailing list
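The BTS mechanism George describes (registers point the CPU at a buffer, each branch appends a source/destination record, and reaching a threshold raises an interrupt so the store can be drained) can be modelled in userspace to show what the hypervisor-side code has to manage. The C below is an added example written for this thread; it is not George's 2006 code and not Xen's. It follows the record layout and DS-area fields documented in the Intel SDM (three 64-bit words per record, predicted flag in bit 4; BTS base, index, absolute maximum and interrupt threshold at the start of the DS buffer management area). The buffer contents and the function names bts_area_init, bts_append and bts_drain are constructed for illustration; bts_append stands in for the microcode write so the threshold logic can be exercised without touching IA32_DEBUGCTL.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* One BTS record as laid out by the CPU in 64-bit mode (Intel SDM):
 * branch source, branch target, and a flags word whose bit 4 means
 * "branch was predicted". */
typedef struct {
    uint64_t from;
    uint64_t to;
    uint64_t flags;
} bts_record_t;

#define BTS_FLAG_PREDICTED (1ULL << 4)

/* The BTS part of the DS buffer management area (first four qwords).
 * In a real deployment this structure lives in hypervisor-owned memory
 * that the guest cannot map, since the guest must not be able to
 * tamper with its own trace. */
typedef struct {
    uint64_t bts_base;        /* start of the record buffer */
    uint64_t bts_index;       /* where the next record is written */
    uint64_t bts_abs_max;     /* one past the last usable byte */
    uint64_t bts_int_thresh;  /* index reaching this raises a PMI */
} ds_bts_area_t;

/* Summary produced when the store is drained. */
typedef struct {
    size_t total;
    size_t mispredicted;
} bts_summary_t;

/* Describe a buffer of `cap` records with the interrupt threshold placed
 * after `thresh` records, as the hypervisor would before enabling BTS. */
void bts_area_init(ds_bts_area_t *ds, bts_record_t *buf, size_t cap, size_t thresh)
{
    ds->bts_base       = (uint64_t)(uintptr_t)buf;
    ds->bts_index      = ds->bts_base;
    ds->bts_abs_max    = ds->bts_base + cap * sizeof(bts_record_t);
    ds->bts_int_thresh = ds->bts_base + thresh * sizeof(bts_record_t);
}

/* Model of the microcode appending one record (non-circular mode).
 * Returns 1 if the index has reached the interrupt threshold (hardware
 * would raise the PMI now), 0 if not, and -1 if the buffer is full. */
int bts_append(ds_bts_area_t *ds, uint64_t from, uint64_t to, int predicted)
{
    if (ds->bts_index >= ds->bts_abs_max)
        return -1;
    bts_record_t *rec = (bts_record_t *)(uintptr_t)ds->bts_index;
    rec->from  = from;
    rec->to    = to;
    rec->flags = predicted ? BTS_FLAG_PREDICTED : 0;
    ds->bts_index += sizeof(bts_record_t);
    return ds->bts_index >= ds->bts_int_thresh;
}

/* What the interrupt handler does: walk base..index, copy the records
 * out (optional), summarise them, then reset the index so the CPU can
 * keep tracing. */
bts_summary_t bts_drain(ds_bts_area_t *ds, bts_record_t *out, size_t out_cap)
{
    bts_summary_t s = {0, 0};
    bts_record_t *rec = (bts_record_t *)(uintptr_t)ds->bts_base;
    bts_record_t *end = (bts_record_t *)(uintptr_t)ds->bts_index;
    for (; rec < end; rec++) {
        if (out && s.total < out_cap)
            out[s.total] = *rec;
        s.total++;
        if (!(rec->flags & BTS_FLAG_PREDICTED))
            s.mispredicted++;
    }
    ds->bts_index = ds->bts_base;   /* store emptied */
    return s;
}

int main(void)
{
    /* Constructed sample: room for 4 records, threshold after 3. */
    static bts_record_t buf[4];
    bts_record_t copy[4];
    ds_bts_area_t ds;
    bts_area_init(&ds, buf, 4, 3);

    /* Constructed guest branch addresses, not from any real trace. */
    printf("append -> %d\n", bts_append(&ds, 0x1000, 0x2000, 1));
    printf("append -> %d\n", bts_append(&ds, 0x2004, 0x3000, 0));
    printf("append -> %d (threshold reached)\n", bts_append(&ds, 0x3008, 0x1000, 1));

    bts_summary_t s = bts_drain(&ds, copy, 4);
    for (size_t i = 0; i < s.total; i++)
        printf("%#llx -> %#llx%s\n", (unsigned long long)copy[i].from,
               (unsigned long long)copy[i].to,
               (copy[i].flags & BTS_FLAG_PREDICTED) ? "" : " (mispredicted)");
    printf("%zu records, %zu mispredicted\n", s.total, s.mispredicted);
    return 0;
}
```

The two things worth noticing for anyone wiring this into Xen are that the drain must reset bts_index before re-enabling tracing (otherwise the next PMI fires immediately), and that the buffer, the DS area and the drained copies all need to sit in memory the guest cannot reach, or the trace is no more trustworthy than the guest itself.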