[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH RFC 6/9] xen, libxc: Request page fault injection via libxc


On 03/07/2014 09:23, Mihai DonÈu wrote:

On Wednesday 02 July 2014 18:07:20 Andrew Cooper wrote:

On 02/07/14 17:58, Mihai DonÈu wrote:

On Wed, 2 Jul 2014 17:00:08 +0100 Andrew Cooper wrote:

On 02/07/14 16:51, Jan Beulich wrote:


There were times when we wanted to get certain information from the
guest but couldn't because it was swapped out. We now handle that
situation by injecting a #PF and then let the OS respond as it would
under a normal circumstance. After the data is brought in, it traps
again into our application and we get what we need, but yes, it
requires deep knowledge about the guest OS in order to do it without
crashing it. It's doable only if you have the means necessary to
inspect its state fully, which is why some of the submitted patches
exist.

What is the threat model here?

It seems to me that the only safe place to organise this is from a
device driver in the guest.

This patch by itself does not address an in-guest security issue, it
merely helps implement a number of guards. For example, if we want to
audit all attempts to write into the .text area of an application by
other applications (via  process_vm_writev() or equivalent) we need to
first bring in the complete .text sections of all modules. I forgot to
mention before, but this patch can be used to bring in pages from
memory mapped files (executables / shared objects).

This can indeed be done in a much easier fashion directly from the
guest kernel, but we are envisioning a security tool that acts
completely from outside the domain and firmly believe that the amount
of work needed to do this will be worth it.



Ok.  So you are looking for a way to force arbitrary pages to be paged in?
I cant see how this could ever be safe from outside the VM. At the very best you will have to wait until the correct virtual address space is in context (which is not as easy as relying on cr3), probably wait until the vcpu is executing userspace code, and even then you are still fighting with the guest OS's paging-out algorithm. 

This certainly isn't something can be done safely as a toolstack hypercall.
While I can see what you intend to do with the feature, I still can't see how it would actually work given the infrastructure in this series. 

~Andrew

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.