From: Andrew Cooper <andrew.cooper3@citrix.com>
To: "Mihai Donțu" <mdontu@bitdefender.com>
Cc: Tim Deegan <tim@xen.org>,
Razvan Cojocaru <rcojocaru@bitdefender.com>,
Jan Beulich <JBeulich@suse.com>,
xen-devel@lists.xen.org
Subject: Re: [PATCH RFC 6/9] xen, libxc: Request page fault injection via libxc
Date: Thu, 03 Jul 2014 10:32:14 +0100 [thread overview]
Message-ID: <53B5231E.2010006@citrix.com> (raw)
In-Reply-To: <20140703112329.629daf8a@bitdefender.com>
On 03/07/2014 09:23, Mihai Donțu wrote:
> On Wednesday 02 July 2014 18:07:20 Andrew Cooper wrote:
>> On 02/07/14 17:58, Mihai Donțu wrote:
>>> On Wed, 2 Jul 2014 17:00:08 +0100 Andrew Cooper wrote:
>>>> On 02/07/14 16:51, Jan Beulich wrote:
>>>>
>>> There were times when we wanted to get certain information from the
>>> guest but couldn't because it was swapped out. We now handle that
>>> situation by injecting a #PF and then let the OS respond as it would
>>> under a normal circumstance. After the data is brought in, it traps
>>> again into our application and we get what we need, but yes, it
>>> requires deep knowledge about the guest OS in order to do it without
>>> crashing it. It's doable only if you have the means necessary to
>>> inspect its state fully, which is why some of the submitted patches
>>> exist.
>> What is the threat model here?
>>
>> It seems to me that the only safe place to organise this is from a
>> device driver in the guest.
> This patch by itself does not address an in-guest security issue, it
> merely helps implement a number of guards. For example, if we want to
> audit all attempts to write into the .text area of an application by
> other applications (via process_vm_writev() or equivalent) we need to
> first bring in the complete .text sections of all modules. I forgot to
> mention before, but this patch can be used to bring in pages from
> memory mapped files (executables / shared objects).
>
> This can indeed be done in a much easier fashion directly from the
> guest kernel, but we are envisioning a security tool that acts
> completely from outside the domain and firmly believe that the amount
> of work needed to do this will be worth it.
>
Ok. So you are looking for a way to force arbitrary pages to be paged in?
I cant see how this could ever be safe from outside the VM. At the very
best you will have to wait until the correct virtual address space is in
context (which is not as easy as relying on cr3), probably wait until
the vcpu is executing userspace code, and even then you are still
fighting with the guest OS's paging-out algorithm.
This certainly isn't something can be done safely as a toolstack hypercall.
While I can see what you intend to do with the feature, I still can't
see how it would actually work given the infrastructure in this series.
~Andrew
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel
next prev parent reply other threads:[~2014-07-03 9:32 UTC|newest]
Thread overview: 64+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-07-02 13:33 [PATCH RFC 1/9] xen: Emulate with no writes; compute current instruction length Razvan Cojocaru
2014-07-02 13:33 ` [PATCH RFC 2/9] xen: Optimize introspection access to guest state Razvan Cojocaru
2014-07-02 15:31 ` Andrew Cooper
2014-07-07 14:50 ` Razvan Cojocaru
2014-07-10 8:05 ` Razvan Cojocaru
2014-07-10 8:17 ` Andrew Cooper
2014-07-10 8:23 ` Razvan Cojocaru
2014-07-10 11:57 ` Razvan Cojocaru
2014-07-10 12:16 ` Razvan Cojocaru
2014-07-10 13:01 ` Andrew Cooper
2014-07-02 15:37 ` Jan Beulich
2014-07-03 8:12 ` Razvan Cojocaru
2014-07-03 8:54 ` Jan Beulich
2014-07-02 13:33 ` [PATCH RFC 3/9] xen: Force-enable relevant MSR events; optimize the number of sent MSR events Razvan Cojocaru
2014-07-02 15:35 ` Andrew Cooper
2014-07-02 15:43 ` Jan Beulich
2014-07-09 8:02 ` Razvan Cojocaru
2014-07-23 7:56 ` Jan Beulich
2014-07-23 8:03 ` Razvan Cojocaru
2014-07-02 13:33 ` [PATCH RFC 4/9] xenctrl: Make the headers C++ friendly Razvan Cojocaru
2014-07-02 15:37 ` Andrew Cooper
2014-07-02 13:33 ` [PATCH RFC 5/9] xen: Support for VMCALL mem_events Razvan Cojocaru
2014-07-02 15:47 ` Jan Beulich
2014-07-02 15:54 ` Razvan Cojocaru
2014-07-02 16:11 ` Jan Beulich
2014-07-02 16:23 ` Razvan Cojocaru
2014-07-03 6:28 ` Jan Beulich
2014-07-03 7:29 ` Razvan Cojocaru
2014-07-02 15:54 ` Andrew Cooper
2014-07-02 15:59 ` Razvan Cojocaru
2014-07-02 13:33 ` [PATCH RFC 6/9] xen, libxc: Request page fault injection via libxc Razvan Cojocaru
2014-07-02 15:51 ` Jan Beulich
2014-07-02 16:00 ` Andrew Cooper
2014-07-02 16:58 ` Mihai Donțu
2014-07-02 17:07 ` Andrew Cooper
2014-07-03 8:23 ` Mihai Donțu
2014-07-03 9:32 ` Andrew Cooper [this message]
2014-07-03 9:40 ` Razvan Cojocaru
2014-07-02 16:06 ` Razvan Cojocaru
2014-07-02 16:13 ` Jan Beulich
2014-07-02 13:33 ` [PATCH RFC 7/9] xen: Handle resumed instruction based on previous mem_event reply Razvan Cojocaru
2014-07-02 15:56 ` Jan Beulich
2014-07-03 8:55 ` Razvan Cojocaru
2014-07-03 9:02 ` Jan Beulich
2014-07-03 9:12 ` Razvan Cojocaru
2014-07-03 9:18 ` Andrew Cooper
2014-07-03 9:22 ` Jan Beulich
2014-07-03 9:34 ` Razvan Cojocaru
2014-07-03 10:14 ` Jan Beulich
2014-07-02 13:34 ` [PATCH RFC 8/9] xen: Generic instruction re-execution mechanism for execute faults Razvan Cojocaru
2014-07-02 16:04 ` Andrew Cooper
2014-07-02 13:34 ` [PATCH RFC 9/9] mm: mark pages that have their permissions controlled by a domain Razvan Cojocaru
2014-07-03 10:19 ` Jan Beulich
2014-07-03 11:27 ` Razvan Cojocaru
2014-07-03 12:15 ` Jan Beulich
2014-07-02 15:20 ` [PATCH RFC 1/9] xen: Emulate with no writes; compute current instruction length Andrew Cooper
2014-07-03 7:42 ` Razvan Cojocaru
2014-07-02 15:21 ` Jan Beulich
2014-07-02 15:43 ` Razvan Cojocaru
2014-07-02 16:08 ` Jan Beulich
2014-07-02 16:18 ` Razvan Cojocaru
2014-07-03 6:24 ` Jan Beulich
2014-07-03 7:38 ` Razvan Cojocaru
2014-07-03 8:05 ` Jan Beulich
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=53B5231E.2010006@citrix.com \
--to=andrew.cooper3@citrix.com \
--cc=JBeulich@suse.com \
--cc=mdontu@bitdefender.com \
--cc=rcojocaru@bitdefender.com \
--cc=tim@xen.org \
--cc=xen-devel@lists.xen.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.