Guest Debugging Facilities in KVM

Guest Debugging Facilities in KVM

[Dean Pucsek]

Hello,

For my Masters thesis I am investigating the usage of Intel VT-x and branch tracing in the domain of malware analysis.  Essentially what I'm aiming to do is trace the execution of a guest VM and then pass that trace on to some other tools.  I've been playing KVM for a couple weeks now but from comments such as (in arch/x86/kvm/vmx.c): 

       /*
        * Forward all other exceptions that are valid in real mode.
        * FIXME: Breaks guest debugging in real mode, needs to be fixed with
        *        the required debugging infrastructure rework.
        */

And (from an email sent to the list in July 2008): 

        Note that guest debugging in real mode is broken now. This has to be
        fixed by the scheduled debugging infrastructure rework (will be done
        once base patches for QEMU have been accepted).

it is unclear to me how much support there is for guest debugging in KVM currently (I wasn't able to find any recent documentation on it) and what the debugging infrastructure referred to by these comments is.  I am interested in becoming involved with the KVM project in this respect however some guidance and direction on the guest debugging facilities would be greatly appreciated.

Cheers,


Dean Pucsek

Masters Student
Department of Computer Science
University of Victoria, Canada

Re: Guest Debugging Facilities in KVM

[Avi Kivity]

On 09/17/2012 10:36 PM, Dean Pucsek wrote:
> Hello,
> 
> For my Masters thesis I am investigating the usage of Intel VT-x and branch tracing in the domain of malware analysis.  Essentially what I'm aiming to do is trace the execution of a guest VM and then pass that trace on to some other tools.  I've been playing KVM for a couple weeks now but from comments such as (in arch/x86/kvm/vmx.c): 
> 
>        /*
>         * Forward all other exceptions that are valid in real mode.
>         * FIXME: Breaks guest debugging in real mode, needs to be fixed with
>         *        the required debugging infrastructure rework.
>         */
> 
> And (from an email sent to the list in July 2008): 
> 
>         Note that guest debugging in real mode is broken now. This has to be
>         fixed by the scheduled debugging infrastructure rework (will be done
>         once base patches for QEMU have been accepted).
> 
> it is unclear to me how much support there is for guest debugging in KVM currently (I wasn't able to find any recent documentation on it) and what the debugging infrastructure referred to by these comments is.  I am interested in becoming involved with the KVM project in this respect however some guidance and direction on the guest debugging facilities would be greatly appreciated.

Guest debugging works (but not in real mode due to the issue above).
You can set hardware and software breakpoints and kvm will forward them
to userspace, and from there to the debugger.  I'll be happy to help, as
I'm sure Jan (as the author of most of the guest debugging code) will as
well.

-- 
error compiling committee.c: too many arguments to function

Re: Guest Debugging Facilities in KVM

[Jan Kiszka]

On 2012-09-19 16:38, Avi Kivity wrote:
> On 09/17/2012 10:36 PM, Dean Pucsek wrote:
>> Hello,
>>
>> For my Masters thesis I am investigating the usage of Intel VT-x and branch tracing in the domain of malware analysis.  Essentially what I'm aiming to do is trace the execution of a guest VM and then pass that trace on to some other tools.  I've been playing KVM for a couple weeks now but from comments such as (in arch/x86/kvm/vmx.c): 
>>
>>        /*
>>         * Forward all other exceptions that are valid in real mode.
>>         * FIXME: Breaks guest debugging in real mode, needs to be fixed with
>>         *        the required debugging infrastructure rework.
>>         */
>>
>> And (from an email sent to the list in July 2008): 
>>
>>         Note that guest debugging in real mode is broken now. This has to be
>>         fixed by the scheduled debugging infrastructure rework (will be done
>>         once base patches for QEMU have been accepted).
>>
>> it is unclear to me how much support there is for guest debugging in KVM currently (I wasn't able to find any recent documentation on it) and what the debugging infrastructure referred to by these comments is.  I am interested in becoming involved with the KVM project in this respect however some guidance and direction on the guest debugging facilities would be greatly appreciated.
> 
> Guest debugging works (but not in real mode due to the issue above).

