qemu-devel

[Qemu-devel] Re: backdoor


From: Lluís
Subject: [Qemu-devel] Re: backdoor
Date: Mon, 25 Oct 2010 22:54:53 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.0.50 (gnu/linux)

Blue Swirl writes:

> On Mon, Oct 25, 2010 at 10:54 AM, Lluís <address@hidden> wrote:
>> Blue Swirl writes:
>>
>>> and there are guest visible side effects.
>> 
>> I don't understand what you mean with guest-visible effects.

> The guest can examine itself and determine that it has been modified.

Well, yes, but backdoor instructions are not available on real hardware,
so I think that the case of the guest actively trying to detect if it is
being virtualized is not an issue here (e.g., no blue pill problem on
the scenarios I plan to use it).


> Also, the guest needs to be recompiled and adding the extra
> instructions changes the memory layout etc. Furthermore, the source
> code needs to be available for recompilation.

Well, as I see it, the backdoor implementation _must_ be enabled through
recompilation, and be _not_ activated on official binary releases.

For me, it is the only communication channel I could think of that
provides the minimal overhead on the guest, and has a use only for
peeking into the underlying simulator.


>> Ok, so far I see different approaches available:
>> 
>> * MMIO/PIO device
>>  Needs no undocumented extensions to the ISA, but requires modifying
>>  the guest OS (adding a device driver).

> Also the guest application needs to be modified.

True. But as I said this is a non-issue in my case, although I
understand that such a scheme has no practical use to the Qemu
community. It's just that if the instrumentation is ported to other qemu
targets, both backdoor+instrumentation can serve as a pretty solid
emulation building block for fine-grained analysis of guest code
(including building simulators).


>> * New syscall
>>  Needs no undocumented extensions to the ISA, but will only work with
>>  *-user emulation.
>> 
>> * watchpoint/breakpoint
>>  Needs no undocumented extensions to the ISA, but will only work with
>>  softmmu emulation, and only as long as the backdoor channel requires
>>  no arguments.

> We have GDB support also for user emulators. The arguments could be
> set up by GDB monitor command.

Still I don't understand how I could cover the case where I manually
insert code in the guest to communicate directly with Qemu (e.g., start
simulating at an arbitrary point in the guest code).


>> * ISA extensions
>>  Needs a per-target decoding of the instruction and won't work when
>>  running under KVM.
[...]
>> 
>> The instrumented watchpoint/breakpoint sounds like an interesting
>> approach, but I don't see how I can:
>> 
>> * Differentiate among instrumented and non-instrumented
>>  watchpoints/breakpoints

> Make the instrumentation selectable for each watchpoint/breakpoint.

But the only way to control this is through QMP, right? And as I said
before, I don't know how the guest can communicate with QMP in a
_lightweight_ way (if I already can, then I already have a suitable
backdoor channel). Maybe I'm missing something here, as this is my first
contact with qemu.


>> * Pass arguments to the instrumentation backend

> Together with the breakpoint structure in CPUState, there should be an
> extra storage for the arguments (and a flag whether to enable
> instrumentation or not) . This could be set up by monitor commands.

Arguments can be dynamic. For example, see the following guest code:

guest library in LD_PRELOAD:

  #define _GNU_SOURCE          /* needed for RTLD_NEXT */
  #include <dlfcn.h>
  #include <sys/types.h>
  #include <unistd.h>

  /* Hypothetical backdoor call into the simulator; its definition is
     not part of this mail. */
  extern void backdoor_trace_me(pid_t pid);

  static pid_t (*old_fork) (void);

  /* Resolve the real fork() once, when the preloaded library is loaded. */
  __attribute__ ((constructor))
  static void lib_init (void)
  {
      old_fork = (pid_t (*)(void)) dlsym(RTLD_NEXT, "fork");
  }

  pid_t
  fork (void)
  {
      pid_t res = old_fork();
      if (res == 0) {
          /* Child only (res < 0 is an error, > 0 is the parent). */
          backdoor_trace_me(getpid());
      }
      return res;
  }

Here I can instrument all processes fork'ed from my main instrumented
application, but leave the other system processes uninstrumented (e.g.,
record the current cr3 and enable instrumentation only when recorded cr3
values are running).


Lluis

-- 
 "And it's much the same thing with knowledge, for whenever you learn
 something new, the whole world becomes that much richer."
 -- The Princess of Pure Reason, as told by Norton Juster in The Phantom
 Tollbooth
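The selective-instrumentation policy sketched above (record the cr3 that is running when a guest process calls the backdoor, then instrument only while a recorded cr3 is loaded) can be modelled outside QEMU. The following is an added example written for this page; it is not code from the mail, from Lluís, or from QEMU. The function names, the handler/CPU split and the cr3 values are all assumptions chosen for the demo.

```c
/* Constructed model of the cr3-gated instrumentation policy from the
 * mail. The "simulator" keeps a small table of address spaces whose
 * owner called the backdoor; instrumentation is on only while one of
 * those address spaces is loaded. Not QEMU code; all names are
 * assumptions for this example. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_TRACKED 16

static uint64_t tracked_cr3[MAX_TRACKED]; /* recorded address spaces */
static size_t   n_tracked;
static uint64_t current_cr3;              /* what the model CPU has loaded */
static bool     instr_on;                 /* the instrumentation gate */

static bool is_tracked(uint64_t cr3)
{
    for (size_t i = 0; i < n_tracked; i++)
        if (tracked_cr3[i] == cr3)
            return true;
    return false;
}

/* Simulator side of backdoor_trace_me(): runs while the requesting guest
 * process is current, so current_cr3 identifies it. Returns false if the
 * space is already recorded or the table is full. */
bool backdoor_trace_me_handler(void)
{
    if (is_tracked(current_cr3) || n_tracked == MAX_TRACKED)
        return false;
    tracked_cr3[n_tracked++] = current_cr3;
    instr_on = true;                      /* this space is traced from now */
    return true;
}

/* Called by the model CPU whenever the guest loads a new page-table root. */
void on_cr3_write(uint64_t new_cr3)
{
    current_cr3 = new_cr3;
    instr_on = is_tracked(new_cr3);
}

bool instrumentation_enabled(void) { return instr_on; }

/* Start from a clean table (useful for tests). */
void reset_model(void)
{
    n_tracked = 0;
    current_cr3 = 0;
    instr_on = false;
}

int main(void)
{
    reset_model();
    on_cr3_write(0x1000);                 /* main instrumented app runs */
    backdoor_trace_me_handler();          /* it calls the backdoor */
    on_cr3_write(0x2000);                 /* unrelated system process */
    printf("system process traced: %d\n", instrumentation_enabled());
    on_cr3_write(0x3000);                 /* fork'ed child, its own cr3 */
    backdoor_trace_me_handler();          /* child announces itself */
    on_cr3_write(0x1000);                 /* scheduler returns to parent */
    printf("parent traced again: %d\n", instrumentation_enabled());
    return 0;
}
```

The child in the LD_PRELOAD wrapper gets a new cr3 after fork, which is why it has to call the backdoor itself rather than inheriting the parent's entry; the model makes that visible because 0x3000 is untraced until its own handler call.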


