[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH RFC 6/9] xen, libxc: Request page fault injection via libxc


  • To: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
  • From: Mihai DonÈu <mdontu@xxxxxxxxxxxxxxx>
  • Date: Thu, 3 Jul 2014 11:23:29 +0300
  • Cc: Tim Deegan <tim@xxxxxxx>, Razvan Cojocaru <rcojocaru@xxxxxxxxxxxxxxx>, Jan Beulich <JBeulich@xxxxxxxx>, xen-devel@xxxxxxxxxxxxx
  • Comment: DomainKeys? See http://domainkeys.sourceforge.net/
  • Delivery-date: Thu, 03 Jul 2014 08:23:52 +0000
  • Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=default; d=bitdefender.com; b=aTmB2jomfQ9SWsNa54GEc0qbl3oqBYO9zt94ImXg2tw9COlH722kcGvytpxqU4cP2Mqmg+nz4+66hae1e+VPwPBkJORg7lOYnCoG3rFXAWb0pQ7mgtsqWJyOtUz9p/dHSNSpcjVqLPHBH9+tRPze5i0KBLb1i91pabN9yAZxEysyBdBkPdKhC3AjTa7wcDrLJeo35A4/mVAyLuMGyavMJ4S8MhtL9jNLu+q86jCJB6n+nLOMZ5zLXjCAqlLJFgxhjaLYJgoM9KK3QKPnpfp14gcCfAk/3avm1zRcJ3CK9FsJS8JlmCazW5GTDqEqIECFPxdEdU6gxRyyRwy/9ymMCQ==; h=Received:Received:Received:Received:Date:From:To:Cc:Subject:Message-ID:In-Reply-To:References:Organization:MIME-Version:Content-Type:Content-Transfer-Encoding:X-BitDefender-Scanner:X-BitDefender-Spam:X-BitDefender-SpamStamp:X-BitDefender-CF-Stamp;
  • List-id: Xen developer discussion <xen-devel.lists.xen.org>

On Wednesday 02 July 2014 18:07:20 Andrew Cooper wrote:
> On 02/07/14 17:58, Mihai DonÈu wrote:
> > On Wed, 2 Jul 2014 17:00:08 +0100 Andrew Cooper wrote:
> >> On 02/07/14 16:51, Jan Beulich wrote:
> >>>>>> On 02.07.14 at 15:33, <rcojocaru@xxxxxxxxxxxxxxx> wrote:
> >>>> Added new XEN_DOMCTL_set_pagefault_info hypercall, used by
> >>>> libxc's new xc_domain_set_pagefault_info() function to set
> >>>> per-domain page fault injection information. This information is
> >>>> then used to call hvm_inject_page_fault() at the first VMENTRY
> >>>> where the guest status matches and there are no other pending
> >>>> traps.
> >>> So the first question that strikes me here: What good can it do to
> >>> be able to inject arbitrary page faults, possibly at times where
> >>> the guest OS is absolutely not expecting them?
> > I have not yet had the chance to say: thank you all for your review!
> 
> No worries - this certainly is an interesting series to consider.
> 
> >
> > There were times when we wanted to get certain information from the
> > guest but couldn't because it was swapped out. We now handle that
> > situation by injecting a #PF and then let the OS respond as it would
> > under a normal circumstance. After the data is brought in, it traps
> > again into our application and we get what we need, but yes, it
> > requires deep knowledge about the guest OS in order to do it without
> > crashing it. It's doable only if you have the means necessary to
> > inspect its state fully, which is why some of the submitted patches
> > exist.
> 
> What is the threat model here?
> 
> It seems to me that the only safe place to organise this is from a
> device driver in the guest.

This patch by itself does not address an in-guest security issue, it
merely helps implement a number of guards. For example, if we want to
audit all attempts to write into the .text area of an application by
other applications (via  process_vm_writev() or equivalent) we need to
first bring in the complete .text sections of all modules. I forgot to
mention before, but this patch can be used to bring in pages from
memory mapped files (executables / shared objects).

This can indeed be done in a much easier fashion directly from the
guest kernel, but we are envisioning a security tool that acts
completely from outside the domain and firmly believe that the amount
of work needed to do this will be worth it.

-- 
Mihai DONÈU

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel

 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.