WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
xen-devel

Re: [Xen-devel] Using Xeno for Security Monitoring/Honeypots

To: "Barry Silverman" <barry@xxxxxxxxx>
Subject: Re: [Xen-devel] Using Xeno for Security Monitoring/Honeypots
From: Ian Pratt <Ian.Pratt@xxxxxxxxxxxx>
Date: Fri, 14 Nov 2003 14:13:44 +0000
Cc: xen-devel@xxxxxxxxxxxxxxxxxxxxx, Ian.Pratt@xxxxxxxxxxxx
Delivery-date: Fri, 14 Nov 2003 14:14:25 +0000
Envelope-to: steven.hand@xxxxxxxxxxxx
In-reply-to: Your message of "Thu, 13 Nov 2003 12:32:15 EST." <IGEMLBGAECDFPIKMIMLCIEBDCFAA.barry@xxxxxxxxx>
List-archive: <http://sourceforge.net/mailarchive/forum.php?forum=xen-devel>
List-help: <mailto:xen-devel-request@lists.sourceforge.net?subject=help>
List-id: List for Xen developers <xen-devel.lists.sourceforge.net>
List-post: <mailto:xen-devel@lists.sourceforge.net>
List-subscribe: <https://lists.sourceforge.net/lists/listinfo/xen-devel>, <mailto:xen-devel-request@lists.sourceforge.net?subject=subscribe>
List-unsubscribe: <https://lists.sourceforge.net/lists/listinfo/xen-devel>, <mailto:xen-devel-request@lists.sourceforge.net?subject=unsubscribe>
Sender: xen-devel-admin@xxxxxxxxxxxxxxxxxxxxx
> I am a current user of UML as a means for securely logging and monitoring
> Honeypot linuxes. UML has a number of features for jailing instances, or for
> logging the use of system calls in a manner that can't be interfered with by
> the guest OS.
> 
> After looking at Xeno, I am quite intrigued with its architecture and
> performance vs UML. The hypervisor looks capable of securely logging and
> alerting the outside world in a manner that a compromised guest cannot
> detect or alter.

Our preferred mechanism would be that the hypervisor sends log
messages to a privileged (non honey pot) domain (e.g. domain0),
then figures out what to do with them.
 
> How, in Xen, can you log kinds of activity (e.g. 'exec calls' including
> arguments, or read/write calls to certain file descriptors)? My
> understanding of how Xen works is that it allows the guest OS to directly
> handle its own system call traps, and won't be able to intercept the system
> calls executed by the intruder.

There are a couple of people currently thinking about how to use it
for kernel debugging, fault injection and such like. The plan is
to put together a standard interface to enable a privileged
domain to 'mess with' other domains. Trapping system calls etc.
should be considered as part of that work.

> Merely trapping the system calls may not be enough. If an intruder (with
> root access to the guest OS) is aware of these strategies, then they can
> create their own kernel modules (which can be loaded even if LKMs aren't
> configured) that have entry points to the underlying kernel code for
> read/write/exec, and can call them using some other API than a system call
> trap.
> 
> I was wondering whether the Hypervisor can enable the 386 hardware debugging
> trap registers, and use those to transparently find when the kernel is
> executing a suitable low-level piece of kernel code, and then log that?

Some thought is required, but the debug interface should
certainly aim to support this kind of functionality. Help wanted ;-)

Cheers,
Ian

