[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [Xen-devel] [PATCH RFC 6/9] xen, libxc: Request page fault injection via libxc
On Wednesday 02 July 2014 18:07:20 Andrew Cooper wrote: > On 02/07/14 17:58, Mihai DonÈu wrote: > > On Wed, 2 Jul 2014 17:00:08 +0100 Andrew Cooper wrote: > >> On 02/07/14 16:51, Jan Beulich wrote: > >>>>>> On 02.07.14 at 15:33, <rcojocaru@xxxxxxxxxxxxxxx> wrote: > >>>> Added new XEN_DOMCTL_set_pagefault_info hypercall, used by > >>>> libxc's new xc_domain_set_pagefault_info() function to set > >>>> per-domain page fault injection information. This information is > >>>> then used to call hvm_inject_page_fault() at the first VMENTRY > >>>> where the guest status matches and there are no other pending > >>>> traps. > >>> So the first question that strikes me here: What good can it do to > >>> be able to inject arbitrary page faults, possibly at times where > >>> the guest OS is absolutely not expecting them? > > I have not yet had the chance to say: thank you all for your review! > > No worries - this certainly is an interesting series to consider. > > > > > There were times when we wanted to get certain information from the > > guest but couldn't because it was swapped out. We now handle that > > situation by injecting a #PF and then let the OS respond as it would > > under a normal circumstance. After the data is brought in, it traps > > again into our application and we get what we need, but yes, it > > requires deep knowledge about the guest OS in order to do it without > > crashing it. It's doable only if you have the means necessary to > > inspect its state fully, which is why some of the submitted patches > > exist. > > What is the threat model here? > > It seems to me that the only safe place to organise this is from a > device driver in the guest. This patch by itself does not address an in-guest security issue, it merely helps implement a number of guards. For example, if we want to audit all attempts to write into the .text area of an application by other applications (via process_vm_writev() or equivalent) we need to first bring in the complete .text sections of all modules. I forgot to mention before, but this patch can be used to bring in pages from memory mapped files (executables / shared objects). This can indeed be done in a much easier fashion directly from the guest kernel, but we are envisioning a security tool that acts completely from outside the domain and firmly believe that the amount of work needed to do this will be worth it. -- Mihai DONÈU _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx http://lists.xen.org/xen-devel
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |