Xen project Mailing List

Re: [Xen-devel] [PATCH 0/3] xen: add support for skipping the current instruction

To: Mihai DonÈu <mdontu@xxxxxxxxxxxxxxx>

From: Tamas K Lengyel <tamas.lengyel@xxxxxxxxxxxx>

Date: Tue, 9 Sep 2014 20:58:48 +0200

Cc: "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Jan Beulich <JBeulich@xxxxxxxx>

Delivery-date: Tue, 09 Sep 2014 18:58:54 +0000

List-id: Xen developer discussion <xen-devel.lists.xen.org>

> Leaving open why terminating the in-guest process requires advancing
> its IP then, if all other register updates are unnecessary. A huge chunk
> of source code like this needs - I think - a little more of a rationale than
> some exotic, only partially explained use case.

Essentially, instruction skipping is an alternative to
'emulate-no-write'. All it offers is a speed boost, which is noticeable
when, for example, the emulator is walking a piece of code located into
an NX-marked memory area (stack, for example). With emulation, it takes
a long time for an application which has been exploited to terminate
(some types of malware try in a forever-loop to write to the memory
areas they target).

I wonder what the point is in skipping over the code of some code malware has put on the stack? Wouldn't it likely just end up crashing afterwards anyway? If your goal is to terminate the offending application, you could just simply point the process' RIP to a known invalid location to cause an immediate crash.. If you need to terminate the process cleanly, then you could use some OS specific knowledge to redirect the execution of the process, like update RIP to ExitProcess on Windows for example. Of course, depending on the threat model that may not be acceptable (ExitProcess may be hooked as well, etc.).

Tamas

_______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx http://lists.xen.org/xen-devel