
Re: Identify a specific DomU inspecting all pages in memory


The goal is to emulate a scenario where a compromised guest attacks another
tenant on the same physical host by reading/changing the memory content.
E.g., extract the RSA key.

I'll be in the domU kernel space. I'm assuming that the guest is able to exploit
any vulnerability possible.
Effectively I'll be changing Xen's code (the least possible) to *emulate* a vulnerability
(e.g., undo a patch).

Charles Ferreira Gonçalves

On Sat, Jan 2, 2021 at 7:06 PM Andrew Cooper <andrew.cooper3@xxxxxxxxxx> wrote:
On 02/01/2021 17:02, Charles Gonçalves wrote:
> Hi,
> I'm building some attack loads targeting Xen for my PhD and need to
> identify the pages for a specific guest.
> Assuming that I'm able to traverse the pages in memory, how do I
> identify a guest (by ID or Name)?
> The dom0 is easy since I can inspect the start_info looking
> for SIF_INITDOMAIN but I have no idea how to identify a specific domU.


Could you provide rather more details about what exactly you're trying
to do?

In particular, what context are you in when trying to identify the pages?



