[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [Xen-devel] [PATCH 13/25] argo: implement the register op
On 1/9/19 6:50 PM, Tamas K Lengyel wrote: On Wed, Jan 9, 2019 at 9:48 AM Razvan Cojocaru <rcojocaru@xxxxxxxxxxxxxxx> wrote:On 1/9/19 6:34 PM, Roger Pau Monné wrote:Maybe this is use-case is different, but how does introspection handle accesses to the shared info page or the runstate info for example? I would consider argo to be the same in this regard.Not exactly: The shared info page is special in any event. For runstate info (and alike - there's also struct vcpu_time_info) I'd question correctness of the current handling. If that's wrong already, I'd prefer if the issue wasn't spread.There are also grants, which when used together with another guest on the same host could allow to bypass introspection AFAICT? (unless there's some policy applied that limit grant sharing to trusted domains) TBH I'm not sure how to handle hypoervisor accesses with introspection. My knowledge of introspection is fairly limited, but it pauses the guest and sends a notification to an in guest agent. I'm not sure this is applicable to hypervisor writes, since it's not possible to pause hypervisor execution and wait for a response from a guest agent.Introspection applications only care about memory accesses performed by the guest. Hypervisor accesses to monitored pages are not included when monitoring - it is actually a feature when using the emulator in Xen to continue guest execution because the hypervisor ignores EPT memory permissions that trip the guest for introspection. So having the hypervisor access memory or a grant-shared page being accessed in another domain are not a problem for introspection.Can't then two guests running on the same host be able to completely bypass introspection? I guess you prevent this by limiting to which guests pages can be shared?Would these two guests be HVM guests? Introspection only works for HVM guests. I'm not sure I follow your scenario though. How would these guests collaborate to escape introspection via grants?If there are two domains acting maliciously in concert to bypass monitoring of memory writes they could achieve that with grants, yes. Say a write-monitored page is grant-shared to another domain, which then does the write on behalf of the first. I wouldn't say that's "completely bypassing introspection" though, there are many types of events that can be monitored, write-accesses are only one. I'm not aware of any mechanism that can be used to limit which pages can be shared but you can use XSM to restrict which domains can share pages to begin with. That's normally enough. Right, I agree. We're not currently dealing with that case and assume that XSM (or a similar mechanism) will be used in scenarios where this level of access is possible. Thanks, Razvan _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxxxxxxxxx https://lists.xenproject.org/mailman/listinfo/xen-devel
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |