Hi, I''m going to use XEN to do some security analysis. In the context of VMX(or SVM), it is possible to do analysis at instruction level? for example, intercept call/jmp, mov etc. For virtualization tools which use binary translation, we are able to do that. In XEN, it''s still possible? I assume the nature of para-virtualization and VMX does not provide such mechanism(users are allowed to register new vm_exit events?). Modify compiler(or guest OS) to generate vm_exit for particular instructions? even that it cannot work for HVM. Maybe for API-level, things are easier.. The motivation to do instruction-level analysis is OS level info such as page table is coarse-grained. I really appreciate your suggestions and help. Best, Liu _______________________________________________ Xen-devel mailing list Xen-devel@lists.xensource.com http://lists.xensource.com/xen-devel
George Dunlap
2011-Jul-07 09:18 UTC
Re: [Xen-devel] possible to do analysis at instruction level?
Do you just want to see what the guest was doing? If so, you might look at a rather obscure debugging feature of the processors called "Branch Trace Store" (BTS). Basically you set up some registers to point to an area of memory, and every time the cpu executes a branch, the BTS microcode will write the source and destination of those branches into the buffer. When the buffer reaches a certain threshold, it will generate an exception, and the store can be emptied. You''d have to do your own modifications to Xen to deal with this. I have some ancient (~2006) code I could give you for inspiration, but you''re still going to need to basically implement the whole thing from scratch. Let me know if you want the code, and I''ll give you a pointer to it. (Very much "as-is, caveat emptor" at this point.) -George On Thu, Jul 7, 2011 at 4:20 AM, John Liu <bradevuu@gmail.com> wrote:> Hi, > > I''m going to use XEN to do some security analysis. > > In the context of VMX(or SVM), it is possible to do analysis at > instruction level? for example, intercept call/jmp, mov etc. For > virtualization tools which use binary translation, we are able to do > that. In XEN, it''s still possible? I assume the nature of > para-virtualization and VMX does not provide such mechanism(users are > allowed to register new vm_exit events?). Modify compiler(or guest > OS) to generate vm_exit for particular instructions? even that it > cannot work for HVM. Maybe for API-level, things are easier.. > > The motivation to do instruction-level analysis is OS level info such > as page table is coarse-grained. > > I really appreciate your suggestions and help. > > Best, > Liu > > _______________________________________________ > Xen-devel mailing list > Xen-devel@lists.xensource.com > http://lists.xensource.com/xen-devel >_______________________________________________ Xen-devel mailing list Xen-devel@lists.xensource.com http://lists.xensource.com/xen-devel
John(Zhi) Liu
2011-Jul-08 14:37 UTC
Re: [Xen-devel] possible to do analysis at instruction level?
Hi George, Thank you for the suggestions. My purpose is only want to watch what guest is doing, but also modify its execution. For example, rewrite operand of call *** instruction. It seems there is no a general way to do this(without modifying guest OS), which is natural since XEN is meant to be a hypervisor instead of analysis tool. VMSafe is SDK of VMWARE for guest security inspection. I think guests running on XEN also have security concerns. It *might* be a good idea to add security analysis tools that are not part of the hypervisor. I am working on isolating malicious drivers into different address space(s) so that malicious behaviors cannot impact guest OS. Thanks, John(Zhi) 2011/7/8 George Dunlap <george.dunlap@eu.citrix.com>:> Please reply to the list, so that everyone can benefit from our discussion. > :-) > -George > > On 07/07/2011 04:27 PM, John Liu wrote: >> >> Hi George, >> >> Thank you for the suggestions. My purpose is only want to watch what >> guest is doing, but also modify its execution. For example, rewrite >> operand of call *** instruction. It seems there is no a general way >> to do this, which is natural since XEN is meant to be a hypervisor >> instead of analysis tool. >> >> VMSafe is SDK of VMWARE for guest security inspection. I think guests >> running on XEN also have security concerns. It *might* be a good idea >> to add security analysis tools that are not part of the hypervisor. I >> am working on isolating malicious drivers into different address >> space(s) so that malicious behaviors cannot impact guest OS. >> >> Thanks, >> John(Zhi) >> >> >> 2011/7/7 George Dunlap<George.Dunlap@eu.citrix.com>: >>> >>> Do you just want to see what the guest was doing? >>> >>> If so, you might look at a rather obscure debugging feature of the >>> processors called "Branch Trace Store" (BTS). Basically you set up >>> some registers to point to an area of memory, and every time the cpu >>> executes a branch, the BTS microcode will write the source and >>> destination of those branches into the buffer. When the buffer >>> reaches a certain threshold, it will generate an exception, and the >>> store can be emptied. >>> >>> You''d have to do your own modifications to Xen to deal with this. I >>> have some ancient (~2006) code I could give you for inspiration, but >>> you''re still going to need to basically implement the whole thing from >>> scratch. >>> >>> Let me know if you want the code, and I''ll give you a pointer to it. >>> (Very much "as-is, caveat emptor" at this point.) >>> >>> -George >>> >>> On Thu, Jul 7, 2011 at 4:20 AM, John Liu<bradevuu@gmail.com> wrote: >>>> >>>> Hi, >>>> >>>> I''m going to use XEN to do some security analysis. >>>> >>>> In the context of VMX(or SVM), it is possible to do analysis at >>>> instruction level? for example, intercept call/jmp, mov etc. For >>>> virtualization tools which use binary translation, we are able to do >>>> that. In XEN, it''s still possible? I assume the nature of >>>> para-virtualization and VMX does not provide such mechanism(users are >>>> allowed to register new vm_exit events?). Modify compiler(or guest >>>> OS) to generate vm_exit for particular instructions? even that it >>>> cannot work for HVM. Maybe for API-level, things are easier.. >>>> >>>> The motivation to do instruction-level analysis is OS level info such >>>> as page table is coarse-grained. >>>> >>>> I really appreciate your suggestions and help. >>>> >>>> Best, >>>> Liu >>>> >>>> _______________________________________________ >>>> Xen-devel mailing list >>>> Xen-devel@lists.xensource.com >>>> http://lists.xensource.com/xen-devel >>>> >> >> > >-- Liu _______________________________________________ Xen-devel mailing list Xen-devel@lists.xensource.com http://lists.xensource.com/xen-devel