xen-devel

[Xen-devel] Using Xeno for Security Monitoring/Honeypots

To: <xen-devel@xxxxxxxxxxxxxxxxxxxxx>
Subject: [Xen-devel] Using Xeno for Security Monitoring/Honeypots
From: "Barry Silverman" <barry@xxxxxxxxx>
Date: Thu, 13 Nov 2003 12:32:15 -0500
Delivery-date: Thu, 13 Nov 2003 17:30:56 +0000
Envelope-to: steven.hand@xxxxxxxxxxxx
Importance: Normal
List-archive: <http://sourceforge.net/mailarchive/forum.php?forum=xen-devel>
List-help: <mailto:xen-devel-request@lists.sourceforge.net?subject=help>
List-id: List for Xen developers <xen-devel.lists.sourceforge.net>
List-post: <mailto:xen-devel@lists.sourceforge.net>
List-subscribe: <https://lists.sourceforge.net/lists/listinfo/xen-devel>, <mailto:xen-devel-request@lists.sourceforge.net?subject=subscribe>
List-unsubscribe: <https://lists.sourceforge.net/lists/listinfo/xen-devel>, <mailto:xen-devel-request@lists.sourceforge.net?subject=unsubscribe>
Sender: xen-devel-admin@xxxxxxxxxxxxxxxxxxxxx

I am a current user of UML as a means for securely logging and monitoring
honeypot Linuxes. UML has a number of features for jailing instances, or for
logging the use of system calls in a manner that can't be interfered with by
the guest OS.

After looking at Xeno, I am quite intrigued with its architecture and
performance vs UML. The hypervisor looks capable of securely logging and
alerting the outside world in a manner that a compromised guest cannot
detect or alter.

The state of the art in computer intrusion precludes the use of network
sniffing (as the intruder's traffic is encrypted using a private static
ssh), or trojaning logging calls into shells (as the intruders typically
supply their own static sash). The OS needs to have a mechanism for secretly
monitoring the plain-text commands that an intruder is executing.

How, in Xen, can you log kinds of activity (e.g. 'exec calls' including
arguments, or read/write calls to certain file descriptors)? My
understanding of how Xen works is that it allows the guest OS to directly
handle its own system call traps, and won't be able to intercept the system
calls executed by the intruder.

Merely trapping the system calls may not be enough. If an intruder (with
root access to the guest OS) is aware of these strategies, then they can
create their own kernel modules (which can be loaded even if LKMs aren't
configured), that have entry points to the underlying kernel code for
read/write/exec, and can call them using some other API than a system call
trap.

I was wondering whether the Hypervisor can enable the 386 hardware debugging
trap registers, and use those to transparently find when the kernel is
executing a suitable low-level piece of kernel code, and then log that?
