[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] possible to do analysis at instruction level?



Hi George,

Thank you for the suggestions. My purpose is only want to watch what
guest is doing, but also modify its execution. For example, rewrite
operand of call *** instruction.  It seems there is no a general way
to do this(without modifying guest OS), which is natural since XEN is
meant to be a hypervisor instead of analysis tool.

VMSafe is SDK of VMWARE for guest security inspection. I think guests
running on XEN also have security concerns. It *might* be a good idea
to add security analysis tools that are not part of the hypervisor. I
am working on isolating malicious drivers into different address
space(s) so that malicious behaviors cannot impact guest OS.

Thanks,
John(Zhi)



2011/7/8 George Dunlap <george.dunlap@xxxxxxxxxxxxx>:
> Please reply to the list, so that everyone can benefit from our discussion.
> :-)
>  -George
>
> On 07/07/2011 04:27 PM, John Liu wrote:
>>
>> Hi George,
>>
>> Thank you for the suggestions. My purpose is only want to watch what
>> guest is doing, but also modify its execution. For example, rewrite
>> operand of call *** instruction.  It seems there is no a general way
>> to do this, which is natural since XEN is meant to be a hypervisor
>> instead of analysis tool.
>>
>> VMSafe is SDK of VMWARE for guest security inspection. I think guests
>> running on XEN also have security concerns. It *might* be a good idea
>> to add security analysis tools that are not part of the hypervisor. I
>> am working on isolating malicious drivers into different address
>> space(s) so that malicious behaviors cannot impact guest OS.
>>
>> Thanks,
>> John(Zhi)
>>
>>
>> 2011/7/7 George Dunlap<George.Dunlap@xxxxxxxxxxxxx>:
>>>
>>> Do you just want to see what the guest was doing?
>>>
>>> If so, you might look at a rather obscure debugging feature of the
>>> processors called "Branch Trace Store" (BTS).  Basically you set up
>>> some registers to point to an area of memory, and every time the cpu
>>> executes a branch, the BTS microcode will write the source and
>>> destination of those branches into the buffer.  When the buffer
>>> reaches a certain threshold, it will generate an exception, and the
>>> store can be emptied.
>>>
>>> You'd have to do your own modifications to Xen to deal with this.  I
>>> have some ancient (~2006) code I could give you for inspiration, but
>>> you're still going to need to basically implement the whole thing from
>>> scratch.
>>>
>>> Let me know if you want the code, and I'll give you a pointer to it.
>>> (Very much "as-is, caveat emptor" at this point.)
>>>
>>>  -George
>>>
>>> On Thu, Jul 7, 2011 at 4:20 AM, John Liu<bradevuu@xxxxxxxxx>  wrote:
>>>>
>>>> Hi,
>>>>
>>>> I'm going to use XEN to do some security analysis.
>>>>
>>>> In the context of VMX(or SVM), it is possible to do analysis at
>>>> instruction level? for example, intercept call/jmp, mov etc.  For
>>>> virtualization tools which use binary translation, we are able to do
>>>> that. In XEN, it's still possible?  I assume the nature of
>>>> para-virtualization and VMX does not provide such mechanism(users are
>>>> allowed to register new vm_exit events?).   Modify compiler(or guest
>>>> OS) to generate vm_exit for particular instructions? even that it
>>>> cannot work for HVM.  Maybe for API-level, things are easier..
>>>>
>>>> The motivation to do instruction-level analysis is OS level info such
>>>> as page table is coarse-grained.
>>>>
>>>> I really appreciate your suggestions and help.
>>>>
>>>> Best,
>>>> Liu
>>>>
>>>> _______________________________________________
>>>> Xen-devel mailing list
>>>> Xen-devel@xxxxxxxxxxxxxxxxxxx
>>>> http://lists.xensource.com/xen-devel
>>>>
>>
>>
>
>



-- 
Liu

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.