[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] Re: How to intercept memory operation in Xen

To: xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxx>
From: Abhinav Srivastava <abhinavs_iitkgp@xxxxxxxxxxx>
Date: Mon, 13 Nov 2006 20:18:18 +0000 (GMT)
Delivery-date: Mon, 13 Nov 2006 12:18:36 -0800
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.co.in; h=Message-ID:Received:Date:From:Subject:To:In-Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding; b=qLKI4maeevNVqDi1l5f0iYYSQaHerFRjUz1l77Y88wasoIUeWbtmxGpsczDhxlrTKLshWsL7yPGCSivEeK51i+1SUbAe2RQijMAoDLVB/avlQx2pUfkzqonbrEx/wiDeRlpQiIC7hI3/TnDhsamDQoTkE7b3thBRVF2MyhB5sZY= ;
List-id: Xen developer discussion <xen-devel.lists.xensource.com>

Thanks for your reply.

I know if user based application access to Kernel space memory, they will get the segfault. However, in many cases, there are vulnerabilities in the kernel and
that allows the hackers to write to the portion of kernel memory that could give them root privileges or arbitrary code execution. I would like to know the address at which applications are writing and if i could get the address of that memory location in dom0, i can check whether this address belongs to kernel memory or user memory. If it is the part of kernel memory, it should not be allowed.

So, in a sense I do not want to distinguish good/bad page faults. It is like page fault happens but for what address. Please let me know if i am soundig correct or not.

Can you please let me know if I would want to achieve this, how i should start? Is this difficult to achieve?

Also, I would like to know how to intercept hypercalls and system calls in Xen? It could be useful to provide system call and hypercalls logging mechanism. It would be great if you could provide me some pointers to start with.

Thanks,
Abhi

Anthony Liguori <aliguori@xxxxxxxxxx> wrote:

Abhinav Srivastava wrote:
>
> Hi all,
>
> I am new to the Xen and currently using Xen 3.0.3. My goal is to provide
> memory logging facility in Dom0. If any guest domain (DomU) application
> tries to access any memory area, I would like to know in dom0 what area
> they are accessing. So that if any user space applications try to access
> kernel memory then i can see in dom0 and using my detection system, i
> can say that it is illegal memory request as user space applications are
> not allowed to use kernel memory. I have three Qs related to this:

You would have a much easier time just modifying the Linux kernel. Xen
isn't going to help you much here.

> 1) Is this doable?

Exceptions do go through the hypervisor however page faults are not
usually a sign of something bad happening. Linux, for instance, uses
copy-on-write and on-demand paging which means in many circumstances,
page faults are not a sign of misuse of memory.

I don't think there's any generic way of identifying whether a page
fault is a "good" page fault or a "bad" page fault at the hypervisor
level. The hypervisor merely forwards the fault to the guest and the
guest then decides what action to take (update a page table, kill a
process, etc.). To complicate matters further, some apps catch SEGV and
handle it themselves. That makes the potential recovery behavior
totally non-deterministic. You could potentially try to track
heuristically whether a PTE update occurs after a page fault at the
hypervisor level but that would be easily defeatable (which means it
isn't useful for an IDS system). At the end of the day, you really have
to modify the domU kernel.

You should look at some of the bug reporting tools in Linux. They seem
to be doing something to hook all process crashes. Ubuntu has a new bug
crash tool that you could probably start with. This would put you in
domU userspace though...

Regards,

Anthony Liguori

> 2) If yes, how should I start with? Do i need to intercept hypercalls?
> If yes, how to do this?
>
> 3) To intercept memory operation, do i need to change in the Xen code?
> If yes, it would be great if you could point me exact file where changes
> are to be made.
>
> 4) Can it be done using some application or IDS in dom0 with some hooks
> without changing the Xen code?
>
> I would really appreciate your help.
>
> Thanks,
> Abhi
>
> ------------------------------------------------------------------------
> Find out what India is talking about on - Yahoo! Answers India
>
> Send FREE SMS to your friend's mobile from Yahoo! Messenger Version 8.
> Get it NOW
>
>
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Xen-devel mailing list
> Xen-devel@xxxxxxxxxxxxxxxxxxx
> http://lists.xensource.com/xen-devel

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel

Find out what India is talking about on - Yahoo! Answers India
Send FREE SMS to your friend's mobile from Yahoo! Messenger Version 8. Get it NOW

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel

Follow-Ups:
- RE: [Xen-devel] Re: How to intercept memory operation in Xen
  - From: Petersson, Mats

References:
- [Xen-devel] Re: How to intercept memory operation in Xen
  - From: Anthony Liguori

Prev by Date: Re: [Xen-devel] static ip for hvm's
Next by Date: [Xen-devel] [PATCH] [XEN][POWERPC] Change license on public/ headers from GPL to BSD
Previous by thread: [Xen-devel] Re: How to intercept memory operation in Xen
Next by thread: RE: [Xen-devel] Re: How to intercept memory operation in Xen
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.