
RE: [Xen-devel] xen strace analysis

  • To: "Petersson, Mats" <Mats.Petersson@xxxxxxx>
  • From: Sanjam Garg <sanjamg@xxxxxxxxx>
  • Date: Wed, 28 Feb 2007 10:09:22 -0800 (PST)
  • Cc: xen-devel@xxxxxxxxxxxxxxxxxxx
  • Delivery-date: Wed, 28 Feb 2007 10:08:42 -0800
  • List-id: Xen developer discussion <xen-devel.lists.xensource.com>


Thanks for the quick reply. There is an issue here. Since I intend to do system call analysis, doing it from within domU prevents my IDS from being independent of the kernel integrity. Doing it in the dom0 and using a small agent in the domU does not help assure that information received from domU is not tainted. I understand that direct information about system calls is not possible. Nonetheless, is there a way I can extrapolate information about the system call analysis from the low level information in Xen?
UML (User Mode Linux) does help achieve such functionality as per the paper. (http://www.laureano.eti.br/projetos/vmids/vmids_euromicro.pdf)


"Petersson, Mats" <Mats.Petersson@xxxxxxx> wrote:

> -----Original Message-----
> From: xen-devel-bounces@xxxxxxxxxxxxxxxxxxx
> [mailto:xen-devel-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of
> Sanjam Garg
> Sent: 28 February 2007 17:38
> To: xen-devel@xxxxxxxxxxxxxxxxxxx
> Subject: [Xen-devel] xen strace analysis
> Hi
> I am looking for a mechanism to gather information about
> system calls that a guest Operating system is making. Any
> references for development of IDS's with Xen would also help.

Xen doesn't have any clue what system calls the guest-OS is making (and
should not know this). Xen itself only gets involved for certain special
operations which, generally, either deal with page-table
(memory-mapping) handling or inter-domain communication (event-channel),
and of course domain life-cycle (creating, destroying, pausing and
unpausing, save and restore, and migration). With a few other
exceptions, everything else is handled within the guest itself. That's
for the para-virtual case. In a fully-virtualized domain, there's even
less knowledge of what's going on in the guest.

So whilst the hypervisor may be able to surmise from this knowledge that
a guest changed its pagetables around, it's not sufficiently aware of
WHY to say whether that was done because of a fork, mmap or malloc call
for example. It can determine that some communication happened between
the guest and dom0, but not whether it's a file-read or a socket network
operation, etc, etc.

The only way to know what the guest is doing is to sit inside the
guest-OS and perform something like strace (I think there are some ways
to do a "system-wide strace", so you'd see exactly which system calls
are done by which process).

> Thanks
> Sanjam

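The in-guest approach Mats describes (a system-wide strace) yields per-process syscall streams that an IDS can profile; the following is an added illustration and not code posted in this thread. It assumes the line layout produced by `strace -f -tt` (pid, timestamp, call, arguments, return value, optional errno), parses constructed sample lines, builds a per-pid syscall frequency profile, recovers the parent/child relation from clone return values, and flags syscalls outside an allowed baseline. As the thread notes, this runs inside the guest and therefore trusts the guest kernel, which is exactly the limitation raised above.

```python
"""Per-process syscall profiling over strace-style output.

Added illustration, not code from the xen-devel thread. The line format is
assumed to be that of 'strace -f -tt':
    "<pid> <hh:mm:ss.usec> <syscall>(<args>) = <return> [<ERRNO> (<text>)]"
"""
import re
from collections import Counter, defaultdict

LINE_RE = re.compile(
    r"^(?P<pid>\d+)\s+(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<call>[a-z_0-9]+)\((?P<args>.*)\)\s*=\s*"
    r"(?P<ret>-?\d+|0x[0-9a-fA-F]+|\?)(?:\s+(?P<err>E[A-Z]+)\s*\(.*\))?\s*$"
)

# Constructed sample trace (not a real capture): a daemon reads its config,
# spawns a helper, and the helper opens a TCP connection that is refused.
SAMPLE_TRACE = """\
1201 10:09:22.000123 openat(AT_FDCWD, "/etc/app.conf", O_RDONLY) = 3
1201 10:09:22.000456 read(3, "listen=8080\\n"..., 4096) = 12
1201 10:09:22.000789 close(3) = 0
1201 10:09:22.001000 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|SIGCHLD) = 1202
1202 10:09:22.002000 execve("/usr/bin/helper", ["helper"], 0x7ffd1a2b3c40) = 0
1202 10:09:22.003000 socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 3
1202 10:09:22.004000 connect(3, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("192.0.2.10")}, 16) = -1 ECONNREFUSED (Connection refused)
1201 10:09:22.005000 wait4(1202, NULL, 0, NULL) = 1202
"""

# Calls whose positive return value is a new child pid.
SPAWN_CALLS = {"clone", "clone3", "fork", "vfork"}


def parse_line(line):
    """Parse one strace line into a dict, or return None for unparseable input."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["pid"] = int(ev["pid"])
    return ev


def parse_trace(text):
    """Parse a whole trace, silently skipping lines that do not match (e.g. signal reports)."""
    events = []
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is not None:
            events.append(ev)
    return events


def profile(events):
    """Per-pid syscall frequency counts: {pid: Counter({call: n})}."""
    prof = defaultdict(Counter)
    for ev in events:
        prof[ev["pid"]][ev["call"]] += 1
    return dict(prof)


def process_tree(events):
    """Map child pid -> parent pid, derived from spawn-call return values."""
    parents = {}
    for ev in events:
        ret = ev["ret"]
        if ev["call"] in SPAWN_CALLS and ret.lstrip("-").isdigit() and int(ret) > 0:
            parents[int(ret)] = ev["pid"]
    return parents


def find_deviations(events, baseline):
    """(pid, syscall) pairs outside the allowed baseline, first occurrence per pair, in trace order."""
    seen = set()
    out = []
    for ev in events:
        key = (ev["pid"], ev["call"])
        if ev["call"] not in baseline and key not in seen:
            seen.add(key)
            out.append(key)
    return out


if __name__ == "__main__":
    evs = parse_trace(SAMPLE_TRACE)
    for pid, counts in sorted(profile(evs).items()):
        print(pid, dict(counts))
    print("parents:", process_tree(evs))
    # Baseline for this daemon: file I/O and process management only.
    baseline = {"openat", "read", "close", "clone", "wait4", "execve"}
    print("outside baseline:", find_deviations(evs, baseline))
```

The baseline here is a hand-written allow-list; in practice it would be learned from a training run of the same workload, and the parser would need extending for the `<unfinished ...>`/`<... resumed>` lines strace emits when calls interleave across threads.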
Xen-devel mailing list