That doesn't apply to CPUs with "Unrestricted Guest" support, right? At
least I didn't notice any limitations recently. [I did notice some other
corner-case issue with guest debugging, still need to dig into that...]

> You can set hardware and software breakpoints and kvm will forward them
> to userspace, and from there to the debugger.  I'll be happy to help, as
> I'm sure Jan (as the author of most of the guest debugging code) will as
> well.
> 

This may help as a starter:

http://chemnitzer.linux-tage.de/2012/vortraege/folien/1061-VirtualDebugging.pdf

Jan

-- 
Siemens AG, Corporate Technology, CT RTC ITP SDP-DE
Corporate Competence Center Embedded Linux

Re: Guest Debugging Facilities in KVM

[Avi Kivity]

On 09/19/2012 05:45 PM, Jan Kiszka wrote:
> On 2012-09-19 16:38, Avi Kivity wrote:
>> On 09/17/2012 10:36 PM, Dean Pucsek wrote:
>>> Hello,
>>>
>>> For my Masters thesis I am investigating the usage of Intel VT-x and branch tracing in the domain of malware analysis.  Essentially what I'm aiming to do is trace the execution of a guest VM and then pass that trace on to some other tools.  I've been playing KVM for a couple weeks now but from comments such as (in arch/x86/kvm/vmx.c): 
>>>
>>>        /*
>>>         * Forward all other exceptions that are valid in real mode.
>>>         * FIXME: Breaks guest debugging in real mode, needs to be fixed with
>>>         *        the required debugging infrastructure rework.
>>>         */
>>>
>>> And (from an email sent to the list in July 2008): 
>>>
>>>         Note that guest debugging in real mode is broken now. This has to be
>>>         fixed by the scheduled debugging infrastructure rework (will be done
>>>         once base patches for QEMU have been accepted).
>>>
>>> it is unclear to me how much support there is for guest debugging in KVM currently (I wasn't able to find any recent documentation on it) and what the debugging infrastructure referred to by these comments is.  I am interested in becoming involved with the KVM project in this respect however some guidance and direction on the guest debugging facilities would be greatly appreciated.
>> 
>> Guest debugging works (but not in real mode due to the issue above).
> 
> That doesn't apply to CPUs with "Unrestricted Guest" support, right? 

Right.

> At
> least I didn't notice any limitations recently. [I did notice some other
> corner-case issue with guest debugging, still need to dig into that...]

I'm sure there's a diamond mine of corner cases in that code.


-- 
error compiling committee.c: too many arguments to function

Re: Guest Debugging Facilities in KVM

[Dean Pucsek]

On 2012-09-19, at 7:45 AM, Jan Kiszka <jan.kiszka@siemens.com> wrote:

> On 2012-09-19 16:38, Avi Kivity wrote:
>> On 09/17/2012 10:36 PM, Dean Pucsek wrote:
>>> Hello,
>>> 
>>> For my Masters thesis I am investigating the usage of Intel VT-x and branch tracing in the domain of malware analysis.  Essentially what I'm aiming to do is trace the execution of a guest VM and then pass that trace on to some other tools.  I've been playing KVM for a couple weeks now but from comments such as (in arch/x86/kvm/vmx.c): 
>>> 
>>>       /*
>>>        * Forward all other exceptions that are valid in real mode.
>>>        * FIXME: Breaks guest debugging in real mode, needs to be fixed with
>>>        *        the required debugging infrastructure rework.
>>>        */
>>> 
>>> And (from an email sent to the list in July 2008): 
>>> 
>>>        Note that guest debugging in real mode is broken now. This has to be
>>>        fixed by the scheduled debugging infrastructure rework (will be done
>>>        once base patches for QEMU have been accepted).
>>> 
>>> it is unclear to me how much support there is for guest debugging in KVM currently (I wasn't able to find any recent documentation on it) and what the debugging infrastructure referred to by these comments is.  I am interested in becoming involved with the KVM project in this respect however some guidance and direction on the guest debugging facilities would be greatly appreciated.
>> 
>> Guest debugging works (but not in real mode due to the issue above).
> 
> That doesn't apply to CPUs with "Unrestricted Guest" support, right? At
> least I didn't notice any limitations recently. [I did notice some other
> corner-case issue with guest debugging, still need to dig into that...]
> 
>> You can set hardware and software breakpoints and kvm will forward them
>> to userspace, and from there to the debugger.  I'll be happy to help, as
>> I'm sure Jan (as the author of most of the guest debugging code) will as
>> well.
>> 

