WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
xen-users

Re: [Xen-users] XenAccess Library: Introspection for Xen

> The other thing to consider is non-traditional host-based IDS.
> Through introspection, you need not be limited by the presentation of
> information that you normally get inside the operating system.
> Perhaps viewing memory "through a different lens" could lead to some
> interesting new techniques?  Something to think about.

I think it'll enable lots of things - we need to throw away our preconceptions 
to get the best out of the architecture.  So much more is possible without 
the constraints of just running inside / outside machine boundary of the 
monitored system.

> Indeed.  And, in addition to data aggregation, comparing the data
> from in the host to data from introspection to data on the network
> could lead to some interesting analysis.  For example, what if you
> saw conflicting information about the same system from two sensor
> locations?  Perhaps you just detected stealthy malware?

Indeed.  It's going to need a fairly interesting inference engine to figure 
stuff out (and explain its decisions to administrators afterwards!).  Could 
be quite a cool project, depending on how much groundwork for this sort of 
thing already exists.

> I'm excited about the possibilities.  Within the XenAccess project,
> I'm looking forward to collecting more data (including the driver
> taps that you mentioned and cpu context information), and adding more
> features such as instruction-level replay of a domain's execution
> environment.  So keep watching and hopefully there will be some more
> interesting stuff coming down the pipe.

Just a heads-up that some people have been looking at deterministic replay, so 
you might want to figure out who they are and see what stage they're at.

A filter-style interface for collecting selected events from Xen (as proposed 
by Stanford guys in the introspection paper) would be a nice thing to have 
too.  Stuff like direct syscall monitoring could be implemented this way, for 
instance.

Sounds like you've got a whole load of good plans, anyhow.  I wish you luck!

Cheers,
Mark

-- 
Dave: Just a question. What use is a unicycle with no seat?  And no pedals!
Mark: To answer a question with a question: What use is a skateboard?
Dave: Skateboards have wheels.
Mark: My wheel has a wheel!
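The "two sensor locations disagree about the same system" idea from the quoted exchange above, worked through as an added example; this is not code from the thread or from XenAccess. It models a guest memory image with a constructed toy task-record layout (not real Linux task_struct offsets), then compares two lenses on the same memory: walking the kernel's all-tasks list (roughly what an in-guest tool reports, and what a list-unlinking rootkit controls) against carving records by signature (a view only an out-of-guest introspection tool has). Any record present in the second view but absent from the first is reported, with a reason an administrator can act on. The addresses, magic value and sample processes are all constructed.

```python
"""Cross-view detection over a constructed guest memory image (toy model)."""
import struct

# Constructed record layout, NOT Linux's task_struct:
#   u32 magic  = TASK_MAGIC
#   u32 pid
#   u32 next   = guest-physical address of the next record (circular list)
#   16s comm   = NUL-padded command name
TASK_FMT = "<III16s"
TASK_SIZE = struct.calcsize(TASK_FMT)   # 28 bytes
TASK_MAGIC = 0x5441534B                 # little-endian bytes b"KSAT"
LIST_HEAD = 0x1000                      # address of the first (init) record
MAX_WALK = 10_000                       # loop guard: a corrupted list must not hang the monitor


def build_image(tasks, hidden_pids=(), image_size=0x4000):
    """Lay out `tasks` ([(pid, comm), ...]) as consecutive records from LIST_HEAD.
    Records whose pid is in `hidden_pids` are still written to memory but are
    skipped when `next` pointers are linked, modelling DKOM-style unlinking."""
    mem = bytearray(image_size)
    addrs = [LIST_HEAD + i * TASK_SIZE for i in range(len(tasks))]
    visible = [i for i, (pid, _) in enumerate(tasks) if pid not in hidden_pids]
    for i, (pid, comm) in enumerate(tasks):
        if i in visible:
            pos = visible.index(i)
            nxt = addrs[visible[(pos + 1) % len(visible)]]
        else:
            nxt = addrs[i]          # unlinked record just points at itself
        struct.pack_into(TASK_FMT, mem, addrs[i], TASK_MAGIC, pid, nxt, comm.encode())
    return bytes(mem)


def read_task(mem, addr):
    """Decode one record; refuse anything without the signature."""
    magic, pid, nxt, comm = struct.unpack_from(TASK_FMT, mem, addr)
    if magic != TASK_MAGIC:
        raise ValueError(f"no task record at {addr:#x}")
    return pid, nxt, comm.rstrip(b"\0").decode()


def walk_task_list(mem, head=LIST_HEAD):
    """View 1: follow `next` pointers from the head until the list wraps around."""
    seen, addr = {}, head
    for _ in range(MAX_WALK):
        pid, nxt, comm = read_task(mem, addr)
        seen[pid] = comm
        addr = nxt
        if addr == head:
            return seen
    raise RuntimeError("task list does not terminate; possible corruption")


def carve_tasks(mem):
    """View 2: scan every 4-byte aligned offset for the record signature."""
    found = {}
    pattern = struct.pack("<I", TASK_MAGIC)
    off = mem.find(pattern)
    while off != -1:
        if off % 4 == 0 and off + TASK_SIZE <= len(mem):
            pid, _, comm = read_task(mem, off)
            found[pid] = comm
        off = mem.find(pattern, off + 1)
    return found


def cross_view(mem):
    """Compare the two lenses; return (pid, name, reason) for each discrepancy."""
    listed, carved = walk_task_list(mem), carve_tasks(mem)
    return [(pid, carved[pid], "present in memory but unlinked from the task list")
            for pid in sorted(set(carved) - set(listed))]


# Constructed sample: pid 1337 is written to memory but unlinked from the list.
SAMPLE_TASKS = [(1, "init"), (42, "sshd"), (1337, "rootkitd"), (200, "bash")]
SAMPLE_IMAGE = build_image(SAMPLE_TASKS, hidden_pids=(1337,))

if __name__ == "__main__":
    for pid, name, why in cross_view(SAMPLE_IMAGE):
        print(f"pid {pid} ({name}): {why}")
```

The loop guard in `walk_task_list` matters in practice: an introspection monitor reads guest memory the guest itself controls, so a malformed or deliberately cyclic list must produce a finding, not a hung monitor.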

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
