Barry Silverman
2003-Nov-13 17:32 UTC
[Xen-devel] Using Xeno for Security Monitoring/Honeypots
I am a current user of UML as a means for securely logging and monitoring Honeypot linuxes. UML has a number of features for jailing instances, or for logging the use of system calls in a manner that can't be interfered with by the guest OS.

After looking at Xeno, I am quite intrigued with its architecture and performance vs UML. The hypervisor looks capable of securely logging and alerting the outside world in a manner that a compromised guest cannot detect or alter.

The state of the art in computer intrusion precludes the use of network sniffing (as the intruder's traffic is encrypted using a private static ssh), or trojaning logging calls into shells (as the intruders typically supply their own static sash). The OS needs to have a mechanism for secretly monitoring the plain-text commands that an intruder is executing.

How, in Xen, can you log kinds of activity (e.g. 'exec calls' including arguments, or read/write calls to certain file descriptors)? My understanding of how Xen works is that it allows the guest OS to directly handle its own system call traps, and won't be able to intercept the system calls executed by the intruder.

Merely trapping the system calls may not be enough. If an intruder (with root access to the guest OS) is aware of these strategies, then they can create their own Kernel Modules (which can be loaded even if LKMs aren't configured), that have entry points to the underlying kernel code for read/write/exec, and can call them using some other API than a system call trap.

I was wondering whether the Hypervisor can enable the 386 hardware debugging trap registers, and use those to transparently find when the kernel is executing a suitable low-level piece of kernel code, and then log that?

-------------------------------------------------------
This SF.Net email sponsored by: ApacheCon 2003,
16-19 November in Las Vegas. Learn firsthand the latest
developments in Apache, PHP, Perl, XML, Java, MySQL, WebDAV, and more!
http://www.apachecon.com/
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/xen-devel
Ian Pratt
2003-Nov-14 14:13 UTC
Re: [Xen-devel] Using Xeno for Security Monitoring/Honeypots
> I am a current user of UML as a means for securely logging and monitoring
> Honeypot linuxes. UML has a number of features for jailing instances, or for
> logging the use of system calls in a manner that can't be interfered with by
> the guest OS.
>
> After looking at Xeno, I am quite intrigued with its architecture and
> performance vs UML. The hypervisor looks capable of securely logging and
> alerting the outside world in a manner that a compromised guest cannot
> detect or alter.

Our preferred mechanism would be that the hypervisor sends log messages to a privileged (non honey pot) domain (e.g. domain0), then figures out what to do with them.

> How, in Xen, can you log kinds of activity (e.g. 'exec calls' including
> arguments, or read/write calls to certain file descriptors)? My
> understanding of how Xen works is that it allows the guest OS to directly
> handle its own system call traps, and won't be able to intercept the system
> calls executed by the intruder.

There's a couple of people currently thinking about how to use it for kernel debugging, fault injection and such like. The plan is to put together a standard interface to enable a privileged domain to 'mess with' other domains. Trapping system calls etc should be considered as part of that work.

> Merely trapping the system calls may not be enough. If an intruder (with
> root access to the guest OS) is aware of these strategies, then they can
> create their own Kernel Modules (which can be loaded even if LKMs aren't
> configured), that have entry points to the underlying kernel code for
> read/write/exec, and can call them using some other API than a system call
> trap.
>
> I was wondering whether the Hypervisor can enable the 386 hardware debugging
> trap registers, and use those to transparently find when the kernel is
> executing a suitable low-level piece of kernel code, and then log that?

Some thought is required, but the debug interface should certainly aim to support this kind of functionality.

Help wanted ;-)

Cheers,
Ian
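As an added illustration of the debug-register approach Barry asks about (this is not code from the thread or from Xen), the C below computes the DR7 control word a monitoring hypervisor would program to place an execute breakpoint on a guest-kernel routine, and decodes DR6 after the resulting #DB to see which slot fired. The kernel address is a constructed placeholder, and loading the registers needs ring-0 access that this snippet deliberately does not perform.

```c
#include <stdint.h>
#include <stdio.h>

/* Condition codes as encoded in the DR7 R/Wn fields (I/O breakpoints omitted). */
enum bp_type { BP_EXEC = 0, BP_WRITE = 1, BP_RW = 3 };

/* DR7 LENn encoding: 00 = 1 byte, 01 = 2, 11 = 4, 10 = 8 (64-bit mode only). */
static int len_code(int len_bytes) {
    switch (len_bytes) {
    case 1: return 0; case 2: return 1; case 4: return 3; case 8: return 2;
    default: return -1;
    }
}

/* Program breakpoint slot `slot` (0..3) into an existing DR7 value.
 * Returns 0 and writes *dr7_out on success, -1 if the request is not encodable. */
int dr7_program(uint64_t dr7_in, int slot, uint64_t addr, enum bp_type type,
                int len_bytes, int global, uint64_t *dr7_out) {
    int lc = len_code(len_bytes);
    if (slot < 0 || slot > 3 || lc < 0) return -1;
    if (type == BP_EXEC && len_bytes != 1) return -1;                      /* execute bps need LENn = 00 */
    if (type != BP_EXEC && (addr & (uint64_t)(len_bytes - 1))) return -1; /* data bps must be aligned */
    uint64_t dr7 = dr7_in;
    dr7 &= ~(3ULL << (slot * 2));                      /* clear the Ln/Gn enable pair for this slot */
    dr7 &= ~(0xFULL << (16 + slot * 4));               /* clear R/Wn and LENn for this slot */
    dr7 |= (global ? 2ULL : 1ULL) << (slot * 2);       /* Gn keeps the breakpoint across task switches */
    dr7 |= ((uint64_t)type | ((uint64_t)lc << 2)) << (16 + slot * 4);
    *dr7_out = dr7;
    return 0;
}

/* Convenience wrapper starting from DR7 = 0; returns UINT64_MAX on error. */
uint64_t dr7_build(int slot, uint64_t addr, enum bp_type type, int len_bytes, int global) {
    uint64_t out;
    return dr7_program(0, slot, addr, type, len_bytes, global, &out) == 0 ? out : UINT64_MAX;
}

/* After a #DB, DR6 bits 0..3 report which slots matched; the monitor must clear them itself. */
unsigned dr6_fired(uint64_t dr6) { return (unsigned)(dr6 & 0xF); }

int main(void) {
    /* Constructed placeholder for the guest-kernel address of a low-level routine (e.g. the exec path). */
    uint64_t kernel_fn = 0xffffffff81234560ULL;
    uint64_t dr7;
    if (dr7_program(0, 0, kernel_fn, BP_EXEC, 1, 1, &dr7) == 0)
        printf("DR0=%#llx DR7=%#llx\n", (unsigned long long)kernel_fn, (unsigned long long)dr7);
    printf("slots fired for DR6=0x4003: %#x\n", dr6_fired(0x4003));
    return 0;
}
```

Because the breakpoint fires on the kernel routine itself rather than on the system-call trap, a guest module that calls the routine through a private entry point still hits it, which is the gap Barry's last paragraph describes.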