Abhinav Srivastava
2006-Nov-13 17:25 UTC
[Xen-devel] How to intercept memory operation in Xen
Hi all,

I am new to Xen and currently using Xen 3.0.3. My goal is to provide a memory logging facility in Dom0. If any guest domain (DomU) application tries to access any memory area, I would like to know in dom0 what area they are accessing. So that if any user space applications try to access kernel memory then I can see it in dom0 and, using my detection system, I can say that it is an illegal memory request, as user space applications are not allowed to use kernel memory. I have three Qs related to this:

1) Is this doable?

2) If yes, how should I start with? Do I need to intercept hypercalls? If yes, how to do this?

3) To intercept memory operations, do I need to make changes in the Xen code? If yes, it would be great if you could point me to the exact file where changes are to be made.

4) Can it be done using some application or IDS in dom0 with some hooks without changing the Xen code?

I would really appreciate your help.

Thanks,
Abhi
Petersson, Mats
2006-Nov-13 18:08 UTC
RE: [Xen-devel] How to intercept memory operation in Xen
> Hi all,
>
> I am new to the Xen and currently using Xen 3.0.3. My goal is
> to provide memory logging facility in Dom0. If any guest
> domain (DomU) application tries to access any memory area, I
> would like to know in dom0 what area they are accessing. So
> that if any user space applications try to access kernel
> memory then I can see in dom0 and using my detection system,
> I can say that it is illegal memory request as user space
> applications are not allowed to use kernel memory. I have
> three Qs related to this:
>
> 1) Is this doable?

Yes and no. There is already this check in Linux, so I guess you'd have to undo that check first, which would probably break a few things, which makes it a lot harder...

If I write in a (32-bit x86) application:

    int main(void)
    {
        int *p = (int *) 0xc0100000; /* Typical kernel address */
        *p = 47;                     /* user-mode write to it faults */
    }

This application would seg-fault.

> 2) If yes, how should I start with? Do I need to intercept
> hypercalls? If yes, how to do this?

Probably not in itself. You'd have to modify the memory handling within Xen to capture accesses to memory.

> 3) To intercept memory operation, do I need to change in the
> Xen code? If yes, it would be great if you could point me
> exact file where changes are to be made.

Yes, you need to set every page read-only, and on the page-fault that occurs when you get a write, you need to fix up the fault, then somehow fix it back again to be read-only. The easiest way of doing that is probably to use the x86_emulate.c to emulate the instruction.

The page-fault caused by a memory access to read-only memory ends up in traps.c.

> 4) Can it be done using some application or IDS in dom0 with
> some hooks without changing the Xen code?

Well, as I started out, Linux already prevents user-mode access to kernel memory as it is, so I'm not sure exactly what you're trying to fix...

I presume you don't mean pages that are mapped BOTH to User-mode and Kernel-mode. It is entirely possible and valid for the kernel to have a different mapping than the user-mode code for the same memory area, and it's entirely possible, but not particularly good practice, to share access between those two mappings.

Say for example we have some code that does this:

    #include <fcntl.h>
    #include <stdlib.h>
    #include <unistd.h>

    void some_func(const char *somefile)
    {
        char *b = malloc(512);
        int fd = open(somefile, O_WRONLY | O_NONBLOCK);
        write(fd, b, 512);   /* non-blocking: may not have finished... */
        free(b);             /* ...when the buffer is freed here */
        close(fd);
    }

Now, consider that the write may not have finished by the time we free the buffer. What should the kernel do at this time? Abort the write - perhaps not possible, we may have STARTED it. The safe thing to do is to either copy the data, or map it a second time, and when the free-call is made, it's only freeing the user-visible side of the memory allocation, leaving the kernel mode one still valid. [I'm not saying that this is how it's done in Linux, just saying that it's POSSIBLE].

--
Mats
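The write-protect-and-fix-up approach described in the reply above, as an added example that is not part of the original message or of Xen: a user-space analogue for Linux that maps one page read-only, logs the address of each write fault in a SIGSEGV handler, makes the page writable so the store restarts, and re-arms the protection afterwards. All names (wlog_init, logged_write, on_segv) are hypothetical.

```c
/* Added example, not code from the thread. Linux assumed; names hypothetical. */
#define _GNU_SOURCE
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

#define WLOG_MAX 16
static unsigned char *region;               /* the monitored page */
static size_t region_len;
static volatile uintptr_t wlog[WLOG_MAX];   /* logged faulting addresses */
static volatile sig_atomic_t wlog_n;

/* Fault path: log the address, then fix up by making the page writable so
 * the faulting store is restarted and succeeds. */
static void on_segv(int sig, siginfo_t *si, void *ctx)
{
    uintptr_t a = (uintptr_t)si->si_addr;
    (void)sig; (void)ctx;
    if (a < (uintptr_t)region || a >= (uintptr_t)region + region_len)
        _exit(1);                           /* a genuine fault: do not mask it */
    if (wlog_n < WLOG_MAX)
        wlog[wlog_n++] = a;
    /* mprotect() is not on POSIX's async-signal-safe list; Linux assumption. */
    if (mprotect(region, region_len, PROT_READ | PROT_WRITE) != 0)
        _exit(2);
}

/* Map one read-only page and install the handler. Returns 0 on success. */
int wlog_init(void)
{
    struct sigaction sa = {0};
    sa.sa_sigaction = on_segv;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    wlog_n = 0;
    region_len = (size_t)sysconf(_SC_PAGESIZE);
    region = mmap(NULL, region_len, PROT_READ, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (region == MAP_FAILED) return -1;
    return sigaction(SIGSEGV, &sa, NULL);
}

/* One monitored write. Here the writer re-arms the page itself; a hypervisor
 * has no such cooperating caller, hence the suggestion to emulate instead. */
int logged_write(size_t off, unsigned char v)
{
    volatile unsigned char *p = region + off;
    *p = v;                                  /* faults while page is read-only */
    return mprotect(region, region_len, PROT_READ);
}

int main(void)
{
    if (wlog_init() != 0) return 1;
    logged_write(8, 47);
    logged_write(100, 1);
    for (int i = 0; i < wlog_n; i++)
        printf("write fault at page offset %lu\n", (unsigned long)(wlog[i] - (uintptr_t)region));
    return 0;
}
```

Every logged write costs a fault plus two mprotect() calls, which gives a feel for the overhead of doing the same for every page of a guest.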
Anthony Liguori
2006-Nov-13 18:34 UTC
[Xen-devel] Re: How to intercept memory operation in Xen
Abhinav Srivastava wrote:
> Hi all,
>
> I am new to the Xen and currently using Xen 3.0.3. My goal is to provide
> memory logging facility in Dom0. If any guest domain (DomU) application
> tries to access any memory area, I would like to know in dom0 what area
> they are accessing. So that if any user space applications try to access
> kernel memory then I can see in dom0 and using my detection system, I
> can say that it is illegal memory request as user space applications are
> not allowed to use kernel memory. I have three Qs related to this:

You would have a much easier time just modifying the Linux kernel. Xen isn't going to help you much here.

> 1) Is this doable?

Exceptions do go through the hypervisor; however, page faults are not usually a sign of something bad happening. Linux, for instance, uses copy-on-write and on-demand paging, which means in many circumstances, page faults are not a sign of misuse of memory.

I don't think there's any generic way of identifying whether a page fault is a "good" page fault or a "bad" page fault at the hypervisor level. The hypervisor merely forwards the fault to the guest and the guest then decides what action to take (update a page table, kill a process, etc.). To complicate matters further, some apps catch SEGV and handle it themselves. That makes the potential recovery behavior totally non-deterministic. You could potentially try to track heuristically whether a PTE update occurs after a page fault at the hypervisor level but that would be easily defeatable (which means it isn't useful for an IDS system). At the end of the day, you really have to modify the domU kernel.

You should look at some of the bug reporting tools in Linux. They seem to be doing something to hook all process crashes. Ubuntu has a new bug crash tool that you could probably start with. This would put you in domU userspace though...

Regards,

Anthony Liguori
Abhinav Srivastava
2006-Nov-13 20:18 UTC
Re: [Xen-devel] Re: How to intercept memory operation in Xen
Thanks for your reply.

I know that if user-based applications access kernel space memory, they will get a segfault. However, in many cases, there are vulnerabilities in the kernel that allow hackers to write to the portion of kernel memory that could give them root privileges or arbitrary code execution. I would like to know the address at which applications are writing, and if I could get the address of that memory location in dom0, I can check whether this address belongs to kernel memory or user memory. If it is part of kernel memory, it should not be allowed.

So, in a sense I do not want to distinguish good/bad page faults. It is like page fault happens but for what address. Please let me know if I am sounding correct or not.

Can you please let me know, if I would want to achieve this, how I should start? Is this difficult to achieve?

Also, I would like to know how to intercept hypercalls and system calls in Xen? It could be useful to provide a system call and hypercall logging mechanism. It would be great if you could provide me some pointers to start with.

Thanks,
Abhi
Petersson, Mats
2006-Nov-14 11:42 UTC
RE: [Xen-devel] Re: How to intercept memory operation in Xen
> Thanks for your reply.
>
> I know if user based application access to Kernel space
> memory, they will get the segfault. However, in many cases,
> there are vulnerabilities in the kernel and
> that allows the hackers to write to the portion of kernel
> memory that could give them root privileges or arbitrary code
> execution. I would like to know the address at which
> applications are writing and if I could get the address of
> that memory location in dom0, I can check whether this
> address belongs to kernel memory or user memory. If it is the
> part of kernel memory, it should not be allowed.

But those, generally, happen in kernel mode, so it's not actually user-mode code writing to kernel memory, but rather the kernel. Something like this:

In user-mode:

    some_system_call(buffer, 2123); /* 123 bytes too many! */
    ...

In kernel:

    void some_system_call(char *buffer, int size)
    {
        char temp_buffer[2000];
        int n;

        /* no range check on size: overruns temp_buffer when size > 2000 */
        for (n = 0; n < size; n++)
            temp_buffer[n] = buffer[n];
    }

Obviously, this _SHOULD_ be range-checked to ensure that the size is less than or equal to sizeof(temp_buffer), but it isn't done, so the calling code can cause some data on the stack to be overwritten.

The code in the kernel is often much more complex than this, but that is not changing the way it works, just how hard it is to spot the problem.

There are obviously many different variants on this theme, but the conclusion is that the user-mode code is prevented from writing to kernel memory - however, kernel code can, should and will write to kernel memory - it just shouldn't have bugs.

I very much doubt that any process that intercepts memory operations generically will be able to catch this. There is functionality in the compiler to automagically range-check stack usage and array usage, which is probably a more efficient method of figuring these things out.

Of course, you may think of some other types of vulnerabilities - but I think 99% of all User-mode writing kernel memory is actually making use of code within the kernel, rather than accessing kernel memory from user-mode as such.

--
Mats
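The missing range check from the reply above, as an added example that is not part of the original message: the copy loop as posted next to a range-checked version, with the stack frame modelled as one flat array followed by a guard word so that the overrun is observable without corrupting real memory. The frame layout, the guard value and the function names are assumptions made for the illustration.

```c
/* Added example, not code from the thread. User-space model; names hypothetical. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TEMP_SIZE 2000            /* sizeof(temp_buffer) in the reply */
#define GUARD     0x5AFEC0DEu     /* constructed guard value */

/* Model frame as one flat array: [ temp_buffer | guard word | other state ].
 * The overrun then lands in memory this example owns. */
struct frame { unsigned char mem[TEMP_SIZE + sizeof(uint32_t) + 256]; };

static unsigned char user_buf[2123];   /* constructed caller data, zero-filled */

static void frame_enter(struct frame *f)
{
    uint32_t g = GUARD;
    memset(f->mem, 0xAA, sizeof f->mem);
    memcpy(f->mem + TEMP_SIZE, &g, sizeof g);
}

static int guard_overwritten(const struct frame *f)
{
    uint32_t g;
    memcpy(&g, f->mem + TEMP_SIZE, sizeof g);
    return g != GUARD;
}

/* The loop as posted: trusts size. Returns 1 if the guard was overwritten. */
int copy_unchecked(const unsigned char *buffer, int size)
{
    struct frame f;
    frame_enter(&f);
    for (int n = 0; n < size && (size_t)n < sizeof f.mem; n++) /* 2nd bound: model only */
        f.mem[n] = buffer[n];
    return guard_overwritten(&f);
}

/* Range-checked: refuses before copying. size is a signed int as in the
 * reply, so negative values are rejected as well. */
int copy_checked(const unsigned char *buffer, int size)
{
    struct frame f;
    if (size < 0 || (size_t)size > TEMP_SIZE)
        return -EINVAL;
    frame_enter(&f);
    memcpy(f.mem, buffer, (size_t)size);
    return guard_overwritten(&f);
}

int main(void)
{
    printf("unchecked 2123: %d\n", copy_unchecked(user_buf, 2123));
    printf("checked   2123: %d\n", copy_checked(user_buf, 2123));
    printf("checked   2000: %d\n", copy_checked(user_buf, 2000));
    return 0;
}
```

GCC and Clang insert a comparable guard check on function exit when code is built with `-fstack-protector-strong`.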