Re: Logging Access to HDD

[Sebastian Biedermann <biedermann@seceng.informatik.tu-darmstadt.de>]

Am 19.04.2011 11:54, schrieb Michal Novotny:
> On 04/19/2011 11:44 AM, Sebastian Biedermann wrote:
>> Am 19.04.2011 11:35, schrieb James Harper:
>>>> Dear List,
>>>>
>>>> I´m working in research and I tought this list could be
>>>> a good adress for my questions.
>>>>
>>>> I want to log the disk accesses of the virtual hvm instances running in Xen.
>>>> That means for the start I want to log the write querys of a running
>>>> domU instance in the dom0 instance.
>>>>
>>>> So I´m trying to modify the Xen 3.2.1 source code,
>>>> but actually I was not able to find a good entry point to do this.
>>>>
>>>> For now, I want to log the disk accesses of a running windows 7 domU
>>>> instance.
>>>> The best what could happenis that I could see even the source and target
>>>> of a hdd write query.
>>>>
>>>> Does anyone have an idea how I could do this on a good way?
>>>> Which Xen source file / function should I modify? Where is the best
>>>> entry point to do this?
>>> HVM access can either be emulated PCI IDE, or PV. For the emulated access you would hook into qemu, I think. For PV access you would need to hook into whatever block device backend you are using.
>>>
>>> Do you just want to count reads and writes, or do you want to log every single byte read/written?
>>>
>>> James
>> I dont need to log every single byte, it would be enough to know which
>> file is accessed by the domU inside its image.
>> So when I use HVM I need to modify qemu and not the xen source?
>>
>> thanks
>>
> Sebastian, QEMU is used by Xen for HVM guests. It's in the Xen source
> codes in the tools/ioemu-dir so look there and here it depends on disk
> type you're having - whether SCSI or IDE disk or whether you're using PV
> drivers. This can be found in the Xen domain configuration, i.e. if
> you're using file:/path/to/image,xvda then you're using PV drivers (they
> have to be installed in the guest), for hda instead of xvda you're using
> IDE disk and for sda instead of xvda you're using SCSI disk. If you're
> using PV drivers then you have to modify the PV drivers themselves and
> not QEMU so I'd recommend to use SCSI or IDE disk instead. For SCSI disk
> it's the best since you have the logic in the ioemu-dir/hw/scsi-disk.c
> AFAIK.
>
> Michal
>

Okay, that sounds good, I will try to modifiy the ioemu ide drivers
to see which sectors are used and I will try to match these sectors to
the upper layer of the image of the guestU tofind out which
data files are accessed. Hope that works :-)

Thank you!



-- 
Sebastian Biedermann
Security Engineering Group
Technische Universität Darmstadt
Mornewegstraße 32, 64293 Darmstadt
Phone: +49-6151-16-75146

This email and any files transmitted with it are confidential
and intended solely for the use of the individual or entity
to whom they are addressed. If you have received this email
in error please notify the sender.