WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 		  
Home Products Support Community News
 
   
 

xense-devel

[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Xense-devel] xenwatch and xenswitch processes

from [Bryan D. Payne] [Permanent Link][Original]
To: "Joop Boonen" <joop_boonen@xxxxxx>
Subject: Re: [Xense-devel] xenwatch and xenswitch processes
From: "Bryan D. Payne" <bryan@xxxxxxxxxxxx>
Date: Tue, 18 Jul 2006 08:41:07 -0400
Cc: xense-devel@xxxxxxxxxxxxxxxxxxx
Delivery-date: Tue, 18 Jul 2006 05:41:22 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
In-reply-to: <36454.62.140.134.15.1153223150.squirrel@xxxxxxxxxxxxxxxxxxxxx>
List-help: <mailto:xense-devel-request@lists.xensource.com?subject=help>
List-id: "A discussion list for those developing security enhancements for Xen." <xense-devel.lists.xensource.com>
List-post: <mailto:xense-devel@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xense-devel>, <mailto:xense-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xense-devel>, <mailto:xense-devel-request@lists.xensource.com?subject=unsubscribe>
References: <36454.62.140.134.15.1153223150.squirrel@xxxxxxxxxxxxxxxxxxxxx>
Sender: xense-devel-bounces@xxxxxxxxxxxxxxxxxxx
I have the following question. I've used xen what i see in a DomU is the 
xenswitch and xenwatch processes. When i have users on a system or a
firewall on DomU is hacked they know it's running on xen. Is there a way 
to not show/hide these processes?
While you might be able to hide the processes (e.g., using a rootkit), I think that there's a larger issue here. It sounds like you're goal is to completely hide the fact that a machine is running in a domU. And, for better or worse, this is very hard to do.
Consider, for example, Red Pill. This small program can detect when it's running in a virtualized environment: 

http://invisiblethings.org/papers/redpill.html

Cheers,
bryan


-
Bryan D. Payne
Graduate Student, Computer Science
Georgia Tech Information Security Center
http://www.bryanpayne.org

Attachment: smime.p7s
Description: S/MIME cryptographic signature

_______________________________________________
Xense-devel mailing list
Xense-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xense-devel
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Xense-devel] xenwatch and xenswitch processes, Joop Boonen
Next by Date:  Re: [Xen-devel] [PATCH][ACM] kernel enforcement of vbd policies via blkback driver, Reiner Sailer
Previous by Thread:  [Xense-devel] xenwatch and xenswitch processes, Joop Boonen
Next by Thread:  Re: [Xen-devel] [PATCH][ACM] kernel enforcement of vbd policies via blkback driver, Reiner Sailer
Indexes:  [Date] [Thread] [Top] [All Lists]
 
   

Copyright , Citrix Systems Inc. All rights reserved. Legal and Privacy