From: Heng Yin <hyin@ece.cmu.edu>
To: qemu-devel@nongnu.org
Subject: [Qemu-devel] On-demand taint tracking
Date: Fri, 23 Feb 2007 18:02:46 -0500
Message-ID: <45DF7296.7060502@ece.cmu.edu>
Hi Qemu developers,
I have implemented a whole-system taint tracking system on Qemu. But the
performance overhead is big. Now I want to optimize it by performing
on-demand taint tracking. The idea is that Qemu runs in virtualization
mode most of the time (running with kqemu), and switches to emulation mode
to propagate taint information when necessary. When taint information has
not been propagating for a while, I put Qemu into virtualization mode again.
Before I put it into virtualization mode, I disable the tainted pages by
removing their PG_PRESENT flags. So once kqemu accesses one of these
pages, the page fault handler gets called, and qemu gets control.
I have written something for this, but it does not work. The guest OS
crashes immediately when I put Qemu into virtualization mode. Kqemu does
not raise a page fault before the target OS crashes.
I list part of my code below. Can someone give me any hints about what I did
wrong here?
/* This function disables all the tainted pages and puts Qemu
 * into virtualization mode. */
int switch_e2v(void)
{
    int i;
    uint32_t pte;

    /* Disable the tainted pages: walk every physical page frame. */
    for (i = 0; i < ram_size / 4096; i++) {
        page_table_t *page = tc_page_table[i];
        /* Skip pages with no taint record or no known PTE address. */
        if (!page || !page->pte_addr)
            continue;
        /* If this page is tainted, I get its pte and clear
         * its PG_PRESENT flag. */
        pte = ldl_phys(page->pte_addr);
        pte &= ~PG_PRESENT_MASK;
        /* I set the avail bits (9..11) to all 1s, so that I know this
         * page is different from those actually not present. */
        pte |= 0xe00;
        stl_phys_notdirty(page->pte_addr, pte);
    }
    emulation_mode = 0; /* indicate we are entering virtualization mode */
    return 0;
}
Any comments are highly appreciated!
Thanks a lot,
Heng
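As an added illustration (not part of the post or of Qemu), here is the PTE marking scheme from the message worked through on a constructed in-memory page table: trap only entries that are actually present, recognize the 0xe00 marker in the fault path, and restore the mapping afterwards. It assumes a non-PAE 32-bit x86 PTE layout and that the guest leaves the avail bits 9..11 unused.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Non-PAE x86 page-table entry bits (assumed layout). */
#define PG_PRESENT_MASK 0x001u
#define PG_AVAIL_MASK   0xe00u  /* bits 9..11, ignored by the MMU */
#define TAINT_MARK      0xe00u  /* the post's marker: all avail bits set */

/* Disable a tainted page: clear Present and stamp the avail bits so the
 * fault handler can tell a taint trap from a genuinely absent page.
 * An entry that is already not present is left untouched: stamping it
 * would later make us "restore" a mapping the guest never had. */
bool taint_trap_pte(uint32_t *pte)
{
    if (!(*pte & PG_PRESENT_MASK))
        return false;
    *pte = (*pte & ~PG_PRESENT_MASK) | TAINT_MARK;
    return true;
}

/* Fault-handler side: was this not-present fault caused by our trap? */
bool is_taint_trap(uint32_t pte)
{
    return !(pte & PG_PRESENT_MASK) && (pte & PG_AVAIL_MASK) == TAINT_MARK;
}

/* Re-enable the page before switching back to emulation mode.
 * Only entries carrying the marker are touched. */
bool taint_untrap_pte(uint32_t *pte)
{
    if (!is_taint_trap(*pte))
        return false;
    *pte = (*pte & ~PG_AVAIL_MASK) | PG_PRESENT_MASK;
    return true;
}

/* Sweep of the post's switch_e2v loop over a constructed table:
 * ptab[i] is the PTE of frame i, tainted[i] says whether frame i is
 * tainted. Returns the number of entries actually trapped. */
size_t trap_tainted_pages(uint32_t *ptab, const bool *tainted, size_t n)
{
    size_t count = 0;
    for (size_t i = 0; i < n; i++)
        if (tainted[i] && taint_trap_pte(&ptab[i]))
            count++;
    return count;
}
```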