Re: [Xen-devel] Using Xeno for Security Monitoring/Honeypots
> I am a current user of UML as a means for securely logging and monitoring
> Honeypot linuxes. UML has a number of features for jailing instances, or for
> logging the use of system calls in a manner that can't be interfered with by
> the guest OS.
>
> After looking at Xeno, I am quite intrigued with its architecture and
> performance vs UML. The hypervisor looks capable of securely logging and
> alerting the outside world in a manner that a compromised guest cannot
> detect or alter.

Our preferred mechanism would be that the hypervisor sends log messages to a privileged (non honey pot) domain (e.g. domain0), then figures out what to do with them.

> How, in Xen, can you log kinds of activity (EG 'exec calls' including
> arguments, or read/write calls to certain file descriptors)? My
> understanding of how Xen works is that it allows the guest OS to directly
> handle its own system call traps, and won't be able to intercept the system
> calls executed by the intruder.

There's a couple of people currently thinking about how to use it for kernel debugging, fault injection and such like. The plan is to put together a standard interface to enable a privileged domain to 'mess with' other domains. Trapping system calls etc should be considered as part of that work.

> Merely trapping the system calls may not be enough. If an intruder (with
> root access to the guest OS) is aware of these strategies, then they can
> create their own Kernel Modules (which can be loaded even if LKM's aren't
> configured), that have entry points to the underlying kernel code for
> read/write/exec, and can call them using some other API than a system call
> trap.
>
> I was wondering whether the Hypervisor can enable the 386 hardware debugging
> trap registers, and use those to transparently find when the kernel is
> executing a suitable low-level piece of kernel code, and then log that?

Some thought is required, but the debug interface should certainly aim to support this kind of functionality.
Help wanted ;-)

Cheers,
Ian
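The hardware-breakpoint idea raised in the thread, as an added illustration that is not code from the thread or from Xen: how the 386 debug control register DR7 would be encoded so that a privileged domain can ask the hypervisor to arm an execution breakpoint on a guest kernel address, and how the hypervisor would read DR6 when the resulting #DB trap arrives to tell which slot fired and emit a log event. The function names and the sample address are assumptions; the ring-0 MOV to/from DR0-DR7 that installs the values is left out.

```c
#include <stdint.h>
#include <stdio.h>
/* DR7 layout (Intel SDM vol. 3, "Debug Registers"):
 *   bits 0-7    : L0,G0 .. L3,G3 local/global enable pairs
 *   bit  10     : reserved, reads as 1
 *   bits 16+4n  : R/W n (00 = execute, 01 = write, 11 = read/write)
 *   bits 18+4n  : LEN n (00 = 1 byte, 01 = 2, 11 = 4; must be 00 for execute)
 */
#define DR7_RESERVED_ONE (1u << 10)
#define DR7_RW_EXEC      0u
#define DR7_RW_WRITE     1u
#define DR7_RW_RDWR      3u

/* Return DR7 with slot idx (0-3) armed as a global breakpoint of the given
 * kind and length in bytes. Returns 0 on an invalid combination. */
uint32_t dr7_arm(uint32_t dr7, int idx, unsigned rw, unsigned len)
{
    unsigned len_bits;
    if (idx < 0 || idx > 3 || rw > 3 || rw == 2 ||
        (rw == DR7_RW_EXEC && len != 1))
        return 0;
    switch (len) {
    case 1: len_bits = 0; break;
    case 2: len_bits = 1; break;
    case 4: len_bits = 3; break;
    default: return 0;
    }
    dr7 &= ~(0xfu << (16 + 4 * idx));          /* clear old R/W and LEN */
    dr7 |= (rw | (len_bits << 2)) << (16 + 4 * idx);
    dr7 |= 1u << (1 + 2 * idx);                /* Gn: global enable */
    return dr7 | DR7_RESERVED_ONE;
}

/* When the #DB trap (vector 1) arrives, DR6 bits 0-3 (B0-B3) record which
 * slot fired. Returns the lowest hit slot, or -1 if none did. */
int dr6_hit_slot(uint32_t dr6)
{
    for (int i = 0; i < 4; i++)
        if (dr6 & (1u << i))
            return i;
    return -1;
}

int main(void)
{
    /* Constructed example: slot 0 fires when the guest kernel executes the
     * address loaded into DR0 (assumed 0xc0104a20, not shown here). */
    uint32_t dr7 = dr7_arm(0, 0, DR7_RW_EXEC, 1);
    printf("DR7 = %#x, DR6 = 0x1 -> slot %d\n", dr7, dr6_hit_slot(0x1));
    return 0;
}
```

A monitoring domain would pair each armed slot with the guest address it watches, so that the slot number recovered from DR6 maps straight back to "kernel entered sys_execve" in the log sent to domain0.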