WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
RE: [Xen-users] XenAccess Library: Introspection for Xen

To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: RE: [Xen-users] XenAccess Library: Introspection for Xen
From: "Bryan D. Payne" <bryan@xxxxxxxxxxxx>
Date: Mon, 8 May 2006 21:34:38 -0400
Cc: steve@xxxxxxxxxxxxxx
Delivery-date: Mon, 08 May 2006 18:35:18 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
In-reply-to: <E1Fbi1L-0000T7-HL@host-192-168-0-1-bcn-london>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <E1Fbi1L-0000T7-HL@host-192-168-0-1-bcn-london>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx

> Would XenAccess implementation and functionality be the same for both
> paravirtualized and fully virtualized (using VT) guests?

I imagine that the changes for VT guests would range somewhere from none to minimal. However, I haven't actually used XenAccess on VT hardware yet, so I can't say for sure. If you try it out, please let me know what you find.

> Would the only difference between introspection on a Linux vs Windows guest
> be the closed and undocumented nature of the Windows kernel?

Pretty much. The nice thing is that memory access is more hardware dependent than OS dependent. Therefore, you should be able to access virtual addresses on Windows just like you can on Linux. The trick is knowing which address to access :-) On Linux you can leverage the source code, system map file, etc. to see how things are laid out in memory. On Windows, it's going to be a little trickier to figure out which addresses to access.

I'm more knowledgeable with Linux than I am with Windows. So perhaps there's some information out there that I'm not aware of that would help with this situation. But, even without extra information, one should be able to discern quite a bit of information through reverse engineering techniques.

> How difficult would it be to get a look at a running guest's file system?
> Linux seems easy, but I believe Windows guests use vmx images; can the
> Windows file system be viewed naturally from the outside?

Having not used VT hardware, I'm not familiar with the vmx image files. But, assuming that the format is well known, you should be able to access its contents from dom0. Another option is to tap the device access between the frontend and backend drivers, which would allow you to view data as it is being accessed.

> Are there any other potential obstacles or difficulties that would make
> various introspection techniques on Windows impossible, difficult, or merely
> a nuisance?

I believe that introspection with Windows should be very doable. In fact, if you look at the XenAccess source code, you'll see that I've already started breaking out OS-specific code. My plan is to work on support for other OSes once Linux is up and running. Of course, if you have any success with Windows first, I'd be happy to integrate the code into Subversion.

If you have other questions, feel free to drop me a line and/or post to the XenAccess mailing list.

Cheers,
bryan


-
Bryan D. Payne
Graduate Student, Computer Science
Georgia Tech Information Security Center
http://www.bryanpayne.org
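The reply above makes a point worth seeing in code: translating a guest virtual address to a physical one is defined by the CPU (a page-table walk), while knowing *which* virtual address to read is the OS-specific part (on Linux, the System.map file). The example below is added here for illustration; it is not XenAccess code and does not come from the thread. It builds a tiny constructed 32-bit, non-PAE x86 guest in a byte buffer, with a constructed System.map excerpt and a constructed `linux_banner` string, then resolves the symbol and walks the page tables to read it, the way a dom0 monitor would read a guest's kernel data. The symbol addresses, CR3 value and mappings are all made up for the example.

```python
"""Added example: symbol lookup (OS-specific) + x86 page-table walk (hardware-defined).
Everything here is constructed; it is not the XenAccess project's code."""
import struct

PTE_PRESENT = 0x1   # bit 0: entry present
PTE_RW = 0x2        # bit 1: writable
PDE_PSE = 0x80      # bit 7 in a PDE: 4 MiB page (no second level)

# Constructed System.map excerpt (addresses are NOT from a real kernel build).
SYSTEM_MAP = """\
c0100000 T _stext
c0339d80 D linux_banner
c03b8000 R __start_rodata
c04a5c60 D init_task
"""


def parse_system_map(text):
    """Map symbol name -> (virtual address, type letter) from System.map lines."""
    symbols = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        addr, kind, name = parts
        symbols[name] = (int(addr, 16), kind)
    return symbols


class GuestMemory:
    """Flat byte buffer standing in for the guest's physical memory (constructed)."""

    def __init__(self, size):
        self.buf = bytearray(size)

    def write_u32(self, paddr, value):
        struct.pack_into("<I", self.buf, paddr, value)

    def read_u32(self, paddr):
        return struct.unpack_from("<I", self.buf, paddr)[0]

    def read(self, paddr, length):
        return bytes(self.buf[paddr:paddr + length])


def walk_page_table(mem, cr3, vaddr):
    """32-bit non-PAE x86 two-level walk: CR3 -> PDE -> PTE -> physical address.
    Returns None when the mapping is not present. The walk is identical whatever
    OS runs in the guest; only the address we look up is OS-specific."""
    pde_addr = (cr3 & ~0xFFF) + ((vaddr >> 22) & 0x3FF) * 4
    pde = mem.read_u32(pde_addr)
    if not pde & PTE_PRESENT:
        return None
    if pde & PDE_PSE:  # 4 MiB page: PDE holds the frame directly
        return (pde & 0xFFC00000) | (vaddr & 0x3FFFFF)
    pte_addr = (pde & ~0xFFF) + ((vaddr >> 12) & 0x3FF) * 4
    pte = mem.read_u32(pte_addr)
    if not pte & PTE_PRESENT:
        return None
    return (pte & ~0xFFF) | (vaddr & 0xFFF)


def build_guest():
    """Construct an 8 MiB 'guest' with a page directory at 1 MiB (CR3 = 0x100000)."""
    mem = GuestMemory(8 * 1024 * 1024)
    cr3 = 0x00100000
    page_table = 0x00101000
    # 4 KiB mapping: VA 0xC0339000 -> PA 0x00339000 (the page holding linux_banner)
    mem.write_u32(cr3 + (0xC0339000 >> 22) * 4, page_table | PTE_PRESENT | PTE_RW)
    mem.write_u32(page_table + ((0xC0339000 >> 12) & 0x3FF) * 4,
                  0x00339000 | PTE_PRESENT | PTE_RW)
    # 4 MiB mapping: VA 0xC0400000..0xC07FFFFF -> PA 0x00400000 (covers init_task)
    mem.write_u32(cr3 + (0xC0400000 >> 22) * 4, 0x00400000 | PTE_PRESENT | PTE_RW | PDE_PSE)
    banner = b"Linux version 2.6.16-xen (constructed)\0"  # constructed banner
    mem.buf[0x00339D80:0x00339D80 + len(banner)] = banner
    return mem, cr3


def read_kernel_string(mem, cr3, symbols, name, max_len=64):
    """Resolve a symbol via System.map, translate it, and read a NUL-terminated
    string. Reads must stay within one 4 KiB page (no boundary handling here)."""
    vaddr, _ = symbols[name]
    paddr = walk_page_table(mem, cr3, vaddr)
    if paddr is None:
        raise LookupError("%s at 0x%08x is not mapped in the guest" % (name, vaddr))
    data = mem.read(paddr, max_len)
    return data.split(b"\0", 1)[0].decode("ascii")


if __name__ == "__main__":
    mem, cr3 = build_guest()
    symbols = parse_system_map(SYSTEM_MAP)
    print(read_kernel_string(mem, cr3, symbols, "linux_banner"))
```

Running the module prints the constructed banner. The `__start_rodata` symbol in the excerpt deliberately has no page-table entry, so `read_kernel_string` raises `LookupError` for it; a real monitor has to expect exactly that (unmapped or paged-out kernel data) rather than assume every System.map address is readable.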



_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users