Re: (no subject)

[Cutter 409 <cutter409@gmail.com>]

[-- Attachment #1.1: Type: text/plain, Size: 3206 bytes --]

Hi,

I'm finally to a point where I can start looking at this more closely. I'm
trying to wrap my head around the shadow code to figure out the right
course of action.

I'd want HVMOP_set_mem_access to work with both shadow and EPT, so I'd want
things to work via p2m somehow. I think I understand this part.

* HVMOP_set_mem_access is used to change the p2m_access_t for the target
page(s). This should already be implemented I think?
* During propagation, I'll check the p2m map to see if I should mask off
any permission bits.
* On a shadow paging fault, I'll check if the fault was caused by p2m
permissions, somehow integrating that with the code for read-only guest
page tables safely.

Questions:

* Just for background, am I correct in my understanding that the log_dirty
code is used to track which gfns have been written to by the guest, in
order to speed up migration?
* Are multiple shadow tables maintained per domain? Is there one per VCPU?
One shadow table per guest page table? Is it blown away every time the
guest changes CR3? I'm having some trouble tracking this down.
* How should I clear/update existing shadow entries after changing the
p2m_access_t? Can I clear the shadow tables somehow and force everything to
be repopulated? Is that insane?

Thanks!



On Thu, Nov 15, 2012 at 7:08 AM, Tim Deegan <tim@xen.org> wrote:

> Bcc: Tim Deegan <tjd-xen@phlegethon.org>
> Subject: Re: [Xen-devel] Guest memory access hooking
> Reply-To:
> In-Reply-To: <
> CAG4Ohu_p-vVF9ZS01PeMqHvscCrrO+UDawK-noaaP8k+MuqHrQ@mail.gmail.com>
>
> Hi,
>
> At 10:56 -0500 on 13 Nov (1352804161), Cutter 409 wrote:
> > I'm trying to do some research with malware, and I'm trying to get
> > notifications on arbitrary guest page accesses (similar to what Ether
> > does.) I've noticed the mem-event API and it seems like it might be close
> > to what I need, but I can't find much documentation about how it works or
> > how to use it.
>
> Yes, the mem-event api, and in particular the HVMOP_set_mem_access
> hypercall, looks like what you want.  As you say, there isn't much
> documentation for it, except the xen-access.c client and the mailing
> list archive.
>
> CC'ing Aravindh, who has worked on this code most recently and might be
> able to help with specific questions.
>
> > I know that that mem-event API works only with EPT, but is the code to
> > change permissions modifying the guest page tables, or does it work via
> > EPT? (Can the guest detect it?)
>
> It works by EPT.  The guest can't detect it by looking at its pagetables
> or page fault patterns, though it might be able to detect it by looking
> at timings.
>
> > I'm also interested monitoring arbitrary page access via the shadow page
> > tables. I've been reading through the code, but if anyone has any insight
> > or some kind of push in the right direction, I'd really appreciate it.
>
> Your best bet is to modify _sh_propagate.  Look at how it handles
> shadow_mode_log_dirty() -- any time a writeable mapping is shadowed, the
> shadow PTE is made read-only until the guest is actually doing a write,
> then mark_dirty can be called.  You should be able to do the same thing
> for other kinds of access.
>
> Cheers,
>
> Tim.
>

[-- Attachment #1.2: Type: text/html, Size: 4078 bytes --]

[-- Attachment #2: Type: text/plain, Size: 126 bytes --]

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel