Hi

I am looking for a mechanism to gather information about system calls that a guest operating system is making. Any references for development of IDSs with Xen would also help.

Thanks
Sanjam

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel
> -----Original Message-----
> From: xen-devel-bounces@lists.xensource.com [mailto:xen-devel-bounces@lists.xensource.com] On Behalf Of Sanjam Garg
> Sent: 28 February 2007 17:38
> To: xen-devel@lists.xensource.com
> Subject: [Xen-devel] xen strace analysis
>
> Hi
>
> I am looking for a mechanism to gather information about system calls that a guest operating system is making. Any references for development of IDSs with Xen would also help.

Xen doesn't have any clue what system calls the guest OS is making (and should not know this). Xen itself only gets involved for certain special operations which, generally, either deal with page-table (memory-mapping) handling or inter-domain communication (event-channel), and of course domain life-cycle (creating, destroying, pausing and unpausing, save and restore, and migration). With a few other exceptions, everything else is handled within the guest itself. That's for the para-virtual case. In a fully-virtualized domain, there's even less knowledge of what's going on in the guest.

So whilst the hypervisor may be able to surmise from this knowledge that a guest changed its pagetables around, it's not sufficiently aware of WHY to say whether that was done because of a fork, mmap or malloc call for example. It can determine that some communication happened between the guest and dom0, but not whether it's a file-read or a socket network operation, etc, etc.

The only way to know what the guest is doing is to sit inside the guest OS and perform something like strace (I think there are some ways to do a "system-wide strace", so you'd see exactly which system calls are done by which process).

--
Mats
Hi

Thanks for the quick reply. There is an issue here. Since I intend to do system call analysis, doing it from within domU prevents my IDS from being independent of the kernel integrity. Doing it in the dom0 and using a small agent in the domU does not help assure that information received from domU is not tainted. I understand that direct information of system calls is not possible. Nonetheless, is there a way I can extrapolate information about the system call analysis from the low level information in Xen?

UML (User Mode Linux) does help achieve such functionality as per the paper.
(http://www.laureano.eti.br/projetos/vmids/vmids_euromicro.pdf)

Sanjam

"Petersson, Mats" <Mats.Petersson@amd.com> wrote:
> Xen doesn't have any clue what system calls the guest OS is making (and should not know this).
> [...]
> -----Original Message-----
> From: Sanjam Garg [mailto:sanjamg@yahoo.com]
> Sent: 28 February 2007 18:09
> To: Petersson, Mats
> Cc: xen-devel@lists.xensource.com
> Subject: RE: [Xen-devel] xen strace analysis
>
> Hi
>
> Thanks for the quick reply. There is an issue here. Since I intend to do system call analysis, doing it from within domU prevents my IDS from being independent of the kernel integrity. Doing it in the dom0 and using a small agent in the domU does not help assure that information received from domU is not tainted. I understand that direct information of system calls is not possible. Nonetheless, is there a way I can extrapolate information about the system call analysis from the low level information in Xen?
> UML (User Mode Linux) does help achieve such functionality as per the paper.
> (http://www.laureano.eti.br/projetos/vmids/vmids_euromicro.pdf)

But Xen doesn't have any idea what the system calls are - there's no interaction into Xen when most system calls are performed - so how will Xen help you then?

It's like lying in a tunnel under the road trying to determine from the noise the tyres make what make of car is driving on the road above - you may be able to tell the difference between a lorry (large truck) and an ordinary car, but not between a Mercedes, Ford, Volvo or BMW.

You will have to use some other method.

--
Mats
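The route this thread leaves open is the "system-wide strace" run inside the guest: per-process syscall data that a host-based IDS can then profile. The Python below is an added example, not code from the thread, from Xen or from the cited paper: it parses a constructed `strace -f -tt` capture into per-pid syscall counts and flags calls outside a baseline allow-list. The log lines, pids and baseline are all constructed assumptions; only the GNU strace line format is taken as given.

```python
import re
from collections import Counter, defaultdict

# One line of `strace -f -tt` output: optional "[pid N]" prefix, optional
# timestamp, then either "<... name resumed>" or "name(".  Assumption: GNU
# strace formatting; other tracers print differently.
LINE_RE = re.compile(
    r"^(?:\[pid\s+(?P<pid>\d+)\]\s+)?"
    r"(?:\d{2}:\d{2}:\d{2}\.\d+\s+)?"
    r"(?:<\.\.\.\s+(?P<resumed>\w+)\s+resumed>|(?P<call>\w+)\()"
)

def syscall_histogram(lines, main_pid):
    """Count syscalls per pid. Lines without a [pid] prefix belong to the
    traced process itself (strace adds the prefix only once a second task
    exists). A '<... X resumed>' half completes an earlier '<unfinished ...>'
    line, so it is skipped rather than counted twice."""
    hist = defaultdict(Counter)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m.group("resumed"):
            continue  # signal/exit markers and resumed halves
        pid = int(m.group("pid") or main_pid)
        hist[pid][m.group("call")] += 1
    return dict(hist)

def unexpected_calls(hist, baseline):
    """(pid, syscall) pairs outside a per-host allow-list: the simplest
    syscall-profile IDS check, run on data gathered inside the guest."""
    return sorted((pid, c) for pid, ctr in hist.items()
                  for c in ctr if c not in baseline)

# Constructed sample modelled on strace -f -tt output (not a real capture);
# the traced process is pid 4241 and it forks pid 4242.
SAMPLE = """\
17:38:01.000001 execve("/usr/sbin/sshd", ["sshd"], 0x7ffd1234) = 0
17:38:01.000002 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|SIGCHLD) = 4242
[pid  4242] 17:38:01.000003 openat(AT_FDCWD, "/etc/passwd", O_RDONLY) = 3
[pid  4242] 17:38:01.000004 read(3,  <unfinished ...>
[pid  4241] 17:38:01.000005 wait4(-1,  <unfinished ...>
[pid  4242] <... read resumed>"root:x:0:0:", 4096) = 1200
[pid  4242] 17:38:01.000006 +++ exited with 0 +++
[pid  4241] <... wait4 resumed>[{WIFEXITED(s)}], 0, NULL) = 4242
""".splitlines()

if __name__ == "__main__":
    hist = syscall_histogram(SAMPLE, main_pid=4241)
    print(hist)
    print(unexpected_calls(hist, {"execve", "clone", "wait4", "read"}))
```

The allow-list check is deliberately minimal; a real profile would be built per binary from a training run and would also consider argument values and call sequences.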