
Re: Identify a specific DomU inspecting all pages in memory


  • To: Charles Gonçalves <charles.fg@xxxxxxxxx>
  • From: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
  • Date: Mon, 4 Jan 2021 18:18:51 +0000
  • Cc: <xen-devel@xxxxxxxxxxxxx>
  • Delivery-date: Mon, 04 Jan 2021 18:19:00 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 02/01/2021 19:20, Charles Gonçalves wrote:
> Sure.
>
> The goal is to emulate a scenario where a compromised guest attacks
> another tenant in the same physical host reading/changing the memory
> content. E.g., extract the RSA key.
>
> I'll be in the domU kernel space. I'm assuming that the guest is able
> to exploit any vulnerability possible.
> Effectively I'll be changing Xen's code (at least possible) to
> *emulate* a vulnerability (e.g., undo a patch).

Ok, so in this scenario, you've successfully exploited a privilege
escalation vulnerability in Xen and obtained code execution in
hypervisor context.  There are some security fixes to choose to revert
for this purpose, but none I'm aware of which will make the attack
payload trivial to pull off.

However, I'd suggest that you first try writing a new hypercall to do
what you want, so you can get used to coding in Xen context, before
adding the complexity of trying to retrofit it into an attack payload.

If you've already got code which works for dom0, I presume you're keying
off the hardware_domain pointer?  Either way, you can look at the
for_each_domain() construct for how to walk the domain list, or
get_domain_by_id() for how to use the hashtable to look up a domain by
its domid.

~Andrew
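The two lookup paths Andrew points at, as an added stand-alone C model (not Xen's own code): a global list walked by a for_each_domain() macro of the same shape, and a domid hashtable behind get_domain_by_id(), which hands back the domain with a reference taken. The bucket count, the plain reference counter and the sample domids are assumptions; Xen's RCU locking around the walk is left out.

```c
/* Stand-alone model of Xen's domain list and domid hashtable.  Added example,
 * not Xen source: no RCU locking; a plain counter stands in for get_domain(). */
#include <stddef.h>
#define DOMAIN_HASH_SIZE 256                      /* bucket count assumed */
#define DOMAIN_HASH(id)  ((id) & (DOMAIN_HASH_SIZE - 1))
typedef unsigned short domid_t;
struct domain {
    domid_t domain_id;
    int refcnt;                         /* stands in for get_domain()/put_domain() */
    struct domain *next_in_list;        /* global list, creation order */
    struct domain *next_in_hashbucket;  /* chain within one hash bucket */
};
static struct domain *domain_list;
static struct domain *domain_hash[DOMAIN_HASH_SIZE];
/* Same shape as Xen's macro, minus rcu_dereference(). */
#define for_each_domain(d) \
    for ((d) = domain_list; (d) != NULL; (d) = (d)->next_in_list)
/* Append to the list tail and push onto the head of its hash bucket. */
void domain_link(struct domain *d)
{
    struct domain **pd = &domain_list;
    while (*pd != NULL)
        pd = &(*pd)->next_in_list;
    d->next_in_list = NULL;
    *pd = d;
    d->next_in_hashbucket = domain_hash[DOMAIN_HASH(d->domain_id)];
    domain_hash[DOMAIN_HASH(d->domain_id)] = d;
}
/* Walk one bucket; a hit comes back with a reference taken, a miss is NULL. */
struct domain *get_domain_by_id(domid_t dom)
{
    struct domain *d;
    for (d = domain_hash[DOMAIN_HASH(dom)]; d != NULL; d = d->next_in_hashbucket)
        if (d->domain_id == dom) {
            d->refcnt++;
            return d;
        }
    return NULL;
}
/* Constructed sample: dom0 plus domids 7 and 263 (same bucket); link, then count. */
struct domain sample[3] = { { .domain_id = 0 }, { .domain_id = 7 }, { .domain_id = 263 } };
int link_and_count_sample(void)
{
    struct domain *d; int n = 0;
    for (int i = 0; i < 3; i++)
        domain_link(&sample[i]);
    for_each_domain(d)   /* the full walk a diagnostic hypercall would do */
        n++;
    return n;
}
```

The collision between domids 7 and 263 shows why the bucket is chained rather than indexed directly, and the refcnt left at 1 after each hit is the reference a real caller would have to drop with put_domain().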
