Hello all,

I am doing some research work on protecting Xen's data structures. I know there is a direct-map area (about 12M), in which we can get the physical address of the data structure from its virtual address. My question is: are the stack and the heap of Xen both located in this direct-map area? Since I need to protect stack and heap data, it is easy to identify their physical addresses if they are both in this area.

Thanks.

--
Best Regards,
Baozeng Ding
OSTG,NFS,ISCAS

At 17:30 +0800 on 14 Jun (1339695001), Baozeng wrote:
> Hello all,
>
> I am doing some research work on protecting Xen's data structures.
> I know there is a direct-map area(about 12M), in which we can get the
> physical address of the data structure from its virtual address. My
> question is : are the stack and the heap of Xen both located in this
> direct-map area?

On 32-bit x86, anything allocated with alloc_xenheap_* or xmalloc() is in that area (and that includes Xen's stacks). Anything allocated with alloc_domheap_* is not. Also the frametable and M2P are mapped separately. The details are in include/asm-x86/config.h.

Cheers,

Tim.

2012/6/14 Tim Deegan <tim@xen.org>:
> At 17:30 +0800 on 14 Jun (1339695001), Baozeng wrote:
>> Hello all,
>>
>> I am doing some research work on protecting Xen's data structures.
>> I know there is a direct-map area(about 12M), in which we can get the
>> physical address of the data structure from its virtual address. My
>> question is : are the stack and the heap of Xen both located in this
>> direct-map area?
>
> On 32-bit x86, anything allocated with alloc_xenheap_* or xmalloc() is
> in that area (and that includes Xen's stacks). Anything allocated with
> alloc_domheap_* is not. Also the frametable and M2P are mapped
> separately. The details are in include/asm-x86/config.h.
>

I see. I want to monitor Xen's data structures in a trusted VM (dom0). One challenge is how to let dom0 read Xen's data structures (just read, no need to write). Since Xen has more privilege, dom0 cannot read its data directly. Can we set up appropriate hypervisor page tables for dom0 that map Xen's relevant physical (or virtual) memory areas? How to do that? Do we need to modify Xen's code, or just the dom0's code?

> Cheers,
>
> Tim.

--
Best Regards,
Baozeng Ding
OSTG,NFS,ISCAS

At 15:15 +0800 on 15 Jun (1339773354), Baozeng wrote:
> I see. I want to monitor Xen's data structures in a trusted VM(dom0).

I don't understand. Given that Xen controls dom0 entirely, how can it monitor Xen's datastructures?

> One challenge is how to make dom0 can read Xen's data structure (just
> read, do not need to write). Since Xen has more privilege, dom0 cannot
> read its data directly. Can we set up appropriate hypervisor-page
> tables for dom0 that map Xen's relevant physical (or virtual) memory
> areas? How to do that? Do we need modify Xen's code? or just the
> dom0's code?

You would need to modify Xen (to allow dom0 to have read-only mappings of all memory) and dom0 (to understand Xen well enough to follow its datastructures). But since a compromised Xen could lie to dom0 about its pagetables, this seems like a very weak kind of security -- especially compared with something like HyperSafe or CloudVisor that uses a _more_ privileged element to protect the hypervisor.

Tim.