Sorry for any cross posting. I sent this to the xen-devel list and the
xen-research list as well.
I'm wanting to modify some Xen source code for the purposes of some
research, exploration, and testing of some security concepts.
I have a few questions after looking through the source.
All of the below applies to 32-bit guests.
#1: Is there any way possible to trap/insert some code at/hook into any
modification of a PV guest's page table? Anything like a hypercall handler I
can plug in to, a function or series of functions that always gets called,
something I can provide a callback to, or anything else?
#2: For some research purposes, I plan on replicating portions of the page
table of a guest, only those pages of the guest's kernel. I hope to do this
by the supervisory bit being set; however, I welcome any suggestions of a
better approach to detecting when kernel pages are being modified.
In general, to explain any questions I haven't specifically asked above, I'm
looking for the appropriate place in Xen to intercept any writes, reads, and
executes of a guest's memory.
Also, would such activities be easier or more difficult with HVM guests?
Since Xen has to provide HVM guests an individual CR3, would such a place be
much easier to hook into because of any abstraction layers that already
exist for such things?
The only reason I picked PV guests was that the semantics of what is a
kernel page and what is not might not be as easy to determine in an HVM
guest, but perhaps this is not the case?