xen-devel

RE: [Xen-devel] How to intercept memory operation in Xen

To: "Abhinav Srivastava" <abhinavs_iitkgp@xxxxxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxx
Subject: RE: [Xen-devel] How to intercept memory operation in Xen
From: "Petersson, Mats" <Mats.Petersson@xxxxxxx>
Date: Mon, 13 Nov 2006 19:08:01 +0100
 

> -----Original Message-----
> From: xen-devel-bounces@xxxxxxxxxxxxxxxxxxx 
> [mailto:xen-devel-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of 
> Abhinav Srivastava
> Sent: 13 November 2006 17:26
> To: xen-devel@xxxxxxxxxxxxxxxxxxx
> Subject: [Xen-devel] How to intercept memory operation in Xen
> 
> 
> Hi all,
> 
> I am new to Xen and currently using Xen 3.0.3. My goal is 
> to provide a memory logging facility in Dom0. If any guest 
> domain (DomU) application tries to access any memory area, I 
> would like to know in dom0 what area they are accessing. So 
> that if any user space applications try to access kernel 
> memory then I can see in dom0 and using my detection system, 
> I can say that it is an illegal memory request as user space 
> applications are not allowed to use kernel memory. I have 
> three Qs related to this:
> 
> 1) Is this doable?

Yes and no. There is already this check in Linux, so I guess you'd have
to undo that check first, which would probably break a few things, which
makes it a lot harder... 

If I write in a (32-bit x86) application:

int main() {
        int *p = (int *) 0xc0100000;  /* Typical kernel address */

        *p = 47;
}

This application would seg-fault.


> 
> 2) If yes, how should I start? Do I need to intercept 
> hypercalls? If yes, how to do this?

Probably not in itself. You'd have to modify the memory handling within
Xen to capture accesses to memory. 
> 
> 3) To intercept memory operations, do I need to change the 
> Xen code? If yes, it would be great if you could point me to the 
> exact file where changes are to be made.

Yes, you need to set every page read-only, and on the page-fault that
occurs when you get a write, you need to fix up the fault, then somehow
fix it back again to be read-only. The easiest way of doing that is
probably to use the x86_emulate.c to emulate the instruction. The
page-fault caused by a memory access to read-only memory ends up in
traps.c. 

> 
> 4) Can it be done using some application or IDS in dom0 with 
> some hooks without changing the Xen code?

Well, as I started out, Linux already prevents user-mode access to
kernel memory as it is, so I'm not sure exactly what you're trying to
fix... 

I presume you don't mean pages that are mapped BOTH to User-mode and
Kernel-mode. It is entirely possible and valid for the kernel to have a
different mapping than the user-mode code for the same memory area, and
it's entirely possible, but not particularly good practice, to share
access between those two mappings. Say for example we have some code
that does this:

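#include <fcntl.h>
#include <stdlib.h>
#include <unistd.h>

void some_func(const char *somefile)
{
        char *b = malloc(512);          /* user-space buffer */
        int fd;

        fd = open(somefile, O_WRONLY | O_NONBLOCK);
        write(fd, b, 512);
        free(b);                        /* freed as soon as write() returns */
        close(fd);
}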

Now, consider that the write may not have finished by the time we free
the buffer. What should the kernel do at this time? Abort the write -
perhaps not possible, we may have STARTED it. 

The safe thing to do is to either copy the data, or map it a second
time, and when the free-call is made, it's only freeing the user-visible
side of the memory allocation, leaving the kernel mode one still valid.
[I'm not saying that this is how it's done in Linux, just saying that
it's POSSIBLE]. 

--
Mats
> 
> I would really appreciate your help.
> 
> Thanks,
> Abhi
> 
> 



_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
