This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
Home Products Support Community News


Re: [Xen-research] Intercepting memory operations of a guest

To: "Sina Bahram" <sbahram@xxxxxxxxx>
Subject: Re: [Xen-research] Intercepting memory operations of a guest
From: "Todd Deshane" <deshantm@xxxxxxxxx>
Date: Mon, 8 Dec 2008 10:15:10 -0500
Cc: xen-research@xxxxxxxxxxxxxxxxxxx
Delivery-date: Mon, 08 Dec 2008 07:15:15 -0800
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:reply-to :to:subject:cc:in-reply-to:mime-version:content-type :content-transfer-encoding:content-disposition:references; bh=Gv9yrL5I5oyGc2uoaZYyO6Bia99F5PS6604jd9Tdmj8=; b=QgMIG3s3pfVmoYH37NaE70djUqBlAmpbJhF3ViZRW6/DHtSAZd8ed3aetDTJBL9IGy WLPAFXtDQRWP4ldR6yNXUq4xx/0BrlgHbyFbd92L80IO4dhV5HiRcr0oLM9dcXraWFih Kcjhbx1GhyoyWPIqjh1COmgDNPCT7NsTcXQ0E=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:reply-to:to:subject:cc:in-reply-to :mime-version:content-type:content-transfer-encoding :content-disposition:references; b=ZIDU0uzcgDkdM+hbHmXB7Pe5bJWY7S3reJIbc5sD8jj9V1dJgPnC93A8zpyV0HgWsD Q+pn8cSQorEsPjw1Av7SBcx5NspGCgBvr8LCm8XSpE+Sx7l1tdZRsYFoddhMB3I9X9D2 EQ635cxq7UvFPiFRU1JfkDVWMsjCtuUukOALE=
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <A2A4EB83B92E47CEA18E21773EE7D8E9@neutrino>
List-help: <mailto:xen-research-request@lists.xensource.com?subject=help>
List-id: Research Issues on Xen <xen-research.lists.xensource.com>
List-post: <mailto:xen-research@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-research>, <mailto:xen-research-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-research>, <mailto:xen-research-request@lists.xensource.com?subject=unsubscribe>
References: <A2A4EB83B92E47CEA18E21773EE7D8E9@neutrino>
Reply-to: deshantm@xxxxxxxxx
Sender: xen-research-bounces@xxxxxxxxxxxxxxxxxxx
On Sun, Dec 7, 2008 at 8:57 PM, Sina Bahram <sbahram@xxxxxxxxx> wrote:
> Hi all,
> Sorry for any cross posting. I sent this to the xen-devel list and the
> xen-se list as well.
> I'm wanting to modify some xen source code for the purposes of some
> research, exploration, and testing of some security concepts.
> I have a few questions after looking through the source.
> All of the below applies to 32-bit guests.
> #1: Is there anyway possible to trap/insert some code at/hook into, any
> modification of a PV guest's page table. Anything like a hypercall handler I
> can plugin to, a function or series of functions that always gets called,
> something I can provide a call back to, or anything else?
> #2: For some research purposes, I plan on replicating portions of the page
> table of a guest, only those pages of the guest's kernel. I hope to do this
> by the supervisory bit being set; however, I welcome any suggestions of a
> better approach to detecting when kernel pages are being modified?
> In general, to explain any questions I haven't specifically asked above; I'm
> looking for the appropriate place in xen to intercept any writes, reads, and
> executes of a guest's memory.
> Also, would such activities be easier or more difficult with hvm guests?
> Since xen has to provide hvm guests an individual CR3, would such a place be
> much easier to hook into because of any abstraction layers that already
> exist for such things?
> The only reason I picked pv guests was that the semantics of what is a
> kernel page and what is not might not be as easy to determine in an hvm
> guest, but perhaps this is not the case?

You may want to take a look at the Xen Introspection Project:


Todd Deshane

Xen-research mailing list

<Prev in Thread] Current Thread [Next in Thread>