Re: [PATCH 0/3] xen: add support for skipping the current instruction

[Tamas K Lengyel <tamas.lengyel@zentific.com>]

[-- Attachment #1.1: Type: text/plain, Size: 1351 bytes --]

> Leaving open why terminating the in-guest process requires advancing
> > its IP then, if all other register updates are unnecessary. A huge chunk
> > of source code like this needs - I think - a little more of a rationale
> than
> > some exotic, only partially explained use case.
>
> Essentially, instruction skipping is an alternative to
> 'emulate-no-write'. All it offers is a speed boost, which is noticeable
> when, for example, the emulator is walking a piece of code located into
> an NX-marked memory area (stack, for example). With emulation, it takes
> a long time for an application which has been exploited to terminate
> (some types of malware try in a forever-loop to write to the memory
> areas they target).
>

I wonder what the point is in skipping over the code of some code malware
has put on the stack? Wouldn't it likely just end up crashing afterwards
anyway? If your goal is to terminate the offending application, you could
just simply point the process' RIP to a known invalid location to cause an
immediate crash.. If you need to terminate the process cleanly, then you
could use some OS specific knowledge to redirect the execution of the
process, like update RIP to ExitProcess on Windows for example. Of course,
depending on the threat model that may not be acceptable (ExitProcess may
be hooked as well, etc.).

Tamas

[-- Attachment #1.2: Type: text/html, Size: 1720 bytes --]

[-- Attachment #2: Type: text/plain, Size: 126 bytes --]

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel