
Re: [Xen-devel] (no subject)


I'm finally to a point where I can start looking at this more closely. I'm trying to wrap my head around the shadow code to figure out the right course of action.

I'd want HVMOP_set_mem_access to work with both shadow and EPT, so I'd want things to work via p2m somehow. I think I understand this part.

* HVMOP_set_mem_access is used to change the p2m_access_t for the target page(s). This should already be implemented I think?
* During propagation, I'll check the p2m map to see if I should mask off any permission bits.
* On a shadow paging fault, I'll check if the fault was caused by p2m permissions, somehow integrating that with the code for read-only guest page tables safely.


* Just for background, am I correct in my understanding that the log_dirty code is used to track which gfns have been written to by the guest, in order to speed up migration?
* Are multiple shadow tables maintained per domain? Is there one per VCPU? One shadow table per guest page table? Is it blown away every time the guest changes CR3? I'm having some trouble tracking this down.
* How should I clear/update existing shadow entries after changing the p2m_access_t? Can I clear the shadow tables somehow and force everything to be repopulated? Is that insane?


On Thu, Nov 15, 2012 at 7:08 AM, Tim Deegan <tim@xxxxxxx> wrote:
Bcc: Tim Deegan <tjd-xen@xxxxxxxxxxxxxx>
Subject: Re: [Xen-devel] Guest memory access hooking
In-Reply-To: <CAG4Ohu_p-vVF9ZS01PeMqHvscCrrO+UDawK-noaaP8k+MuqHrQ@xxxxxxxxxxxxxx>


At 10:56 -0500 on 13 Nov (1352804161), Cutter 409 wrote:
> I'm trying to do some research with malware, and I'm trying to get
> notifications on arbitrary guest page accesses (similar to what Ether
> does.) I've noticed the mem-event API and it seems like it might be close
> to what I need, but I can't find much documentation about how it works or
> how to use it.

Yes, the mem-event api, and in particular the HVMOP_set_mem_access
hypercall, looks like what you want.  As you say, there isn't much
documentation for it, except the xen-access.c client and the mailing
list archive.

CC'ing Aravindh, who has worked on this code most recently and might be
able to help with specific questions.

> I know that that mem-event API works only with EPT, but is the code to
> change permissions modifying the guest page tables, or does it work via
> EPT? (Can the guest detect it?)

It works by EPT.  The guest can't detect it by looking at its pagetables
or page fault patterns, though it might be able to detect it by looking
at timings.

> I'm also interested in monitoring arbitrary page access via the shadow page
> tables. I've been reading through the code, but if anyone has any insight
> or some kind of push in the right direction, I'd really appreciate it.

Your best bet is to modify _sh_propagate.  Look at how it handles
shadow_mode_log_dirty() -- any time a writeable mapping is shadowed, the
shadow PTE is made read-only until the guest is actually doing a write,
then mark_dirty can be called.  You should be able to do the same thing
for other kinds of access.
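
The plan discussed in this thread (mask permission bits during shadow propagation, then decide on a shadow fault whether the p2m access setting or the guest's own page table caused it), sketched as a toy model. This is an added example, not part of the original messages and not Xen code: every name in it is hypothetical, and the PTE flags are simplified (no user/supervisor bit, no CR0.WP handling).

```c
/* Toy model of the plan above. Not Xen code: every name is hypothetical,
 * and the PTE flags are simplified (no user/supervisor bit, no CR0.WP). */
#include <stdint.h>
#include <stdio.h>

#define PTE_PRESENT 0x1u
#define PTE_RW      0x2u
#define PTE_NX      0x4u            /* stand-in for the real NX bit */

enum access { ACC_R = 1, ACC_W = 2, ACC_X = 4 };  /* rights the p2m entry grants */
enum fault_kind { FAULT_NONE, FAULT_GUEST, FAULT_ACCESS_EVENT };

/* Propagation step: derive shadow flags from the guest PTE, then mask
 * off whatever the p2m access setting forbids. */
static uint32_t propagate(uint32_t gflags, unsigned allowed)
{
    uint32_t s = gflags;
    if (!(gflags & PTE_PRESENT) || !(allowed & ACC_R))
        return 0;                   /* no read access: leave shadow not-present */
    if (!(allowed & ACC_W)) s &= ~PTE_RW;
    if (!(allowed & ACC_X)) s |= PTE_NX;
    return s;
}

/* Would a PTE with these flags let the access through? */
static int permits(uint32_t flags, enum access want)
{
    if (!(flags & PTE_PRESENT)) return 0;
    if (want == ACC_W) return (flags & PTE_RW) != 0;
    if (want == ACC_X) return (flags & PTE_NX) == 0;
    return 1;
}

/* Fault path: separate faults the guest would take anyway from faults
 * that exist only because of the p2m access mask. */
static enum fault_kind classify(uint32_t gflags, unsigned allowed, enum access want)
{
    if (permits(propagate(gflags, allowed), want)) return FAULT_NONE;
    if (!permits(gflags, want)) return FAULT_GUEST;   /* guest's own PTE forbids it */
    return FAULT_ACCESS_EVENT;                        /* only the p2m mask forbids it */
}

int main(void)
{
    /* Constructed case: guest maps the page writable, p2m allows read/execute only. */
    printf("%d\n", classify(PTE_PRESENT | PTE_RW, ACC_R | ACC_X, ACC_W));
    return 0;
}
```

The ordering in `classify` matters: checking the guest's own flags before reporting an access event keeps faults on read-only guest mappings going back to the guest rather than to the monitor.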


