Re: [Xen-users] XenAccess Library: Introspection for Xen
> The other thing to consider is non-traditional host-based IDS.
> Through introspection, you need not be limited by the presentation of
> information that you normally get inside the operating system.
> Perhaps viewing memory "through a different lens" could lead to some
> interesting new techniques? Something to think about.

I think it'll enable lots of things - we need to throw away our preconceptions to get the best out of the architecture. So much more is possible without the constraints of just running inside / outside machine boundary of the monitored system.

> Indeed. And, in addition to data aggregation, comparing the data
> from in the host to data from introspection to data on the network
> could lead to some interesting analysis. For example, what if you
> saw conflicting information about the same system from two sensor
> locations? Perhaps you just detected stealthy malware?

Indeed. It's going to need a fairly interesting inference engine to figure stuff out (and explain its decisions to administrators afterwards!). Could be quite a cool project, depending on how much groundwork for this sort of thing already exists.

> I'm excited about the possibilities. Within the XenAccess project,
> I'm looking forward to collecting more data (including the driver
> taps that you mentioned and cpu context information), and adding more
> features such as instruction-level replay of a domain's execution
> environment. So keep watching and hopefully there will be some more
> interesting stuff coming down the pipe.

Just a heads-up that some people have been looking at deterministic replay, so you might want to figure out who they are and see what stage they're at.

A filter-style interface for collecting selected events from Xen (as proposed by Stanford guys in the introspection paper) would be a nice thing to have too. Stuff like direct syscall monitoring could be implemented this way, for instance.

Sounds like you've got a whole load of good plans, anyhow.

I wish you luck!

Cheers,
Mark

--
Dave: Just a question. What use is a unicycle with no seat? And no pedals!
Mark: To answer a question with a question: What use is a skateboard?
Dave: Skateboards have wheels.
Mark: My wheel has a wheel!

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users