
[Xen-devel] Using Xeno for Security Monitoring/Honeypots

  • To: <xen-devel@xxxxxxxxxxxxxxxxxxxxx>
  • From: "Barry Silverman" <barry@xxxxxxxxx>
  • Date: Thu, 13 Nov 2003 12:32:15 -0500
  • Delivery-date: Thu, 13 Nov 2003 17:30:56 +0000
  • Importance: Normal
  • List-id: List for Xen developers <xen-devel.lists.sourceforge.net>

I am a current user of UML as a means for securely logging and monitoring
Honeypot linuxes. UML has a number of features for jailing instances, or for
logging the use of system calls in a manner that can't be interfered with by
the guest OS.

After looking at Xeno, I am quite intrigued with its architecture and
performance vs UML. The hypervisor looks capable of securely logging and
alerting the outside world in a manner that a compromised guest cannot
detect or alter.

The state of the art in computer intrusion precludes the use of network
sniffing (as the intruder's traffic is encrypted using a private static
ssh), or trojaning logging calls into shells (as the intruders typically
supply their own static sash). The OS needs to have a mechanism for secretly
monitoring the plain-text commands that an intruder is executing.

How, in Xen, can you log kinds of activity (e.g. 'exec calls' including
arguments, or read/write calls to certain file descriptors)? My
understanding of how Xen works is that it allows the guest OS to directly
handle its own system call traps, and won't be able to intercept the system
calls executed by the intruder.

Merely trapping the system calls may not be enough. If an intruder (with
root access to the guest OS) is aware of these strategies, then they can
create their own Kernel Modules (which can be loaded even if LKMs aren't
configured), that have entry points to the underlying kernel code for
read/write/exec, and can call them using some other API than a system call.

I was wondering whether the Hypervisor can enable the 386 hardware debugging
trap registers, and use those to transparently find when the kernel is
executing a suitable low-level piece of kernel code, and then log that?
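
As an added illustration (not part of this message, and not Xen code), the following C models the two pieces of bookkeeping the hypervisor-side approach asked about above would need: building the DR7 control word that arms one of the four x86 debug-register slots as an execute breakpoint on a guest kernel address, and decoding DR6 after the resulting #DB trap to decide which slot fired and is worth logging. Loading the monitored address into DR0-DR3 itself requires ring 0 and is not done here; the DR6 value in `main` is a constructed sample.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Breakpoint condition codes for the R/Wn fields of DR7 (DR_IO needs CR4.DE). */
enum dr_kind { DR_EXEC = 0, DR_WRITE = 1, DR_IO = 2, DR_RW = 3 };

/* Return `dr7` with breakpoint slot 0-3 armed (local enable Ln) for `kind`
 * over `len` bytes. Execute breakpoints must use len 1 (LENn == 00).
 * Returns UINT64_MAX on invalid input. */
uint64_t dr7_arm(uint64_t dr7, int slot, enum dr_kind kind, int len) {
    uint64_t len_bits;
    if (slot < 0 || slot > 3) return UINT64_MAX;
    switch (len) {
        case 1: len_bits = 0; break;   /* LEN = 00: 1 byte */
        case 2: len_bits = 1; break;   /* LEN = 01: 2 bytes */
        case 4: len_bits = 3; break;   /* LEN = 11: 4 bytes */
        case 8: len_bits = 2; break;   /* LEN = 10: 8 bytes (64-bit mode only) */
        default: return UINT64_MAX;
    }
    if (kind == DR_EXEC && len != 1) return UINT64_MAX;
    dr7 &= ~((uint64_t)0xF << (16 + slot * 4));     /* clear R/Wn and LENn */
    dr7 |= ((uint64_t)kind << (16 + slot * 4));      /* R/Wn: condition */
    dr7 |= (len_bits << (18 + slot * 4));            /* LENn: size */
    dr7 |= (uint64_t)1 << (slot * 2);                /* Ln: local enable */
    return dr7;
}

/* After a #DB trap, return the lowest slot whose Bn bit is set in DR6 and
 * which is actually enabled in DR7, or -1 (e.g. a single-step or task-switch
 * trap). Bn can be set for a slot that is not enabled, so both are checked. */
int dr6_hit_slot(uint64_t dr6, uint64_t dr7) {
    for (int slot = 0; slot < 4; slot++) {
        bool hit = (dr6 >> slot) & 1;
        bool enabled = ((dr7 >> (slot * 2)) & 3) != 0;   /* Ln or Gn */
        if (hit && enabled) return slot;
    }
    return -1;
}

int main(void) {
    uint64_t dr7 = dr7_arm(0, 0, DR_EXEC, 1);   /* arm slot 0 as an execute breakpoint */
    /* Constructed DR6 as the CPU would report a slot-0 hit (bits 4-11 read as 1). */
    uint64_t dr6 = 0x0ff0ULL | 0x1ULL;
    int slot = dr6_hit_slot(dr6, dr7);
    if (slot >= 0)
        printf("log: guest hit execute breakpoint slot %d (DR7=0x%llx)\n", slot, (unsigned long long)dr7);
    return 0;
}
```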
