On Wednesday, 13.09.2006, 12:05 +0200, G Portokalidis wrote:
> Hello,
> I have been in the process of porting Argos to Qemu 0.8.2.
> In case you haven't heard of Argos, it's basically Qemu extended to
> track network data entering the emulator to identify their illegal use
> (exploits, etc).
>
> I am using the softmmu to track all accesses to physical memory to
> track which memory addresses are occupied by network data.
>
> I am trying to figure out all the possible ways guest physical memory
> is accessed at runtime. Besides the softmmu, I also identified that
> DMA also accesses physical memory using cpu_physical_memory_rw(), in
> exec.c.
>
> Do any virtual peripherals access guest physical memory without using
> the above call, or is memory altered by Qemu's dynamic translation (or
> other components)?
>
> I must be missing something, since I have noticed that when memory is
> cluttered with network data (because of using IE for example),
> starting a new application reports that values used in jmp
> instructions (op_jmp_T0, in op.c) come from the network, while that is
> not the case.
>
> It seems that loading a new executable into guest memory is not tracked,
> and as a result a page previously used by IE is not "cleaned". Another
> thought is that maybe the translation writes data to guest physical
> memory, but from what I understand of Qemu, translation seems to only
> touch host memory.
>
> If any of the developers could help, it would be appreciated.
> I have spent many hours going through Qemu's code without result.
>
> Thanks in advance, and I hope this is not immediately discarded as
> being too long. :-P
>
> Cheers,
> George

Hello George,
I've read the ARGOS paper - good paper! I'm not familiar with the Argos source code, but I've encountered the situation that Windows clears pages with 8-byte (64-bit) wide st operations consisting of all 0s (even on 32-bit Win2k), and it gave me a lot of the same stuff you're describing above when I thought that 32-bit Windows only does 32-bit memwrites. (I instrumented the ld/st macros in softmmu_{header,template}.h for that purpose.) If you find anything else, please let me know, since I'm very interested in that.

cheers
m.
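To make the gap m. describes concrete, here is an added example written for this page (it is not Argos or QEMU code; the toy guest RAM, the byte-granular taint map, the `guest_store` hook standing in for the softmmu st paths and the sample payload are all assumptions). It shows why a taint tracker that only instruments the 1/2/4-byte store paths keeps reporting a page as "network data" after the guest has zeroed it with 8-byte stores, and how instrumenting the 8-byte path removes the false positive:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GUEST_RAM_SIZE 4096u

/* Toy guest physical memory and a byte-granular taint map beside it
   (1 = byte currently holds network-derived data). */
static uint8_t guest_ram[GUEST_RAM_SIZE];
static uint8_t taint_map[GUEST_RAM_SIZE];

void reset_guest(void) {
    memset(guest_ram, 0, sizeof guest_ram);
    memset(taint_map, 0, sizeof taint_map);
}

/* Data arriving from the network (what the emulated NIC's DMA into guest
   RAM would do): copy it in and mark every byte tainted. */
void net_dma_write(uint32_t paddr, const uint8_t *src, size_t len) {
    if (paddr + len > GUEST_RAM_SIZE) return;
    memcpy(guest_ram + paddr, src, len);
    memset(taint_map + paddr, 1, len);
}

/* Store hook standing in for the softmmu st{b,w,l,q} paths (assumed API).
   width is 1, 2, 4 or 8; src_tainted says whether the stored value itself
   carries taint. When instrument_64bit is false the 8-byte path updates
   RAM but not the taint map: the gap discussed in the thread. */
void guest_store(uint32_t paddr, uint64_t val, size_t width,
                 bool src_tainted, bool instrument_64bit) {
    if (paddr + width > GUEST_RAM_SIZE) return;
    for (size_t i = 0; i < width; i++)            /* little-endian byte order */
        guest_ram[paddr + i] = (uint8_t)(val >> (8 * i));
    if (width == 8 && !instrument_64bit)
        return;                                   /* taint map left stale */
    memset(taint_map + paddr, src_tainted ? 1 : 0, width);
}

/* The check a control-flow load (the jmp target in op_jmp_T0, say) would
   make: is any byte of the width-byte value at paddr tainted? */
bool load_is_tainted(uint32_t paddr, size_t width) {
    if (paddr + width > GUEST_RAM_SIZE) return true; /* out of range: fail closed */
    for (size_t i = 0; i < width; i++)
        if (taint_map[paddr + i]) return true;
    return false;
}

/* Scenario from the thread: network data lands in a page, the guest later
   clears the whole page with 8-byte all-zero stores, then a 4-byte jump
   target is loaded from it. Returns true if that load is still reported
   as network data, i.e. a false positive. */
bool page_clear_leaves_stale_taint(bool instrument_64bit) {
    static const uint8_t payload[] = "constructed network payload"; /* constructed sample */
    reset_guest();
    net_dma_write(0x100, payload, sizeof payload);
    for (uint32_t p = 0; p < GUEST_RAM_SIZE; p += 8)
        guest_store(p, 0, 8, false, instrument_64bit);
    return load_is_tainted(0x100, 4);
}

/* Sanity check for an instrumented width: a 4-byte untainted store over an
   8-byte tainted span clears exactly 4 bytes. Returns the tainted bytes
   remaining in that span. */
int tainted_bytes_after_4byte_store(void) {
    static const uint8_t payload[8] = {1, 2, 3, 4, 5, 6, 7, 8}; /* constructed sample */
    reset_guest();
    net_dma_write(0x200, payload, sizeof payload);
    guest_store(0x200, 0, 4, false, false);
    int n = 0;
    for (uint32_t p = 0x200; p < 0x208; p++) n += taint_map[p];
    return n;
}

int main(void) {
    printf("8-byte stores not instrumented: stale taint = %d\n",
           page_clear_leaves_stale_taint(false));
    printf("8-byte stores instrumented:     stale taint = %d\n",
           page_clear_leaves_stale_taint(true));
    printf("tainted bytes left after a 4-byte store over 8 tainted bytes: %d\n",
           tainted_bytes_after_4byte_store());
    return 0;
}
```

The same reasoning applies to any guest write path that bypasses the hooked store macros: a disk DMA that loads an executable through `cpu_physical_memory_rw()` must also clear the taint map for the bytes it overwrites, or the page keeps the taint of whatever network data occupied it before.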