Is there a roadmap or plan for how the KVM project envisions the debugging facilities evolving? 

> 
> This may help as a starter:
> 
> http://chemnitzer.linux-tage.de/2012/vortraege/folien/1061-VirtualDebugging.pdf
> 

That is a huge help, thanks!

> Jan
> 
> -- 
> Siemens AG, Corporate Technology, CT RTC ITP SDP-DE
> Corporate Competence Center Embedded Linux

Re: Guest Debugging Facilities in KVM

[Jan Kiszka]

On 2012-09-20 19:17, Dean Pucsek wrote:
> 
> On 2012-09-19, at 7:45 AM, Jan Kiszka <jan.kiszka@siemens.com> wrote:
> 
>> On 2012-09-19 16:38, Avi Kivity wrote:
>>> On 09/17/2012 10:36 PM, Dean Pucsek wrote:
>>>> Hello,
>>>>
>>>> For my Masters thesis I am investigating the usage of Intel VT-x and branch tracing in the domain of malware analysis.  Essentially what I'm aiming to do is trace the execution of a guest VM and then pass that trace on to some other tools.  I've been playing KVM for a couple weeks now but from comments such as (in arch/x86/kvm/vmx.c): 
>>>>
>>>>       /*
>>>>        * Forward all other exceptions that are valid in real mode.
>>>>        * FIXME: Breaks guest debugging in real mode, needs to be fixed with
>>>>        *        the required debugging infrastructure rework.
>>>>        */
>>>>
>>>> And (from an email sent to the list in July 2008): 
>>>>
>>>>        Note that guest debugging in real mode is broken now. This has to be
>>>>        fixed by the scheduled debugging infrastructure rework (will be done
>>>>        once base patches for QEMU have been accepted).
>>>>
>>>> it is unclear to me how much support there is for guest debugging in KVM currently (I wasn't able to find any recent documentation on it) and what the debugging infrastructure referred to by these comments is.  I am interested in becoming involved with the KVM project in this respect however some guidance and direction on the guest debugging facilities would be greatly appreciated.
>>>
>>> Guest debugging works (but not in real mode due to the issue above).
>>
>> That doesn't apply to CPUs with "Unrestricted Guest" support, right? At
>> least I didn't notice any limitations recently. [I did notice some other
>> corner-case issue with guest debugging, still need to dig into that...]
>>
>>> You can set hardware and software breakpoints and kvm will forward them
>>> to userspace, and from there to the debugger.  I'll be happy to help, as
>>> I'm sure Jan (as the author of most of the guest debugging code) will as
>>> well.
>>>
> 
> Is there a roadmap or plan for how the KVM project envisions the debugging facilities evolving? 

KVM and QEMU are in a pretty good shape now for kernel debugging on x86
- given current boundary conditions. Still we need to do something
because gdb for x86 is not well prepared for system-level debugging. And
those changes will requires some extensions of QEMU in turn.

There are some ideas and early code to add gdb tracepoint support to
QEMU and, possibly, to KVM (as acceleration).

Jan

-- 
Siemens AG, Corporate Technology, CT RTC ITP SDP-DE
Corporate Competence Center Embedded Linux