xen dire-map area

xen dire-map area

[Baozeng]

Hell all,
I am doing some research work on protecting Xen's data structures. I
know there is a direct-map area(about 12M), in which we can get  the
physical address of the data structure from its virtual address.  My
question is : are the stack and the heap of Xen both located in this
direct-map area? Since I need protect stack and heap data, so it is
easy to identify their physical addresses if they are both in this
area. Thanks.
-- 
     Best Regards,
                                                                 Baozeng Ding
                                                                 OSTG,NFS,ISCAS

Re: xen dire-map area

[Tim Deegan]

At 17:30 +0800 on 14 Jun (1339695001), Baozeng wrote:
> Hell all,
> 
> I am doing some research work on protecting Xen's data structures.
> I know there is a direct-map area(about 12M), in which we can get  the
> physical address of the data structure from its virtual address.  My
> question is : are the stack and the heap of Xen both located in this
> direct-map area?

On 32-bit x86, anything allocated with alloc_xenheap_* or xmalloc() is
in that area (and that includes Xen's stacks).  Anything allocated with
alloc_domheap_* is not.  Also the frametable and M2P are mapped
separately.  The details are in include/asm-x86/config.h.

Cheers,

Tim.

Re: xen dire-map area

[Baozeng]

2012/6/14 Tim Deegan <tim@xen.org>:
> At 17:30 +0800 on 14 Jun (1339695001), Baozeng wrote:
>> Hell all,
>>
>> I am doing some research work on protecting Xen's data structures.
>> I know there is a direct-map area(about 12M), in which we can get  the
>> physical address of the data structure from its virtual address.  My
>> question is : are the stack and the heap of Xen both located in this
>> direct-map area?
>
> On 32-bit x86, anything allocated with alloc_xenheap_* or xmalloc() is
> in that area (and that includes Xen's stacks).  Anything allocated with
> alloc_domheap_* is not.  Also the frametable and M2P are mapped
> separately.  The details are in include/asm-x86/config.h.
>
I see. I want to monitor Xen's data structures in a trusted VM(dom0).
One challenge is how to make dom0 can read Xen's data structure (just
read, do not need to write). Since Xen has more privilege, dom0 cannot
read its data directly.  Can we set up appropriate hypervisor-page
tables for dom0 that map Xen's relevant physical (or virtual) memory
areas? How to do that? Do we need modify Xen's code? or just the
dom0's code?
> Cheers,
>
> Tim.



-- 
     Best Regards,
                                                                 Baozeng Ding
                                                                 OSTG,NFS,ISCAS

Re: xen dire-map area

[Tim Deegan]

At 15:15 +0800 on 15 Jun (1339773354), Baozeng wrote:
> I see. I want to monitor Xen's data structures in a trusted VM(dom0).

I don't understand.  Given that Xen controls dom0 entirely, how can it
monitor Xen's datastructures?

> One challenge is how to make dom0 can read Xen's data structure (just
> read, do not need to write). Since Xen has more privilege, dom0 cannot
> read its data directly.  Can we set up appropriate hypervisor-page
> tables for dom0 that map Xen's relevant physical (or virtual) memory
> areas? How to do that? Do we need modify Xen's code? or just the
> dom0's code?

You would need to modify Xen (to allow dom0 to have read-only mappings
of all memory) and dom0 (to understand Xen well enough to follow its
datastructures).  But since a compromised Xen could lie to dom0
about its pagetables, this seems like a very weak kind of security --
especially compared with something like HyperSafe or CloudVisor that
uses a _more_ privileged element to protect the hypervisor.

Tim.