> -----Original Message-----
> From: Sanjam Garg [mailto:sanjamg@xxxxxxxxx]
> Sent: 28 February 2007 18:09
> To: Petersson, Mats
> Cc: xen-devel@xxxxxxxxxxxxxxxxxxx
> Subject: RE: [Xen-devel] xen strace analysis
>
> Hi
>
> Thanks for the quick reply. There is an issue here. Since I
> intend to do system call analysis, doing it from within domU
> prevents my IDS from being independent of the kernel integrity.
> Doing it in the dom0 and using a small agent in the domU does
> not help assure that information received from domU is not
> tainted. I understand that direct information of system calls
> is not possible. Nonetheless, is there a way I can
> extrapolate information about the system call analysis from
> the low level information in Xen?
> UML (User Mode Linux) does help achieve such functionality as
> per the paper.
> (http://www.laureano.eti.br/projetos/vmids/vmids_euromicro.pdf)
But Xen doesn't have any idea what the system calls are - there's no
interaction into Xen when most system calls are performed - so how will
Xen help you then? It's like lying in a tunnel under the road trying to
determine from the noise the tyres make what make of car is driving on
the road above - you may be able to tell the difference between a lorry
(large truck) and an ordinary car, but not between a Mercedes, Ford,
Volvo or BMW.
You will have to use some other method.
--
Mats
>
>
> Sanjam
>
> "Petersson, Mats" <Mats.Petersson@xxxxxxx> wrote:
>
>
>
> > -----Original Message-----
> > From: xen-devel-bounces@xxxxxxxxxxxxxxxxxxx
> > [mailto:xen-devel-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of
> > Sanjam Garg
> > Sent: 28 February 2007 17:38
> > To: xen-devel@xxxxxxxxxxxxxxxxxxx
> > Subject: [Xen-devel] xen strace analysis
> >
> > Hi
> >
> > I am looking for a mechanism to gather information about
> > system calls that a guest Operating system is making. Any
> > references for development of IDS's with Xen would also help.
>
> Xen doesn't have any clue what system calls the guest-OS is making (and
> should not know this). Xen itself only gets involved for certain special
> operations which, generally, either deal with page-table
> (memory-mapping) handling or inter-domain communication (event-channel),
> and of course domain life-cycle (creating, destroying, pausing and
> unpausing, save and restore, and migration). With a few other
> exceptions, everything else is handled within the guest itself. That's
> for the para-virtual case. In a fully-virtualized domain, there's even
> less knowledge of what's going on in the guest.
>
> So whilst the hypervisor may be able to surmise from this knowledge that
> a guest changed its pagetables around, it's not sufficiently aware of
> WHY to say whether that was done because of a fork, mmap or malloc call
> for example. It can determine that some communication happened between
> the guest and dom0, but not whether it's a file-read or a socket network
> operation, etc, etc.
>
> The only way to know what the guest is doing is to sit inside the
> guest-OS and perform something like strace (I think there are some ways
> to do a "system-wide strace", so you'd see exactly which system calls
> are done by which process).
>
> --
> Mats
> >
> > Thanks
> > Sanjam
> >
> >
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
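Mats's conclusion is that the hypervisor only sees page-table and event-channel activity, so a system-call IDS for a Xen guest has to be fed by an in-guest, system-wide strace-style trace. The following Python is an added example (not code from the thread, from Xen, or from the paper Sanjam cites) of the consumer side of that approach: it parses `strace -f`-style lines into per-process syscall histograms, the usual baseline input for an anomaly-based IDS, and flags repeated permission-denied file opens. The line layout (`pid  name(args) = ret [ERRNO]`) is an assumption about strace's default output, and the trace text is constructed, not captured from a real guest.

```python
import re
from collections import Counter, defaultdict, namedtuple

# One parsed trace record. Assumption: this mirrors the fields of a
# default `strace -f` line; it is not a format defined by Xen or strace docs.
Event = namedtuple("Event", "pid name args ret errno")

# Matches "<pid>  <syscall>(<args>) = <ret>" with an optional errno symbol.
# Signal notifications ("--- SIGCHLD ... ---") and "<unfinished ...>" lines
# do not match and are skipped on purpose.
STRACE_LINE = re.compile(
    r"^(?P<pid>\d+)\s+(?P<name>[a-z_][a-z0-9_]*)\((?P<args>.*)\)\s*=\s*"
    r"(?P<ret>-?\d+|\?)(?:\s+(?P<errno>E[A-Z]+))?"
)

# Constructed sample of a system-wide trace: two processes, one of which
# repeatedly tries to read a file it is not allowed to open.
SAMPLE_TRACE = """\
1201  openat(AT_FDCWD, "/etc/hosts", O_RDONLY) = 3
1201  read(3, "127.0.0.1 localhost\\n", 4096) = 20
1201  close(3)                          = 0
1202  socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 4
1202  connect(4, {sa_family=AF_INET, sin_port=htons(80)}, 16) = 0
1202  openat(AT_FDCWD, "/etc/shadow", O_RDONLY) = -1 EACCES (Permission denied)
1202  openat(AT_FDCWD, "/etc/shadow", O_RDONLY) = -1 EACCES (Permission denied)
1202  --- SIGCHLD {si_signo=SIGCHLD} ---
1201  exit_group(0)                     = ?
"""


def parse_trace(text):
    """Return a list of Event records, one per parsable trace line."""
    events = []
    for line in text.splitlines():
        m = STRACE_LINE.match(line)
        if m is None:
            continue  # signal lines, unfinished calls, strace banners
        events.append(Event(int(m["pid"]), m["name"], m["args"], m["ret"], m["errno"]))
    return events


def syscall_histogram(events):
    """Per-pid syscall frequency profile: {pid: Counter({name: count})}.

    A profile like this, collected over a training period, is what
    sequence- or frequency-based syscall IDS designs compare against.
    """
    hist = defaultdict(Counter)
    for ev in events:
        hist[ev.pid][ev.name] += 1
    return hist


def denied_access(events, min_count=2):
    """Return {pid: count} for processes with at least min_count EACCES
    failures; repeated denied opens are a cheap, low-noise anomaly signal
    that only an in-guest trace can attribute to a process."""
    denied = Counter(ev.pid for ev in events if ev.errno == "EACCES")
    return {pid: n for pid, n in denied.items() if n >= min_count}


if __name__ == "__main__":
    evs = parse_trace(SAMPLE_TRACE)
    for pid, counts in sorted(syscall_histogram(evs).items()):
        print(pid, dict(counts))
    print("repeated EACCES:", denied_access(evs))
```

The parser deliberately ignores lines it cannot attribute to a (pid, syscall) pair rather than guessing; an IDS that silently mis-attributes a call is worse than one that reports a gap.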