From: Paolo Bonzini
Subject: Re: [RFC PATCH v2 1/1] kvm: Add documentation and ABI/API header for VM introspection
Date: Wed, 2 Aug 2017 15:51:22 +0200
To: Mihai Donțu
Cc: Radim Krčmář, Jan Kiszka, Stefan Hajnoczi, Adalbert Lazar, kvm@vger.kernel.org, Tamas K Lengyel
In-Reply-To: <1501680749.15747.319.camel@bitdefender.com>
References: <20170707143416.11195-1-alazar@bitdefender.com> <20170707143416.11195-2-alazar@bitdefender.com> <7104167e-0747-92fe-05df-1b7e1848d65f@redhat.com> <1499934995.2110.345.camel@bitdefender.com> <1d3e3fc7-5fec-037e-4be4-82a380c85972@redhat.com> <1501172635.8856.4.camel@bitdefender.com> <5f499fe6-0ac8-56e7-a4f5-ba6809cc7c6a@redhat.com> <1501175973.8856.11.camel@bitdefender.com> <1501674729.15747.282.camel@bitdefender.com> <1b3467e4-1d67-dacd-7436-6a07c08f597b@redhat.com> <1501680749.15747.319.camel@bitdefender.com>

On 02/08/2017 15:32, Mihai Donțu wrote:
> We have currently identified three cases:
>
> * initial hooking of a guest

What triggers the initial hooking, and how is it done?

> * periodically checking the integrity of data that is not properly
> placed into a page and thus cannot be efficiently tracked via SPT

This only needs read memory (and it's okay for it to race against DMA
because it's periodic).

> * injecting processes

This also doesn't need pause. IIRC you put a breakpoint somewhere, or
make a page non-executable, to ensure the guest doesn't get in the way.
DMA can still get in the way, but that can happen anyway right after
process injection so it's not an issue.

Have you thought about monitoring hardware registers, for example in
order to check that IOMMU page tables protect from overwriting the
kernel?

Paolo
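The second case above (periodic integrity checking of data that does not occupy whole pages, using only a read-memory primitive) is easy to misjudge without a concrete picture of why page-granular SPT write tracking is the wrong tool for it. The following is an added example, not code from this thread or from the proposed KVM introspection ABI: it models guest-physical memory as a flat array, treats `guest_read()` as a stand-in for whatever "read guest memory" request the introspection channel provides (an assumption; the real API is not shown on this page), hashes each watched byte range at hook time, and on each periodic pass reports only the ranges whose bytes actually changed. Two small structures deliberately share a page with unrelated data, so a write next to them would fault under an SPT write trap but is correctly ignored here; `region_fits_spt()` is the check for whether a range is page-aligned enough that write tracking would be efficient instead. Regions, addresses and contents are constructed sample data.

```c
/* Added example: periodic hash-based integrity check of sub-page guest data,
 * using only a read-memory primitive. Not part of the KVM introspection patch. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define GUEST_PAGE_SIZE 4096u
#define GUEST_MEM_SIZE  (4u * GUEST_PAGE_SIZE)

/* Constructed stand-in for guest-physical memory; a real tool would read it
 * through the introspection channel instead of a local array. */
static uint8_t guest_mem[GUEST_MEM_SIZE];

struct watched_region {
    uint64_t gpa;      /* guest-physical address of the protected bytes */
    size_t   len;
    uint64_t baseline; /* hash recorded when the region was hooked */
};

/* FNV-1a, 64-bit: cheap and good enough to notice a change; not a MAC, so
 * an attacker who can also read the checker's state could forge it. */
static uint64_t fnv1a64(const uint8_t *p, size_t n)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* Hypothetical "read guest memory" primitive (assumed API, not KVM's).
 * Returns -1 on an out-of-range request. */
static int guest_read(uint64_t gpa, void *dst, size_t len)
{
    if (gpa > GUEST_MEM_SIZE || len > GUEST_MEM_SIZE - gpa)
        return -1;
    memcpy(dst, guest_mem + gpa, len);
    return 0;
}

static int region_hash(const struct watched_region *r, uint64_t *out)
{
    uint8_t buf[256];   /* regions in this example are small */
    if (r->len > sizeof buf || guest_read(r->gpa, buf, r->len) < 0)
        return -1;
    *out = fnv1a64(buf, r->len);
    return 0;
}

/* Record the current contents as the known-good baseline (hook time). */
static int region_snapshot(struct watched_region *r)
{
    return region_hash(r, &r->baseline);
}

/* One periodic pass. Returns the number of regions whose contents differ
 * from their baseline, or -1 if guest memory could not be read. A DMA write
 * racing with the read is tolerable: it is caught on the next pass. */
static int check_all(const struct watched_region *regs, size_t n)
{
    int tampered = 0;
    for (size_t i = 0; i < n; i++) {
        uint64_t h;
        if (region_hash(&regs[i], &h) < 0)
            return -1;
        if (h != regs[i].baseline)
            tampered++;
    }
    return tampered;
}

/* 1 if the region occupies whole pages, so an SPT write trap on those pages
 * would fire only for writes to the protected data; 0 if it shares a page
 * with other data, which is the case the periodic hash check exists for. */
static int region_fits_spt(const struct watched_region *r)
{
    return r->gpa % GUEST_PAGE_SIZE == 0 && r->len % GUEST_PAGE_SIZE == 0;
}

/* Demo scenario: two small structures share page 1 with unrelated data. */
static struct watched_region demo_regions[2];

static void demo_setup(void)
{
    memset(guest_mem, 0, sizeof guest_mem);
    demo_regions[0] = (struct watched_region){ .gpa = 0x1040, .len = 32 };
    demo_regions[1] = (struct watched_region){ .gpa = 0x1800, .len = 64 };
    memset(guest_mem + 0x1040, 0xA5, 32);
    memset(guest_mem + 0x1800, 0x5A, 64);
    for (size_t i = 0; i < 2; i++)
        region_snapshot(&demo_regions[i]);
}

int main(void)
{
    demo_setup();
    guest_mem[0x1100] = 1;          /* unrelated write on the same page */
    printf("after neighbour write: %d region(s) changed\n", check_all(demo_regions, 2));
    guest_mem[0x1050] ^= 0xFF;      /* write inside the first region */
    printf("after in-region write: %d region(s) changed\n", check_all(demo_regions, 2));
    printf("region 0 suitable for SPT tracking: %d\n", region_fits_spt(&demo_regions[0]));
    return 0;
}
```

The split between `region_snapshot()` and `check_all()` is the point: the first runs once at hook time and the second runs on a timer, so no guest pause is needed, and the only capability the checker consumes from the hypervisor is a bounded read. If the same data were instead page-aligned (`region_fits_spt()` returning 1), a write-trap on the SPT entry would be the cheaper choice, since every fault would then correspond to a write worth inspecting.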