4 messages in com.xensource.lists.xen-devel: RE: [Xen-devel] xen strace analysis

| From | Sent On | Attachments |
|---|---|---|
| Sanjam Garg | 28 Feb 2007 09:37 | |
| Petersson, Mats | 28 Feb 2007 09:55 | |
| Sanjam Garg | 28 Feb 2007 10:08 | |
| Petersson, Mats | 28 Feb 2007 10:19 | |

| Subject: | RE: [Xen-devel] xen strace analysis |
|---|---|
| From: | Sanjam Garg (sanj...@yahoo.com) |
| Date: | 02/28/2007 10:08:59 AM |
| List: | com.xensource.lists.xen-devel |
Hi
Thanks for the quick reply. There is an issue here. Since I intend to do
system call analysis, doing it from within domU prevents my IDS from being
independent of the kernel integrity. Doing it in the dom0 and using a small
agent in the domU does not help assure that information received from domU is
not tainted. I understand that direct information of system calls is not
possible. Nonetheless, is there a way I can extrapolate information about the
system call analysis from the low level information in Xen?
UML (User Mode Linux) does help achieve such functionality as per the paper.
(http://www.laureano.eti.br/projetos/vmids/vmids_euromicro.pdf)
Sanjam
"Petersson, Mats" <Mats...@amd.com> wrote:
-----Original Message-----
From: xen-...@lists.xensource.com [mailto:xen-...@lists.xensource.com] On Behalf Of Sanjam Garg
Sent: 28 February 2007 17:38
To: xen-...@lists.xensource.com
Subject: [Xen-devel] xen strace analysis
Hi
I am looking for a mechanism to gather information about system calls that a guest Operating system is making. Any references for development of IDS's with Xen would also help.
Xen doesn't have any clue what system calls the guest-OS is making (and should not know this). Xen itself only gets involved for certain special operations which, generally, either deal with page-table (memory-mapping) handling or inter-domain communication (event-channel), and of course domain life-cycle (creating, destroying, pausing and unpausing, save and restore, and migration). With a few other exceptions, everything else is handled within the guest itself. That's for the para-virtual case. In a fully-virtualized domain, there's even less knowledge of what's going on in the guest.
So whilst the hypervisor may be able to surmise from this knowledge that a guest changed its pagetables around, it's not sufficiently aware of WHY to say whether that was done because of a fork, mmap or malloc call for example. It can determine that some communication happened between the guest and dom0, but not whether it's a file-read or a socket network operation, etc, etc.
The only way to know what the guest is doing is to sit inside the guest-OS and perform something like strace (I think there are some ways to do a "system-wide strace", so you'd see exactly which system calls are done by which process).
-- Mats
Thanks Sanjam
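Mats' point above is that the hypervisor only sees page-table, event-channel and life-cycle operations, so per-process system call visibility has to come from inside the guest, for example a system-wide `strace -f`. The following is an added illustration of what an in-guest analysis step can look like once that trace exists; it is not code from this thread, from Xen, or from the paper Sanjam cites. It assumes GNU strace's default line format with a leading PID (either `1234  call(...)` or `[pid  1234] call(...)`), handles the `<unfinished ...>` / `<... resumed>` split that `-f` produces, and compares each process's syscall set against a hypothetical baseline profile (`BASELINE`, an assumption for the example). The sample trace lines are constructed, not captured from a real guest.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of `strace -f` output (not a real capture). Notice the
# interrupted read by pid 1235 that is reported in two halves, the signal line
# without a PID prefix, and the exit marker.
SAMPLE = r"""1234  execve("/usr/bin/cat", ["cat", "/etc/hostname"], 0x7ffdc0de0000) = 0
1234  openat(AT_FDCWD, "/etc/hostname", O_RDONLY) = 3
1234  read(3, "guest\n", 131072)        = 6
1234  write(1, "guest\n", 6)            = 6
1234  close(3)                          = 0
1234  exit_group(0)                     = ?
1234  +++ exited with 0 +++
1235  read(0,  <unfinished ...>
1236  socket(AF_INET, SOCK_STREAM, IPPROTO_IP) = 4
1236  connect(4, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("192.0.2.1")}, 16) = 0
1235  <... read resumed> "x\n", 1024)   = 2
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=1234} ---
"""

# Hypothetical baseline: the syscalls a simple file-reading tool is expected to make.
BASELINE = {"execve", "openat", "read", "write", "close", "exit_group"}

# Optional PID prefix in either of strace's two shapes, then the rest of the line.
_LINE = re.compile(r'^(?:\[pid\s+(?P<pid1>\d+)\]\s*|(?P<pid2>\d+)\s+)?(?P<body>.*)$')
_CALL = re.compile(r'^(?P<name>[a-z_][a-z0-9_]*)\(')
_RESUMED = re.compile(r'^<\.\.\. (?P<name>[a-z_][a-z0-9_]*) resumed>')


def parse_strace_line(line, default_pid=0):
    """Return (pid, syscall_name) for a line that starts a system call, else None.

    Signal markers (--- ... ---), exit markers (+++ ... +++) and the
    '<... name resumed>' continuation of an interrupted call are skipped;
    the interrupted call was already counted on its '<unfinished ...>' line.
    """
    m = _LINE.match(line.rstrip("\n"))
    pid = int(m.group("pid1") or m.group("pid2") or default_pid)
    body = m.group("body")
    if body.startswith(("---", "+++")) or _RESUMED.match(body):
        return None
    c = _CALL.match(body)
    return (pid, c.group("name")) if c else None


def syscall_histogram(lines, default_pid=0):
    """Map each PID to a Counter of the system calls it issued."""
    hist = defaultdict(Counter)
    for line in lines:
        parsed = parse_strace_line(line, default_pid)
        if parsed:
            pid, name = parsed
            hist[pid][name] += 1
    return hist


def flag_unexpected(hist, allowed):
    """Per PID, the sorted list of syscalls outside the allowed baseline (only PIDs with deviations)."""
    return {pid: sorted(set(c) - allowed) for pid, c in hist.items() if set(c) - allowed}


if __name__ == "__main__":
    hist = syscall_histogram(SAMPLE.splitlines())
    for pid, counts in sorted(hist.items()):
        print(pid, dict(counts))
    print("deviations from baseline:", flag_unexpected(hist, BASELINE))
```

In a real deployment the lines would be read from the running `strace -f` (or a comparable in-kernel audit source), and the baseline would be learned per program rather than hard-coded; the parsing and the deviation check stay the same. This also makes Sanjam's concern concrete: everything here runs inside domU and is only as trustworthy as the guest kernel that produced the trace.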