WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 
 
Home Products Support Community News
 
   
 

xen-devel

Re: [Xen-devel] possible to do analysis at instruction level?

To: xen-devel@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Xen-devel] possible to do analysis at instruction level?
From: "John(Zhi) Liu" <bradevuu@xxxxxxxxx>
Date: Fri, 8 Jul 2011 10:37:27 -0400
Delivery-date: Fri, 08 Jul 2011 07:38:35 -0700
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type:content-transfer-encoding; bh=GvbnUSp80joNcAKtFLy+HNgTqGbuxTHJArcVVdPKDXI=; b=nP43rWnkLS5cg4lL9lhV9VWh/DJku+3lC1CQlufz0pCSr8MVoj0DayuhsJcORbhN+N muB8ZEb3gyNapAU/7FrJvEFqUEBueGCYDIh4LqQ5lK4qLpRN1iIpbqiRbq/h/DLAYWcr tc2Nc+7pDBY7Oglj5966JBQY0SE0k+HJFsmmg=
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <4E16C395.6070305@xxxxxxxxxxxxx>
List-help: <mailto:xen-devel-request@lists.xensource.com?subject=help>
List-id: Xen developer discussion <xen-devel.lists.xensource.com>
List-post: <mailto:xen-devel@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe>
References: <CADpQrfQt07V2iRb6Durc_kn_tEVZG6f47sRz3RT1TLoQrJtf_A@xxxxxxxxxxxxxx> <CAFLBxZYohB-_fm4nWxsLBqQzH-Lfr+on06KrjpLPn4gdiKzNtg@xxxxxxxxxxxxxx> <CADpQrfThg+iU1q0zfonLSTYLsQtzk-ZG++unNFrgO4LUgnO3kA@xxxxxxxxxxxxxx> <4E16C395.6070305@xxxxxxxxxxxxx>
Sender: xen-devel-bounces@xxxxxxxxxxxxxxxxxxx
Hi George,

Thank you for the suggestions. My purpose is only want to watch what
guest is doing, but also modify its execution. For example, rewrite
operand of call *** instruction.  It seems there is no a general way
to do this(without modifying guest OS), which is natural since XEN is
meant to be a hypervisor instead of analysis tool.

VMSafe is SDK of VMWARE for guest security inspection. I think guests
running on XEN also have security concerns. It *might* be a good idea
to add security analysis tools that are not part of the hypervisor. I
am working on isolating malicious drivers into different address
space(s) so that malicious behaviors cannot impact guest OS.

Thanks,
John(Zhi)



2011/7/8 George Dunlap <george.dunlap@xxxxxxxxxxxxx>:
> Please reply to the list, so that everyone can benefit from our discussion.
> :-)
>  -George
>
> On 07/07/2011 04:27 PM, John Liu wrote:
>>
>> Hi George,
>>
>> Thank you for the suggestions. My purpose is only want to watch what
>> guest is doing, but also modify its execution. For example, rewrite
>> operand of call *** instruction.  It seems there is no a general way
>> to do this, which is natural since XEN is meant to be a hypervisor
>> instead of analysis tool.
>>
>> VMSafe is SDK of VMWARE for guest security inspection. I think guests
>> running on XEN also have security concerns. It *might* be a good idea
>> to add security analysis tools that are not part of the hypervisor. I
>> am working on isolating malicious drivers into different address
>> space(s) so that malicious behaviors cannot impact guest OS.
>>
>> Thanks,
>> John(Zhi)
>>
>>
>> 2011/7/7 George Dunlap<George.Dunlap@xxxxxxxxxxxxx>:
>>>
>>> Do you just want to see what the guest was doing?
>>>
>>> If so, you might look at a rather obscure debugging feature of the
>>> processors called "Branch Trace Store" (BTS).  Basically you set up
>>> some registers to point to an area of memory, and every time the cpu
>>> executes a branch, the BTS microcode will write the source and
>>> destination of those branches into the buffer.  When the buffer
>>> reaches a certain threshold, it will generate an exception, and the
>>> store can be emptied.
>>>
>>> You'd have to do your own modifications to Xen to deal with this.  I
>>> have some ancient (~2006) code I could give you for inspiration, but
>>> you're still going to need to basically implement the whole thing from
>>> scratch.
>>>
>>> Let me know if you want the code, and I'll give you a pointer to it.
>>> (Very much "as-is, caveat emptor" at this point.)
>>>
>>>  -George
>>>
>>> On Thu, Jul 7, 2011 at 4:20 AM, John Liu<bradevuu@xxxxxxxxx>  wrote:
>>>>
>>>> Hi,
>>>>
>>>> I'm going to use XEN to do some security analysis.
>>>>
>>>> In the context of VMX(or SVM), it is possible to do analysis at
>>>> instruction level? for example, intercept call/jmp, mov etc.  For
>>>> virtualization tools which use binary translation, we are able to do
>>>> that. In XEN, it's still possible?  I assume the nature of
>>>> para-virtualization and VMX does not provide such mechanism(users are
>>>> allowed to register new vm_exit events?).   Modify compiler(or guest
>>>> OS) to generate vm_exit for particular instructions? even that it
>>>> cannot work for HVM.  Maybe for API-level, things are easier..
>>>>
>>>> The motivation to do instruction-level analysis is OS level info such
>>>> as page table is coarse-grained.
>>>>
>>>> I really appreciate your suggestions and help.
>>>>
>>>> Best,
>>>> Liu
>>>>
>>>> _______________________________________________
>>>> Xen-devel mailing list
>>>> Xen-devel@xxxxxxxxxxxxxxxxxxx
>>>> http://lists.xensource.com/xen-devel
>>>>
>>
>>
>
>



-- 
Liu

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel

<Prev in Thread] Current Thread [Next in Thread>