From: Razvan Cojocaru
Subject: Re: [PATCH V2] mem_event: Allow emulating an instruction that caused a page fault
Date: Tue, 22 Jan 2013 16:45:34 +0200
Message-ID: <50FEA60E.2000503@gmail.com>
To: Tim Deegan
Cc: Andres Lagar-Cavilla, xen-devel@lists.xen.org

> The only properly safe way to allow exactly one exception to your rules
> is to emulate the instruction in user-space. (Well, that or somehow
> move your policy into Xen and do the emulation there, but I'm quite
> strongly opposed to that).

Is there an example of that somewhere in the Xen source code tree?

> If you're just using this to gather statistics about how often a page
> gets written, you could use sampling; you don't need to see _every_
> write.

I'm not gathering statistics.

> It might be helpful if you could give us a clear description of exactly
> what problem you're trying to solve.

I'm watching for suspicious activity on the domU. If any occurs, the
domU should be paused (at least the VCPU in question). A dom0 userspace
application should decide what constitutes suspicious activity, with (1)
the least possible slowing down of the domU, and (2) with as few "false
positive" writes allowed as possible (ideally zero, if there's a way that
doesn't go against requirement (1)).

Thanks,
Razvan Cojocaru