Hi George,
Thank you for the suggestions. My purpose is not only to watch what the
guest is doing, but also to modify its execution. For example, rewriting
the operand of a call *** instruction. It seems there is no general way
to do this (without modifying the guest OS), which is natural since XEN is
meant to be a hypervisor instead of an analysis tool.
VMSafe is an SDK from VMware for guest security inspection. I think guests
running on XEN also have security concerns. It *might* be a good idea
to add security analysis tools that are not part of the hypervisor. I
am working on isolating malicious drivers into different address
space(s) so that malicious behaviors cannot impact the guest OS.
Thanks,
John (Zhi)
2011/7/8 George Dunlap <george.dunlap@xxxxxxxxxxxxx>:
> Please reply to the list, so that everyone can benefit from our discussion.
> :-)
> -George
>
> On 07/07/2011 04:27 PM, John Liu wrote:
>>
>> Hi George,
>>
>> Thank you for the suggestions. My purpose is not only to watch what the
>> guest is doing, but also to modify its execution. For example, rewriting
>> the operand of a call *** instruction. It seems there is no general way
>> to do this, which is natural since XEN is meant to be a hypervisor
>> instead of an analysis tool.
>>
>> VMSafe is an SDK from VMware for guest security inspection. I think guests
>> running on XEN also have security concerns. It *might* be a good idea
>> to add security analysis tools that are not part of the hypervisor. I
>> am working on isolating malicious drivers into different address
>> space(s) so that malicious behaviors cannot impact the guest OS.
>>
>> Thanks,
>> John (Zhi)
>>
>>
>> 2011/7/7 George Dunlap<George.Dunlap@xxxxxxxxxxxxx>:
>>>
>>> Do you just want to see what the guest was doing?
>>>
>>> If so, you might look at a rather obscure debugging feature of the
>>> processors called "Branch Trace Store" (BTS). Basically you set up
>>> some registers to point to an area of memory, and every time the cpu
>>> executes a branch, the BTS microcode will write the source and
>>> destination of those branches into the buffer. When the buffer
>>> reaches a certain threshold, it will generate an exception, and the
>>> store can be emptied.
>>>
>>> You'd have to do your own modifications to Xen to deal with this. I
>>> have some ancient (~2006) code I could give you for inspiration, but
>>> you're still going to need to basically implement the whole thing from
>>> scratch.
>>>
>>> Let me know if you want the code, and I'll give you a pointer to it.
>>> (Very much "as-is, caveat emptor" at this point.)
>>>
>>> -George
>>>
>>> On Thu, Jul 7, 2011 at 4:20 AM, John Liu<bradevuu@xxxxxxxxx> wrote:
>>>>
>>>> Hi,
>>>>
>>>> I'm going to use XEN to do some security analysis.
>>>>
>>>> In the context of VMX (or SVM), is it possible to do analysis at the
>>>> instruction level? For example, intercept call/jmp, mov, etc. For
>>>> virtualization tools which use binary translation, we are able to do
>>>> that. In XEN, is it still possible? I assume the nature of
>>>> para-virtualization and VMX does not provide such a mechanism (are users
>>>> allowed to register new vm_exit events?). Modify the compiler (or guest
>>>> OS) to generate a vm_exit for particular instructions? Even that
>>>> cannot work for HVM. Maybe at the API level, things are easier..
>>>>
>>>> The motivation for doing instruction-level analysis is that OS-level info
>>>> such as the page table is coarse-grained.
>>>>
>>>> I really appreciate your suggestions and help.
>>>>
>>>> Best,
>>>> Liu
>>>>
>>>> _______________________________________________
>>>> Xen-devel mailing list
>>>> Xen-devel@xxxxxxxxxxxxxxxxxxx
>>>> http://lists.xensource.com/xen-devel
>>>>
>>
>>
>
>
--
Liu
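The Branch Trace Store buffer George describes, as an added example that is not part of this thread or of Xen: a C walk over a constructed DS area and record buffer (record and DS-area layout per Intel's documentation) that counts branches leaving a monitored code range and checks whether the interrupt threshold has been reached. The driver address range and the sample records are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
/* BTS record as stored in 64-bit mode (Intel SDM): source, destination, and a
 * flags word whose bit 4 is set when the branch was predicted. */
typedef struct { uint64_t from; uint64_t to; uint64_t flags; } bts_record_t;
/* BTS fields at the head of the DS buffer management area (IA32_DS_AREA);
 * the PEBS fields that follow in the real layout are omitted here. */
typedef struct {
    uint64_t bts_buffer_base;         /* first record slot */
    uint64_t bts_index;               /* where the next record will land */
    uint64_t bts_absolute_max;        /* one past the last slot */
    uint64_t bts_interrupt_threshold; /* crossing it raises the interrupt */
} ds_area_bts_t;

/* Count recorded branches that leave the monitored range [lo, hi): a cheap
 * "did the isolated driver transfer control elsewhere?" check. */
size_t count_escapes(const ds_area_bts_t *ds, uint64_t lo, uint64_t hi) {
    const bts_record_t *rec = (const bts_record_t *)(uintptr_t)ds->bts_buffer_base;
    const bts_record_t *end = (const bts_record_t *)(uintptr_t)ds->bts_index;
    size_t n = 0;
    for (; rec < end; rec++) {
        int from_in = rec->from >= lo && rec->from < hi;
        int to_in   = rec->to   >= lo && rec->to   < hi;
        if (from_in && !to_in) n++;
    }
    return n;
}
/* Nonzero once the store should be drained (index reached the threshold). */
int threshold_reached(const ds_area_bts_t *ds) {
    return ds->bts_index >= ds->bts_interrupt_threshold;
}

/* Constructed sample: 8-slot buffer, 4 records written, as if a hypothetical
 * driver mapped at 0x401000-0x402000 had been traced. */
static bts_record_t sample_buf[8] = {
    {0x401000, 0x401020, 0x10}, /* call within the driver, predicted */
    {0x401020, 0x7ff000, 0x00}, /* driver -> elsewhere: escape */
    {0x7ff010, 0x401040, 0x10}, /* return into the driver: not an escape */
    {0x401040, 0x000090, 0x00}, /* driver -> elsewhere: escape */
};

static ds_area_bts_t sample_ds(void) {
    uint64_t base = (uint64_t)(uintptr_t)sample_buf;
    ds_area_bts_t ds = { base, base + 4 * sizeof(bts_record_t),
                         base + 8 * sizeof(bts_record_t), base + 6 * sizeof(bts_record_t) };
    return ds;
}

size_t demo_escapes(void)   { ds_area_bts_t d = sample_ds(); return count_escapes(&d, 0x401000, 0x402000); }
int    demo_threshold(void) { ds_area_bts_t d = sample_ds(); return threshold_reached(&d); }
```

With the sample buffer, two of the four recorded branches leave the driver's range and the threshold has not yet been crossed, so the store would not need draining.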