Re: [Xen-devel] Using Xeno for Security Monitoring/Honeypots

> I am a current user of UML as a means for securely logging and monitoring
> honeypot Linuxes. UML has a number of features for jailing instances, or for
> logging the use of system calls in a manner that can't be interfered with by
> the guest OS.
> After looking at Xeno, I am quite intrigued with its architecture and
> performance vs UML. The hypervisor looks capable of securely logging and
> alerting the outside world in a manner that a compromised guest cannot
> detect or alter.

Our preferred mechanism would be that the hypervisor sends log
messages to a privileged (non-honeypot) domain (e.g. domain0),
then figures out what to do with them.

> How, in Xen, can you log kinds of activity (EG 'exec calls' including
> arguments, or read/write calls to certain file descriptors)? My
> understanding of how Xen works is that is allows the guest OS to directly
> handle its own system call traps, and won't be able to intercept the system
> calls executed by the intruder.

There are a couple of people currently thinking about how to use it
for kernel debugging, fault injection and the like. The plan is
to put together a standard interface to enable a privileged
domain to 'mess with' other domains. Trapping system calls etc.
should be considered part of that work.

> Merely trapping the system calls may not be enough. If an intruder (with
> root access to the guest OS) is aware of these strategies, then they can
> create their own kernel modules (which can be loaded even if LKMs aren't
> configured), that have entry points to the underlying kernel code for
> read/write/exec, and can call them using some other API than a system call
> trap.
> I was wondering whether the Hypervisor can enable the 386 hardware debugging
> trap registers, and use those to transparently find when the kernel is
> executing a suitable low-level piece of kernel code, and then log that?

Some thought is required, but the debug interface should
certainly aim to support this kind of functionality. Help wanted ;-)
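The thread asks whether a monitor outside the guest could arm the x86 debug registers so that a trap fires whenever the guest kernel reaches a particular routine, regardless of whether it got there through a syscall or through an attacker's own module. The following is an added example, not code from this thread or from Xen: it shows the register-level plumbing that any such monitor has to do (encoding DR7, pointing a DR0-DR3 slot at the code address, reading DR6 to see which slot fired), and uses Linux ptrace on a forked child as a stand-in for the privileged-domain/guest relationship, since the hypervisor-side interface discussed here did not exist yet. The names `watched_routine`, `watched_counter` and `dr7_set` are invented for the example.

```c
/*
 * Added example (not Xen code): x86 hardware execution breakpoints as a
 * monitoring hook. The parent plays the "privileged domain": it programs the
 * child's DR0 with the address of a routine and enables it in DR7; the CPU
 * traps on entry to that routine no matter how the child reached it.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* DR7 R/W field encodings (Intel SDM Vol. 3, "Debug Registers"). */
enum bp_type { BP_EXEC = 0x0, BP_WRITE = 0x1, BP_RW = 0x3 };

#define DR7_INVALID UINT64_MAX

/* DR7 LEN field: 1, 2, 4 bytes (8 only in 64-bit mode); -1 if unsupported. */
static int bp_len_bits(int len) {
    switch (len) {
    case 1: return 0x0; case 2: return 0x1; case 4: return 0x3; case 8: return 0x2;
    default: return -1;
    }
}

/* Return dr7 with slot idx (0..3) programmed for type/len and locally enabled.
 * Execution breakpoints must use LEN=00 (len 1); anything else is rejected. */
uint64_t dr7_set(uint64_t dr7, int idx, enum bp_type type, int len) {
    int lb = bp_len_bits(len);
    if (idx < 0 || idx > 3 || lb < 0) return DR7_INVALID;
    if (type == BP_EXEC && len != 1) return DR7_INVALID;
    dr7 &= ~(0xfULL << (16 + idx * 4));                      /* clear R/Wn, LENn */
    dr7 |= ((uint64_t)type | ((uint64_t)lb << 2)) << (16 + idx * 4);
    dr7 |= 1ULL << (idx * 2);                                 /* Ln: local enable */
    return dr7;
}

/* Which slot fired, from DR6 bits B0..B3; -1 if none (reserved bits ignored). */
int dr6_hit(uint64_t dr6) {
    for (int i = 0; i < 4; i++)
        if (dr6 & (1ULL << i)) return i;
    return -1;
}

#if defined(__linux__) && defined(__x86_64__)
#include <signal.h>
#include <stddef.h>
#include <sys/ptrace.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>

static volatile int watched_counter;

/* Stand-in for the kernel routine (exec path, read/write path) to be watched. */
__attribute__((noinline)) void watched_routine(void) {
    __asm__ __volatile__("" ::: "memory");
    watched_counter++;
}

static long poke_dr(pid_t pid, int n, uint64_t val) {
    return ptrace(PTRACE_POKEUSER, pid, offsetof(struct user, u_debugreg[n]), val);
}

int main(void) {
    pid_t pid = fork();
    if (pid < 0) { perror("fork"); return 1; }
    if (pid == 0) {                       /* monitored side */
        ptrace(PTRACE_TRACEME, 0, 0, 0);
        raise(SIGSTOP);                   /* let the monitor arm the registers */
        watched_routine();
        _exit(0);
    }
    int st;
    waitpid(pid, &st, 0);                 /* child is stopped at SIGSTOP */
    /* fork() preserves the mapping, so &watched_routine is the child's address too. */
    uint64_t dr7 = dr7_set(0, 0, BP_EXEC, 1);
    if (poke_dr(pid, 0, (uint64_t)(uintptr_t)watched_routine) || poke_dr(pid, 7, dr7)) {
        perror("ptrace(PTRACE_POKEUSER)");
        kill(pid, SIGKILL);
        return 1;
    }
    ptrace(PTRACE_CONT, pid, 0, 0);
    waitpid(pid, &st, 0);
    if (WIFSTOPPED(st) && WSTOPSIG(st) == SIGTRAP) {
        long dr6 = ptrace(PTRACE_PEEKUSER, pid, offsetof(struct user, u_debugreg[6]), 0);
        printf("trap on entry to watched_routine (DR6 slot %d)\n", dr6_hit((uint64_t)dr6));
        poke_dr(pid, 7, 0);               /* disarm so the child can finish */
    } else {
        printf("no breakpoint trap (wait status 0x%x)\n", st);
    }
    ptrace(PTRACE_CONT, pid, 0, 0);
    waitpid(pid, &st, 0);
    return 0;
}
#else
int main(void) { puts("ptrace demo is Linux x86-64 only; the DR6/DR7 helpers are portable"); return 0; }
#endif
```

Two caveats follow from the registers themselves rather than from this example. There are only four slots, so a monitor gets at most four watched code or data addresses per CPU; and a guest kernel that itself reads or writes DR0-DR7 (or a rootkit checking for them) will see or disturb the monitor's settings unless the hypervisor virtualizes those registers for the guest. An execution breakpoint is a fault that fires before the first byte of the routine runs, which is what makes it immune to the module trick described above: the attacker's entry point still has to reach the same code.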


