WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
xense-devel

Re: [Xense-devel] xenwatch and xenswitch processes

To: "Joop Boonen" <joop_boonen@xxxxxx>
Subject: Re: [Xense-devel] xenwatch and xenswitch processes
From: "Bryan D. Payne" <bryan@xxxxxxxxxxxx>
Date: Tue, 18 Jul 2006 08:41:07 -0400
Cc: xense-devel@xxxxxxxxxxxxxxxxxxx
Delivery-date: Tue, 18 Jul 2006 05:41:22 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
In-reply-to: <36454.62.140.134.15.1153223150.squirrel@xxxxxxxxxxxxxxxxxxxxx>
List-help: <mailto:xense-devel-request@lists.xensource.com?subject=help>
List-id: "A discussion list for those developing security enhancements for Xen." <xense-devel.lists.xensource.com>
List-post: <mailto:xense-devel@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xense-devel>, <mailto:xense-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xense-devel>, <mailto:xense-devel-request@lists.xensource.com?subject=unsubscribe>
References: <36454.62.140.134.15.1153223150.squirrel@xxxxxxxxxxxxxxxxxxxxx>
Sender: xense-devel-bounces@xxxxxxxxxxxxxxxxxxx
> I have the following question. I've used Xen; what I see in a DomU are the
> xenswitch and xenwatch processes. When I have users on a system, or a
> firewall on a DomU is hacked, they know it's running on Xen. Is there a way
> to not show/hide these processes?

While you might be able to hide the processes (e.g., using a rootkit), I think that there's a larger issue here. It sounds like your goal is to completely hide the fact that a machine is running in a domU. And, for better or worse, this is very hard to do.

Consider, for example, Red Pill. This small program can detect when it's running in a virtualized environment:

http://invisiblethings.org/papers/redpill.html

Cheers,
bryan


-
Bryan D. Payne
Graduate Student, Computer Science
Georgia Tech Information Security Center
http://www.bryanpayne.org



Attachment: smime.p7s
Description: S/MIME cryptographic signature

_______________________________________________
Xense-devel mailing list
Xense-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xense-devel
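Added example, not from the original post or from the Xen project: a small C program that performs the SIDT check Red Pill is built on, and alongside it the CPUID "hypervisor present" bit and hypervisor-signature leaf, which goes beyond the single trick in the paper to the more general point that a guest can ask the hardware rather than the process list. The 0xd0 threshold is Red Pill's own, the signatures are the ones the respective hypervisors publish (Xen's is "XenVMMXenVMM"), and the function names and result codes are this example's assumptions.

```c
/* Added example, not from the original post or the Xen project: two
 * in-guest virtualization checks that hiding xenwatch/xenswitch from the
 * process list does nothing about.  Function names and result codes are
 * this example's own; the 0xd0 threshold is Red Pill's, the signatures
 * are the ones the hypervisors publish. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

enum { VM_UNKNOWN = -1, VM_NOT_DETECTED = 0, VM_DETECTED = 1 };

#if defined(__x86_64__) || defined(__i386__)
/* Memory image written by SIDT: 16-bit limit followed by the linear base. */
#pragma pack(push, 1)
struct dtr { uint16_t limit; uintptr_t base; };
#pragma pack(pop)

/* SIDT is not a privileged instruction, so an ordinary ring-3 process can
 * read the IDTR image; a VMM that does not trap it leaks its relocated IDT. */
static struct dtr read_idtr(void) {
    struct dtr r;
    __asm__ volatile ("sidt %0" : "=m"(r));
    return r;
}
#endif

/* Red Pill heuristic (Rutkowska, 2004): on the 32-bit VMware/Virtual PC
 * guests of the time the IDT base sat above 0xd0000000, so the top byte of
 * the base is compared against 0xd0.  The threshold says nothing about
 * 64-bit guests, so there we only report the base and return VM_UNKNOWN. */
int redpill_detect(uintptr_t *base_out) {
#if defined(__i386__)
    struct dtr r = read_idtr();
    if (base_out) *base_out = r.base;
    return (((r.base >> 24) & 0xff) > 0xd0) ? VM_DETECTED : VM_NOT_DETECTED;
#elif defined(__x86_64__)
    struct dtr r = read_idtr();
    if (base_out) *base_out = r.base;
    return VM_UNKNOWN;
#else
    if (base_out) *base_out = 0;
    return VM_UNKNOWN;
#endif
}

/* CPUID leaf 1, ECX bit 31 is the "hypervisor present" bit; leaf 0x40000000
 * returns the hypervisor's 12-byte signature in EBX:ECX:EDX.  Both exist only
 * when the hypervisor chooses to advertise itself, and on bare metal a leaf
 * above the CPU's maximum returns stale data, so the signature is only
 * reported when the present bit is set.  sig must hold 13 bytes. */
int cpuid_hypervisor(char sig[13]) {
    sig[0] = '\0';
#if defined(__x86_64__) || defined(__i386__)
    unsigned int a, b, c, d;
    __cpuid(1, a, b, c, d);
    int present = (c >> 31) & 1;
    if (!present)
        return VM_NOT_DETECTED;
    __cpuid(0x40000000u, a, b, c, d);
    memcpy(sig + 0, &b, 4);
    memcpy(sig + 4, &c, 4);
    memcpy(sig + 8, &d, 4);
    sig[12] = '\0';
    return VM_DETECTED;
#else
    return VM_UNKNOWN;
#endif
}

/* Map the published signatures to a vendor name. */
const char *vendor_from_signature(const char *sig) {
    static const struct { const char *sig; const char *name; } known[] = {
        { "XenVMMXenVMM", "Xen" },
        { "KVMKVMKVM",    "KVM" },
        { "VMwareVMware", "VMware" },
        { "Microsoft Hv", "Hyper-V" },
    };
    for (size_t i = 0; i < sizeof known / sizeof known[0]; i++)
        if (strncmp(sig, known[i].sig, 12) == 0)
            return known[i].name;
    return sig[0] ? "unknown hypervisor" : "none";
}

/* Any positive signal wins; a negative SIDT result on 64-bit is no signal. */
int is_virtualized(void) {
    char sig[13];
    uintptr_t base;
    int rp = redpill_detect(&base);
    int cp = cpuid_hypervisor(sig);
    if (rp == VM_DETECTED || cp == VM_DETECTED) return VM_DETECTED;
    if (rp == VM_UNKNOWN && cp == VM_UNKNOWN) return VM_UNKNOWN;
    return VM_NOT_DETECTED;
}

int main(void) {
    char sig[13];
    uintptr_t base = 0;
    int rp = redpill_detect(&base);
    int cp = cpuid_hypervisor(sig);
    printf("sidt:  IDT base 0x%lx -> %d\n", (unsigned long)base, rp);
    printf("cpuid: present=%d signature=\"%s\" (%s)\n", cp, sig,
           vendor_from_signature(sig));
    printf("verdict: %d\n", is_virtualized());
    return 0;
}
```

Build with gcc -O2 -o vmcheck vmcheck.c and run it inside the domU and on bare metal to compare. Two caveats: the 0xd0 threshold was measured on 32-bit guests of 2004-era VMMs and is not a general rule, and on Linux kernels that enable UMIP a user-mode SIDT is trapped and answered with a spoofed base, so the Red Pill result is no longer meaningful there. The CPUID bit and leaf are present only when the hypervisor advertises them, so a negative result from either check proves nothing, which is the other half of Bryan's point: hiding is hard, but so is proving you are not hidden.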