> -----Original Message-----
> From: xen-devel-bounces@xxxxxxxxxxxxxxxxxxx
> [mailto:xen-devel-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of
> Abhinav Srivastava
> Sent: 13 November 2006 20:18
> To: xen-devel
> Subject: Re: [Xen-devel] Re: How to intercept memory operation in Xen
>
>
> Thanks for your reply.
>
> I know if user based application access to Kernel space
> memory, they will get the segfault. However, in many cases,
> there are vulnerabilities in the kernel and
> that allows the hackers to write to the portion of kernel
> memory that could give them root privileges or arbitrary code
> execution. I would like to know the address at which
> applications are writing and if i could get the address of
> that memory location in dom0, i can check whether this
> address belongs to kernel memory or user memory. If it is the
> part of kernel memory, it should not be allowed.
But those, generally, happen in kernel mode, so it's not actually
user-mode code writing to kernel memory, but rather the kernel.
Something like this:
In user-mode:
some_system_call(buffer, 2123); /* 123 bytes too many! */
...
In kernel:
some_system_call(char *buffer, int size)
{
char temp_buffer[2000];
for(n =0; n < size; n++)
temp_buffer[n] = buffer[n];
}
Obviously, this _SHOULD_ be range-checked to ensure that the size is
less than or equal to sizeof(temp_buffer), but it isn't done, so the
calling code can cause some data on the stack to be overwritten. The
code in the kernel is often much more complex than this, but that is not
changing the way it works, just how hard it is to spot the problem.
There are obviously many different variants on this theme, but the
conclusion is that the user-mode code is prevented from writing to
kernel memory - however, kernel code can, should and will write to
kernel memory - it just shouldn't have bugs.
I very much doubt that any process that intercepts memory operations
generically will be able to catch this. There are functionality in the
compiler to automagically range-check stack usage and array usage, which
is probably a more efficient method of figuring these things out.
Of course, you may think of some other types of vulnerabilities - but I
think 99% of all User-mode writing kernel memory is actually making use
of code within the kernel, rather than accessing kernel memory from
user-mode as such.
--
Mats
>
> So, in a sense I do not want to distinguish good/bad page
> faults. It is like page fault happens but for what address.
> Please let me know if i am soundig correct or not.
>
> Can you please let me know if I would want to achieve this,
> how i should start? Is this difficult to achieve?
>
> Also, I would like to know how to intercept hypercalls and
> system calls in Xen? It could be useful to provide system
> call and hypercalls logging mechanism. It would be great if
> you could provide me some pointers to start with.
>
> Thanks,
> Abhi
>
> Anthony Liguori <aliguori@xxxxxxxxxx> wrote:
>
> Abhinav Srivastava wrote:
> >
> > Hi all,
> >
> > I am new to the Xen and currently using Xen 3.0.3. My
> goal is to provide
> > memory logging facility in Dom0. If any guest domain
> (DomU) application
> > tries to access any memory area, I would like to know
> in dom0 what area
> > they are accessing. So that if any user space
> applications try to access
> > kernel memory then i can see in dom0 and using my
> detection system, i
> > can say that it is illegal memory request as user
> space applications are
> > not allowed to use kernel memory. I have three Qs
> related to this:
>
> You would have a much easier time just modifying the
> Linux kernel. Xen
> isn't going to help you much here.
>
> > 1) Is this doable?
>
> Exceptions do go through the hypervisor however page
> faults are not
> usually a sign of something bad happening. Linux, for
> instance, uses
> copy-on-write and on-demand paging which means in many
> circumstances,
> page faults are not a sign of misuse of memory.
>
> I don't think there's any generic way of identifying
> whether a page
> fault is a "good" page fault or a "bad" page fault at
> the hypervisor
> level. The hypervisor merely forwards the fault to the
> guest and the
> guest then decides what action to take (update a page
> table, kill a
> process, etc.). To complicate matters further, some
> apps catch SEGV and
> handle it themselves. That makes the potential recovery
> behavior
> totally non-deterministic. You could potentially try to track
> heuristically whether a PTE update occurs after a page
> fault at the
> hypervisor level but that would be easily defeatable
> (which means it
> isn't useful for an IDS system). At the end of the day,
> you really have
> to modify the domU kernel.
>
> You should look at some of the bug reporting tools in
> Linux. They seem
> to be doing something to hook all process crashes.
> Ubuntu has a new bug
> crash tool that you could probably start with. This
> would put you in
> domU userspace though...
>
> Regards,
>
> Anthony Liguori
>
> > 2) If yes, how should I start with? Do i need to
> intercept hypercalls?
> > If yes, how to do this?
> >
> > 3) To intercept memory operation, do i need to change
> in the Xen code?
> > If yes, it would be great if you could point me exact
> file where changes
> > are to be made.
> >
> > 4) Can it be done using some application or IDS in
> dom0 with some hooks
> > without changing the Xen code?
> >
> > I would really appreciate your help.
> >
> > Thanks,
> > Abhi
> >
> >
> --------------------------------------------------------------
> ----------
> > Find out what India is talking about on - Yahoo!
> Answers India
> >
> > Send FREE SMS to your friend's mobile from Yahoo!
> Messenger Version 8.
> > Get it NOW
> >
> >
> >
> >
> >
> --------------------------------------------------------------
> ----------
> >
> > _______________________________________________
> > Xen-devel mailing list
> > Xen-devel@xxxxxxxxxxxxxxxxxxx
> > http://lists.xensource.com/xen-devel
>
>
> _______________________________________________
> Xen-devel mailing list
> Xen-devel@xxxxxxxxxxxxxxxxxxx
> http://lists.xensource.com/xen-devel
>
>
>
> ________________________________
>
> Find out what India is talking about on - Yahoo! Answers
> India
> <http://us.rd.yahoo.com/mail/in/yanswers/*http://in.answers.ya
> hoo.com/>
> Send FREE SMS to your friend's mobile from Yahoo! Messenger
> Version 8. Get it NOW
> <http://us.rd.yahoo.com/mail/in/messengertagline/*http://in.me
> ssenger.yahoo.com>
>
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
|