RE: [Xen-devel] xen strace analysis
> -----Original Message-----
> From: Sanjam Garg [mailto:sanjamg@xxxxxxxxx]
> Sent: 28 February 2007 18:09
> To: Petersson, Mats
> Cc: xen-devel@xxxxxxxxxxxxxxxxxxx
> Subject: RE: [Xen-devel] xen strace analysis
>
> Hi
>
> Thanks for the quick reply. There is an issue here. Since I intend to do system call analysis, doing it from within domU prevents my IDS from being independent of the kernel integrity. Doing it in the dom0 and using a small agent in the domU does not help assure that information received from domU is not tainted. I understand that direct information of system call is not possible. Nonetheless, is there a way I can extrapolate information about the system call analysis from the low level information in Xen?
>
> UML (User Mode Linux) does help achieve such functionality as per the paper.
> (http://www.laureano.eti.br/projetos/vmids/vmids_euromicro.pdf)

But Xen doesn't have any idea what the system calls are - there's no interaction into Xen when most system calls are performed - so how will Xen help you then?

It's like lying in a tunnel under the road trying to determine from the noise the tyres make what make of car is driving on the road above - you may be able to tell the difference between a lorry (large truck) and an ordinary car, but not between a Mercedes, Ford, Volvo or BMW.

You will have to use some other method.

--
Mats

> Sanjam
>
> "Petersson, Mats" <Mats.Petersson@xxxxxxx> wrote:
>
> > -----Original Message-----
> > From: xen-devel-bounces@xxxxxxxxxxxxxxxxxxx
> > [mailto:xen-devel-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Sanjam Garg
> > Sent: 28 February 2007 17:38
> > To: xen-devel@xxxxxxxxxxxxxxxxxxx
> > Subject: [Xen-devel] xen strace analysis
> >
> > Hi
> >
> > I am looking for a mechanism to gather information about system calls that a guest Operating system is making. Any references for development of IDS's with Xen would also help.
>
> Xen doesn't have any clue what system calls the guest-OS is making (and should not know this). Xen itself only gets involved for certain special operations which, generally, either deal with page-table (memory-mapping) handling or inter-domain communication (event-channel), and of course domain life-cycle (creating, destroying, pausing and unpausing, save and restore, and migration). With a few other exceptions, everything else is handled within the guest itself. That's for the para-virtual case. In a fully-virtualized domain, there's even less knowledge of what's going on in the guest.
>
> So whilst the hypervisor may be able to surmise from this knowledge that a guest changed its pagetables around, it's not sufficiently aware of WHY to say whether that was done because of a fork, mmap or malloc call for example. It can determine that some communication happened between the guest and dom0, but not whether it's a file-read or a socket network operation, etc, etc.
>
> The only way to know what the guest is doing is to sit inside the guest-OS and perform something like strace (I think there are some ways to do a "system-wide strace", so you'd see exactly which system calls are done by which process).
>
> --
> Mats
>
> > Thanks
> > Sanjam

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
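The argument Mats makes above (page-table updates and event-channel notifications are visible from the hypervisor, but the syscall that caused them is not) can be made concrete with a small model. The following Python is an added illustration written for this thread, not Xen code and not anything either poster wrote: the event vocabulary and the syscall-to-event mapping are constructed assumptions that follow Mats' description. It projects a guest syscall sequence onto what a hypervisor in that position would see, then enumerates every syscall sequence consistent with that projection, which is the inverse problem a hypervisor-level IDS would have to solve.

```python
"""Toy model of what a Xen-style hypervisor can and cannot observe.

Added illustration for the thread above; not Xen code. The event
vocabulary and the syscall->event mapping below are constructed
assumptions following Mats' description: the hypervisor sees page-table
updates and event-channel (inter-domain) notifications, but never the
guest's system-call numbers.
"""
from collections import defaultdict
from itertools import product

# Hypervisor-visible events (constructed vocabulary).
PT_UPDATE = "pt_update"      # guest modified its page tables
EVTCHN = "evtchn_notify"     # inter-domain communication with dom0
NONE = "none"                # handled entirely inside the guest

# Constructed model: what each guest syscall looks like from below.
# Each visible syscall is modelled as producing exactly one event.
GUEST_VIEW = {
    "fork":         [PT_UPDATE],
    "mmap":         [PT_UPDATE],
    "brk":          [PT_UPDATE],   # malloc growing the heap
    "read_file":    [EVTCHN],      # block I/O goes via the dom0 backend
    "recv_socket":  [EVTCHN],      # network I/O goes via the dom0 backend
    "getpid":       [NONE],
    "gettimeofday": [NONE],
}


def hypervisor_trace(syscalls):
    """Project a guest syscall sequence onto what the hypervisor sees,
    dropping syscalls that never leave the guest."""
    trace = []
    for sc in syscalls:
        trace.extend(e for e in GUEST_VIEW[sc] if e != NONE)
    return trace


def candidates(trace):
    """Inverse problem: every sequence of hypervisor-visible syscalls whose
    projection equals `trace`. Invisible syscalls could be interleaved
    anywhere, so only the visible ones are enumerated."""
    by_event = defaultdict(list)
    for sc, evs in GUEST_VIEW.items():
        if evs != [NONE]:
            by_event[evs[0]].append(sc)
    return [list(c) for c in product(*(by_event[e] for e in trace))]


def ambiguity(trace):
    """How many distinct guest syscall sequences explain this trace."""
    return len(candidates(trace))


def invisible_syscalls():
    """Syscalls the hypervisor never gets to see at all."""
    return sorted(sc for sc, evs in GUEST_VIEW.items() if evs == [NONE])


if __name__ == "__main__":
    guest = ["fork", "read_file", "getpid", "mmap"]  # constructed sample
    tr = hypervisor_trace(guest)
    print("guest ran:       ", guest)
    print("hypervisor saw:  ", tr)
    print("sequences consistent with that trace:", ambiguity(tr))
    print("never visible from below:", invisible_syscalls())
```

For the constructed sample the hypervisor sees three events and eighteen different syscall sequences explain them, with getpid missing from all of them. That is the lorry-versus-car distinction from the reply: the class of activity is recoverable, the identity of the call is not, which is why a hypervisor-level syscall IDS needs an in-guest component and therefore inherits the guest-integrity problem Sanjam wanted to avoid.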