hinoue at atc-nycorp
Nov 18, 2008, 1:36 PM
Here are some of my thoughts on the Xen Introspection Project. We've agreed
Starting Points for the Xen Introspection Project
that creating a list of requirements is the first thing the project should
do. We listed some general requirements during the first teleconference.
From ATC-NY's perspective, our highest priority feature is the ability to
trap on guest memory accesses (rwx) to specific addresses.
There are no publicly available tools that allow us to do this with recent
versions of Xen or support both Windows and Linux. So it is an open
question whether we should start with a new library or adapt an existing
introspection tool. I believe to get something running quickly we should
adapt an existing project and tweak the API over time. It is better to have
something running than to fully design a project before implementation.
What should be the basis for the introspection tools? There are three
introspection projects described in recent literature that are Xen specific:
XenAccess  - started by Bryan Payne from Georgia Tech. It builds on
top of XenCtrl. Its API concentrates on mmapping domU memory into
domO. It has some advantages in that it supports both Linux and
Windows. It can also mmap domU process memory into dom0, which is
a potential benefit to reverse engineering tools. It is GPL'd.
Source is available from xenaccess.googlecode.com. (I am most
familiar with this project because ATC-NY uses it as a base for
our own tools and I am a minor contributer.)
VIX (Virtual Introspection for Xen) - Hay and Nance's VM
introspection tools for forensics and a library utility for
building them. Linux 2.6 specific, it consists of specific
forensic tools along with a utility library that assists in
mmapping domU kernel memory. Is source available?
Ether  - Another effort from Georgia Tech that concentrates more
on hypervisor modifications and is specific to Intel VT HVM domUs.
This was recently described at ACM CCS 2008. The group has
apparently abandoned Xen in favor of KVM. However, source for the
Xen modifications are available. Their tools are able to log system
calls as well as break after every guest instruction execution. Ether
is Win XP SP2 specific.
EXAMIN-C - This is our set of tools and libraries that are built on top of
XenAccess. By using libraries that parse Windows PDB and GCC
representation files, we can write C-like scripts that are very close to
code that run as they would in the guest kernel. We support both
Windows and Linux (we've tested on Windows XP, Vista, Fedora, and
Our goal is to make writing introspection tools less brittle and
of minor OS versions. Unfortunately, at this moment it is unclear how
we can publicly release.
The introspection project requires two pieces: a hypervisor component and a
user-space component. XenAccess and VIX offer a user-space library for
implementing introspection tools. It would be nice to be able to compare
these libraries and use one as a basis for future feature inclusions. The
most advanced hypervisor component currently available, that I'm aware of,
is Ether. Ether is still immature but offers the features that ATC-NY
Licensing is also an issue. We are quite happy to contribute to an open
source introspection library, but we would like the option to keep some of
the tools built using it proprietary. We would therefore like the
introspection library to be LGPL'd or less restrictive. Other commercial
vendors would likely have similar concerns. The current XenAccess version
is problematic because of its dependence on libxenctrl. We would want to
avoid any gpl dependency in a Xen introspection library.
 Bryane Payne et al. Secure and Flexible Monitoring of Virtual
Machines. ACSAC 2007.
 Brian Hay and Kara Nance. Forensic Examination of Volatile System
Data Using Virtual Introspection. SIGOPS Operating Systems Review.
 Artem Dinaburg et al. Ether: Malware Analysis via Hardware
Virtualization Extensions. CCS '08.
Xen-introspect mailing list
Xen-introspect [at] lists