* Scan guests' page to seek specific instructions
@ 2015-10-26 22:34 Wen QI
2015-10-27 13:50 ` Andrew Cooper
0 siblings, 1 reply; 2+ messages in thread
From: Wen QI @ 2015-10-26 22:34 UTC (permalink / raw)
To: xen-devel
Hi,
I am trying to scan guests' pages and check whether they contain specific instructions (e.g., LOCK). I summarize how I did it as follows. Could you please give some suggestions about whether am I on the right direction? Thank you.
In my testing environment, XEN 4.4.0 is deployed. Both Domain-0 and guests are using Ubuntu 14.4 64-bit. The guests are in HVM mode.
1. In the page fault handler sh_page_fault(), we first judge #PF (regs->error_code), if it contains PFEC_insn_fetch && PFEC_user_mode, then continue to next step.
2. The virtual address (va, which is from CR3) is converted to MFN.
3. If the MFN is valid, we get the page address via mfn_to_virt().
4. Then scan the page's data to check whether specific instructions exist in the page.
To simplify the testing, I temporarily disabled all shadow optimizations by setting SHADOW_OPTIMIZATIONS as 0x0F.
My observations are as follows:
- In step 2, some virtual addresses can be converted to valid MFN, some cannot.
- In the HVM guest, I run a piece of C code which contains the LOCK instructions. However, in step 4, the instructions cannot be detected.
Looking forward to your suggestions. Thanks again.
Best Regards
Wen
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: Scan guests' page to seek specific instructions
2015-10-26 22:34 Scan guests' page to seek specific instructions Wen QI
@ 2015-10-27 13:50 ` Andrew Cooper
0 siblings, 0 replies; 2+ messages in thread
From: Andrew Cooper @ 2015-10-27 13:50 UTC (permalink / raw)
To: Wen QI, xen-devel
On 26/10/15 22:34, Wen QI wrote:
> Hi,
>
> I am trying to scan guests' pages and check whether they contain specific instructions (e.g., LOCK). I summarize how I did it as follows. Could you please give some suggestions about whether am I on the right direction? Thank you.
>
> In my testing environment, XEN 4.4.0 is deployed. Both Domain-0 and guests are using Ubuntu 14.4 64-bit. The guests are in HVM mode.
>
> 1. In the page fault handler sh_page_fault(), we first judge #PF (regs->error_code), if it contains PFEC_insn_fetch && PFEC_user_mode, then continue to next step.
>
> 2. The virtual address (va, which is from CR3) is converted to MFN.
>
> 3. If the MFN is valid, we get the page address via mfn_to_virt().
>
> 4. Then scan the page's data to check whether specific instructions exist in the page.
>
> To simplify the testing, I temporarily disabled all shadow optimizations by setting SHADOW_OPTIMIZATIONS as 0x0F.
>
> My observations are as follows:
> - In step 2, some virtual addresses can be converted to valid MFN, some cannot.
Why would you expect them all to be valid? This is how demand paging of
library code typically works.
>
> - In the HVM guest, I run a piece of C code which contains the LOCK instructions. However, in step 4, the instructions cannot be detected.
Why do you expect to ever trap regular usermode execution on a user page?
If you want to do VM Introspection, start with a tool such as libVMI
rather than attempting to implement it from first principles in the
shadow paging code.
~Andrew
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2015-10-27 13:50 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2015-10-26 22:34 Scan guests' page to seek specific instructions Wen QI
2015-10-27 13:50 ` Andrew Cooper
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).