
[Xen-devel] intercept interrupts from guest domains and find rootkits


  • To: xen-devel@xxxxxxxxxxxxxxxxxxx
  • From: Elena <elena.junk@xxxxxxxxx>
  • Date: Tue, 9 Feb 2010 20:59:22 +0100
  • Delivery-date: Tue, 09 Feb 2010 11:59:45 -0800
  • List-id: Xen developer discussion <xen-devel.lists.xensource.com>

Hello!!

I'd like to refer to this post: "RE: [Xen-devel] Re: How to intercept
interrupts from guest domains"
made by "Mads Bergdal" on 21 Sep 2006 in this list.

Mads tried to intercept hypercalls made by a guest domain, from the hypervisor.
I did this by modifying the Xen source (entry.S) to print the
hypercall number to dmesg.

My question is: if an intruder installs a rootkit in a guest domain
(for example, IDT hooking), can my hypercall interception on Dom0
establish that there was a violation of that guest? Is any rootkit
installed on the guest detectable by my hypercall interception (for
example, a rootkit that makes a specific sequence of hypercalls)?

I hope that it isn't too complicated, and I thank you in advance for
your understanding.

Regards,
Elena

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel


 

