[Qemu-devel] kill /destroy a VM - help
From: Alexander Binun
Subject: [Qemu-devel] kill /destroy a VM - help
Date: Wed, 5 Mar 2014 18:35:18 +0200 (IST)
Hello friends, hello Stefan,
Thanks to your hints we succeeded in intercepting network traffic between VMs.
Now we have encountered yet another problem: our security module (which is an LKM)
performs a security check and, when suspecting malicious activity at a VCPU,
must suspend or even kill this VM. The problem is: how to suspend/kill a VCPU?
We have taken the following approach:
1. Accessing the VM list (struct list_head vms_list) through the kallsyms interface
2. Iterating through VMs, reaching every VCPU (as a structure struct kvm_vcpu *vcpu)
3. Running the security check on every such structure. That is, we were looking for a function like cpu_reset(struct kvm_vcpu *vcpu)
The following "reset functions" were tried so far (taken from kvm_host.h):
1. kvm_vcpu_uninit and kvm_x86_ops->vcpu_free. These cause the whole system (both host and guest OSs) to hang.
2. kvm_vcpu_reset and kvm_arch_vcpu_free lead to the linker error "Warning! Function undefined".
Which "reset function" could you recommend?
Thanks in advance,
an Israeli team (Mark, Martin, Boaz and Alex)
On Thu 19 Dec 11:05 2013 Stefan Hajnoczi wrote:
> On Wed, Dec 18, 2013 at 01:53:56PM +0200, Alexander Binun wrote:
> > We are trying to monitor the traffic (network packets etc) between VMs in
> > KVM. We succeeded in getting the address of the system call table (see
> > http://syprog.blogspot.co.il/2011/10/hijack-linux-system-calls-part-iii.html)
> > and intercept the system calls going through the kernel.
> >
> > In such a way we see ALL system calls (including those which were not
> > initiated from within VMs).
>
> You do not see guest system calls when you hook host system calls. You
> only see host system calls (including those made by QEMU).
>
> > How can we filter out the system calls not related to VMs ? What is your
> > opinion regarding our approach ?
>
> Maybe I'm missing context for this discussion but I wouldn't intercept
> system calls in order to monitor VM network traffic.
>
> You can monitor VM traffic using libpcap on the VM's tap interface on
> the host. If you want fancier deep packet inspection, Open vSwitch
> offers a flow-based interface so you can monitor just certain
> conversations.
>
> Stefan
>