* [Qemu-devel] Access to QEMU's guest physical memory
@ 2006-09-13 10:05 G Portokalidis
From: G Portokalidis @ 2006-09-13 10:05 UTC (permalink / raw)
To: qemu-devel
Hello,
I have been in the process of porting Argos to Qemu 0.8.2.
In case you haven't heard of Argos, it's basically Qemu extended to
track network data entering the emulator to identify their illegal use
(exploits, etc).
I am using the softmmu to track all accesses to physical memory to
track which memory addresses are occupied by network data.
I am trying to figure out all the possible ways guest physical memory
is accessed at runtime. Besides the softmmu, I also identified that
DMA also accesses physical memory using cpu_physical_memory_rw(), in
exec.c.
Do any virtual peripherals access guest physical memory without using
the above call, or is memory altered by Qemu's dynamic translation (or
other components)?
I must be missing something, since I have noticed that when memory is
cluttered with network data (because of using IE for example),
starting a new application reports that values used in jmp
instructions (op_jmp_T0, in op.c) come from the network, while that is
not the case.
It seems that loading a new executable to guest memory is not tracked,
and as a result a page previously used by IE is not "cleaned". Another
thought is that maybe the translation writes data to guest physical
memory, but from what I understand of Qemu, translation seems to only
touch host memory.
If any of the developers could help, it would be appreciated.
I have spent many hours going through Qemu's code without result.
Thanks in advance, and I hope this is not immediately discarded as
being too long. :-P
Cheers,
George
* Re: [Qemu-devel] Access to QEMU's guest physical memory
From: maestro @ 2006-09-13 17:26 UTC (permalink / raw)
To: qemu-devel
On Wednesday, 13.09.2006, 12:05 +0200, G Portokalidis wrote:
Hello George,
I've read the ARGOS paper - good paper! I'm not familiar with the Argos
source code, but I've encountered the situation that Windows clears pages
with 8-byte (64-bit) wide st operations consisting of all 0s (even on
32-bit Win2k), and it gave me a lot of the same stuff you're describing
above when I thought that 32-bit Windows only does 32-bit memwrites. (I
instrumented the ld/st macros in softmmu_{header,template}.h for that
purpose.)
If you find anything else, please let me know, since I'm very interested
in that.
cheers
m.
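The stale-taint effect maestro describes, as an added example that is neither Argos nor QEMU code: a toy byte-granular taint shadow over one constructed guest page, with a hypothetical store hook that only clears taint for the store widths it instruments. Zeroing a previously network-filled region with 8-byte stores then leaves taint behind unless 64-bit stores are hooked too, and a later op_jmp_T0-style check on that region fires a false alert.

```c
/* Added example, not code from Argos or QEMU: a toy taint shadow for one
 * guest page. It shows why an 8-byte zeroing store that the tracker does
 * not hook leaves stale "network" taint behind, producing a false jmp alert. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define GUEST_RAM 4096                /* one constructed guest page */
static uint8_t ram[GUEST_RAM];
static uint8_t taint[GUEST_RAM];      /* 1 = byte originated from the network */

/* Network data landing in guest RAM (e.g. NIC DMA) taints the bytes it covers. */
static void net_write(uint32_t paddr, const void *buf, size_t n) {
    memcpy(ram + paddr, buf, n);
    memset(taint + paddr, 1, n);
}

/* Hypothetical st hook: a guest store of untainted data, w bytes wide.
 * widths_hooked is a bitmask of store widths the tracker instruments;
 * unhooked widths still update RAM but leave the shadow untouched. */
static void guest_store(uint32_t paddr, uint64_t val, unsigned w, unsigned widths_hooked) {
    memcpy(ram + paddr, &val, w);
    if (widths_hooked & w)
        memset(taint + paddr, 0, w);
}

/* op_jmp_T0-style check: is any byte of the 4-byte jump target tainted? */
static bool jmp_target_tainted(uint32_t paddr) {
    for (unsigned i = 0; i < 4; i++)
        if (taint[paddr + i]) return true;
    return false;
}

/* Scenario: a packet lands at 0x100, then the guest OS zeroes the region with
 * 8-byte stores before reusing it. Returns true if the tracker still flags a
 * jmp target read from the recycled region, i.e. a false positive. */
static bool false_alert_after_zeroing(unsigned widths_hooked) {
    memset(ram, 0, sizeof ram);
    memset(taint, 0, sizeof taint);
    uint8_t pkt[64];
    memset(pkt, 0x41, sizeof pkt);            /* constructed packet payload */
    net_write(0x100, pkt, sizeof pkt);
    for (uint32_t a = 0x100; a < 0x140; a += 8)
        guest_store(a, 0, 8, widths_hooked);  /* 64-bit zeroing stores */
    return jmp_target_tainted(0x120);
}
```

Hooking widths 1/2/4 only reports an alert; adding width 8 to the mask makes the same scenario clean.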
* Re: [Qemu-devel] Access to QEMU's guest physical memory
From: G Portokalidis @ 2006-09-20 9:20 UTC (permalink / raw)
To: qemu-devel
Hi, I am actually instrumenting all memory writes in softmmu, so I
shouldn't miss the writes cleaning up pages.
What I have been thinking lately is that it might be the translation
of code that causes the alerts.
I am not very familiar with how that is working, but I was wondering
whether the code to be translated (guest code) is actually written to
guest memory before being translated. If the code is simply picked up
from the disk and translated, it would explain why this is the case.
On 13/09/06, maestro <maestro82@gmail.com> wrote: