From: Passera, P. R <pab...@in...> - 2009-01-27 17:02:28
Mmm, it should have closed automatically after closing Notepad.exe. In this way the decision module will restart the VM and add it to the VMPool. I will try to reproduce the error in our installation.

Pablo

PS: I am copying the Isolated-exec distribution list so that others can benefit from this also. Could you copy the list also?

>-----Original Message-----
>From: Todd Deshane [mailto:des...@gm...]
>Sent: Tuesday, January 27, 2009 2:57 PM
>To: Passera, Pablo R
>Cc: Protti, Duilio J; Giusti, Gisela; Colsani, Guillermo E
>Subject: Re: [Xen-research] Security through Isolation in Xen
>
>On Tue, Jan 27, 2009 at 11:56 AM, Passera, Pablo R
><pab...@in...> wrote:
>>>I then closed the sandbox VM and tried to send cmd.exe, but that led
>>>to the same error as before.
>>
>> Did you close the VM by hand or did it close automatically after
>> closing notepad in the sandbox?
>>
>>
>
>By Hand.
>
>>>-----Original Message-----
>>>From: Todd Deshane [mailto:des...@gm...]
>>>Sent: Tuesday, January 27, 2009 2:52 PM
>>>To: Passera, Pablo R
>>>Cc: Protti, Duilio J; Giusti, Gisela; Colsani, Guillermo E
>>>Subject: Re: [Xen-research] Security through Isolation in Xen
>>>
>>>On Tue, Jan 27, 2009 at 11:32 AM, Passera, Pablo R
>>><pab...@in...> wrote:
>>>>>It seems that something isn't fully set up correctly or there is
>>>>>another bug/problem.
>>>>
>>>> To migrate the executable to the other VM, the program tries to fetch
>>>> a VM from the VM pool. In this case, because we stated it like that in
>>>> the deployment guide, there is only one sandbox (you can add as many as
>>>> you want, and your system permits, creating more Windows images and
>>>> adding them in vmpool.cfg). So, in theory, after running the
>>>> application and once you close the application in the Sandbox, the
>>>> migration module running in the sandbox VM should detect that the
>>>> program was closed. After that, it sends a command to the decision
>>>> module running in Dom0 and then the decision module restarts the VM and
>>>> makes it available again in the VM pool. We never tested with Windows
>>>> shortcuts, so maybe that was the problem. Somehow, the migration module
>>>> did not detect that notepad was closed. Could you try again but always
>>>> sending an executable?
>>>>
>>>
>>>
>>>OK, so sending the first executable worked fine. (notepad showed up on
>>>the sandbox VM as expected)
>>>
>>>I then closed the sandbox VM and tried to send cmd.exe, but that led
>>>to the same error as before.
>>>
>>>It seems that the network in the user VM is broken somehow. Can't ping
>>>dom0, google...
>>>
>>>Attached is the screen shot of the UserVM (error) and here is the
>>>command console log
>>>
>>>** (ie:22142): DEBUG: Initializing
>>>** (ie:22142): DEBUG: Processing CONFIG group [DecisionModule]
>>>** (ie:22142): DEBUG: Processing CONFIG group [UserVM]
>>>** Message: Booting User VM: xm create "/etc/xen/UserVM.cfg"
>>>Using config file "/etc/xen/UserVM.cfg".
>>>Started domain UserVM
>>>Setting Guest IP to '192.168.0.1'
>>>Configuring bridge xenbr0
>>>** (ie:22142): DEBUG: [TIME] VMPool initialization begun at
>>>1233074763.613652
>>>** (ie:22142): DEBUG: Processing CONFIG group 'Sandbox01'
>>>** (ie:22142): DEBUG: Initializing Xen backend
>>>** (ie:22142): DEBUG: Into vmpool_pool_init
>>>** (ie:22142): DEBUG: vmpool_pool_init: uploading image 60A040 into vm
>>>60D3D0
>>>** (ie:22142): DEBUG: Into vm_set_vm_status
>>>** Message: [XEN backend]: Booting VM: xm create
>>>"/etc/xen/Sandbox01.cfg"
>>>Using config file "/etc/xen/Sandbox01.cfg".
>>>Started domain Sandbox01
>>>** Message: [XEN backend]: Created new domain 25
>>>** Message: Invoking post boot program:
>>>/usr/local/bin/vmpool-setup-network-xen-guest.sh 192.168.0.2
>>>Setting Guest IP to '192.168.0.2'
>>>Configuring bridge xenbr0
>>>** Message: Using Boot Detector: '/usr/local/bin/vmpool-windetect -s 1
>>>-r 400 192.168.0.2'
>>>** Message: Host 192.168.0.2 detected
>>>** Message: [XEN backend]: Pausing VM: xm pause Sandbox01
>>>** (ie:22142): DEBUG: Into vm_set_vm_status
>>>** (ie:22142): DEBUG: [TIME] Pool paused - Initialization completed at
>>>1233074827.382199
>>>** (ie:22142): DEBUG: IP Interface starting
>>>** (ie:22142): DEBUG: Socket 3 created
>>>** (ie:22142): DEBUG: Socket 3 bound
>>>** (ie:22142): DEBUG: Receive
>>>** (ie:22142): DEBUG: Adding socket 3 to fds
>>>** (ie:22142): DEBUG: nfds = 4
>>>** (ie:22142): DEBUG: Packet received
>>>** (ie:22142): DEBUG: Reading the packet
>>>** (ie:22142): DEBUG: Reading from socket 3 flags 0
>>>** (ie:22142): DEBUG: Session accepted with socket 4
>>>** (ie:22142): DEBUG: if_ip_send_pending
>>>** (ie:22142): DEBUG: if_ip_send
>>>** (ie:22142): DEBUG: if_ip_send session
>>>** (ie:22142): DEBUG: if_ip_send
>>>** (ie:22142): DEBUG: if_ip_send session
>>>** (ie:22142): DEBUG: Receive
>>>** (ie:22142): DEBUG: Adding socket 3 to fds
>>>** (ie:22142): DEBUG: nfds = 4
>>>** (ie:22142): DEBUG: Adding socket 4 to fds
>>>** (ie:22142): DEBUG: nfds = 5
>>>** (ie:22142): DEBUG: Packet received
>>>** (ie:22142): DEBUG: Reading the packet
>>>** (ie:22142): DEBUG: Reading from socket 4 flags 1
>>>** (ie:22142): DEBUG: count=61
>>>buffer=CMD=DELEGATE|APP=any|FILE=NOTEPAD.EXE|PATH=/home/delegator/|
>>>** (ie:22142): DEBUG: Interface parser
>>>** (ie:22142): DEBUG: Message:
>>>CMD=DELEGATE|APP=any|FILE=NOTEPAD.EXE|PATH=/home/delegator/|
>>>** (ie:22142): DEBUG: Delegate command handler
>>>** (ie:22142): DEBUG: efilter_execute
>>>** Message: any NOTEPAD.EXE /home/delegator/
>>>** (ie:22142): DEBUG: Into vmpool_pool_get_free_vm
>>>** (ie:22142): DEBUG: Into vmpool_pool_find_vm_status
>>>** (ie:22142): DEBUG: vmpool_pool_find_vm_status: Match on 60D3D0
>>>** (ie:22142): DEBUG: vmpool_pool_get_free_vm: item found 608570
>>>item_data 60D3D0
>>>** Message: [XEN backend]: Unpausing VM: xm unpause Sandbox01
>>>** (ie:22142): DEBUG: Into vm_set_vm_status
>>>** (ie:22142): DEBUG: /usr/bin/scp -v -i /home/delegator/.ssh/id_rsa
>>>/home/delegator/NOTEPAD.EXE delegator@192.168.0.2:/tmp
>>>Executing: program /usr/bin/ssh host 192.168.0.2, user delegator,
>>>command scp -v -t /tmp
>>>OpenSSH_5.1p1 Debian-3ubuntu1, OpenSSL 0.9.8g 19 Oct 2007
>>>debug1: Reading configuration data /etc/ssh/ssh_config
>>>debug1: Applying options for *
>>>debug1: Connecting to 192.168.0.2 [192.168.0.2] port 22.
>>>debug1: Connection established.
>>>debug1: permanently_set_uid: 0/0
>>>debug1: identity file /home/delegator/.ssh/id_rsa type 1
>>>debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
>>>debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
>>>debug1: Remote protocol version 2.0, remote software version OpenSSH_5.1
>>>debug1: match: OpenSSH_5.1 pat OpenSSH*
>>>debug1: Enabling compatibility mode for protocol 2.0
>>>debug1: Local version string SSH-2.0-OpenSSH_5.1p1 Debian-3ubuntu1
>>>debug1: SSH2_MSG_KEXINIT sent
>>>debug1: SSH2_MSG_KEXINIT received
>>>debug1: kex: server->client aes128-cbc hmac-md5 none
>>>debug1: kex: client->server aes128-cbc hmac-md5 none
>>>debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
>>>debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
>>>debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
>>>debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
>>>debug1: Host '192.168.0.2' is known and matches the RSA host key.
>>>debug1: Found key in /root/.ssh/known_hosts:9
>>>debug1: ssh_rsa_verify: signature correct
>>>debug1: SSH2_MSG_NEWKEYS sent
>>>debug1: expecting SSH2_MSG_NEWKEYS
>>>debug1: SSH2_MSG_NEWKEYS received
>>>debug1: SSH2_MSG_SERVICE_REQUEST sent
>>>debug1: SSH2_MSG_SERVICE_ACCEPT received
>>>debug1: Authentications that can continue:
>>>publickey,password,keyboard-interactive
>>>debug1: Next authentication method: publickey
>>>debug1: Offering public key: /home/delegator/.ssh/id_rsa
>>>debug1: Server accepts key: pkalg ssh-rsa blen 277
>>>debug1: read PEM private key done: type RSA
>>>debug1: Authentication succeeded (publickey).
>>>debug1: channel 0: new [client-session]
>>>debug1: Requesting no-...@op...
>>>debug1: Entering interactive session.
>>>debug1: Sending environment.
>>>debug1: Sending env LANG = en_US.UTF-8
>>>debug1: Sending command: scp -v -t /tmp
>>>Sending file modes: C0644 69120 NOTEPAD.EXE
>>>Sink: C0644 69120 NOTEPAD.EXE
>>>NOTEPAD.EXE 100% 68KB 67.5KB/s
>>>00:00
>>>debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
>>>debug1: channel 0: free: client-session, nchannels 1
>>>debug1: fd 0 clearing O_NONBLOCK
>>>debug1: fd 1 clearing O_NONBLOCK
>>>Transferred: sent 71600, received 2392 bytes, in 0.8 seconds
>>>Bytes per second: sent 86331.3, received 2884.1
>>>debug1: Exit status 0
>>>** (ie:22142): DEBUG: Session sd=5 connected to 192.168.0.2:9999 with
>>>flags 2
>>>** (ie:22142): DEBUG: efilter_if_send
>>>** (ie:22142): DEBUG: if_ip_send_pending
>>>** (ie:22142): DEBUG: if_ip_send
>>>** (ie:22142): DEBUG: if_ip_send session
>>>** (ie:22142): DEBUG: if_ip_send
>>>** (ie:22142): DEBUG: if_ip_send session
>>>** (ie:22142): DEBUG: if_ip_send
>>>** (ie:22142): DEBUG: if_ip_send session
>>>** (ie:22142): DEBUG: Message to send:
>>>CMD=MIGRATED|APP=any|SRC=c:\\cygwin\\tmp\\NOTEPAD.EXE length 53
>>>** (ie:22142): DEBUG: Receive
>>>** (ie:22142): DEBUG: Adding socket 3 to fds
>>>** (ie:22142): DEBUG: nfds = 4
>>>** (ie:22142): DEBUG: Adding socket 4 to fds
>>>** (ie:22142): DEBUG: nfds = 5
>>>** (ie:22142): DEBUG: Adding socket 5 to fds
>>>** (ie:22142): DEBUG: nfds = 6
>>>** (ie:22142): DEBUG: Packet received
>>>** (ie:22142): DEBUG: Reading the packet
>>>** (ie:22142): DEBUG: Reading from socket 5 flags 2
>>>** (ie:22142): DEBUG: count=8 buffer=CMD=ACK|
>>>** (ie:22142): DEBUG: Interface parser
>>>** (ie:22142): DEBUG: Message: CMD=ACK|
>>>** Message: Command not recognized
>>>** (ie:22142): DEBUG: if_ip_send_pending
>>>** (ie:22142): DEBUG: if_ip_send
>>>** (ie:22142): DEBUG: if_ip_send session
>>>** (ie:22142): DEBUG: if_ip_send
>>>** (ie:22142): DEBUG: if_ip_send session
>>>** (ie:22142): DEBUG: if_ip_send
>>>** (ie:22142): DEBUG: if_ip_send session
>>>** (ie:22142): DEBUG: Receive
>>>** (ie:22142): DEBUG: Adding socket 3 to fds
>>>** (ie:22142): DEBUG: nfds = 4
>>>** (ie:22142): DEBUG: Adding socket 4 to fds
>>>** (ie:22142): DEBUG: nfds = 5
>>>** (ie:22142): DEBUG: Adding socket 5 to fds
>>>** (ie:22142): DEBUG: nfds = 6
>>>** (ie:22142): DEBUG: Packet received
>>>** (ie:22142): DEBUG: Reading the packet
>>>** (ie:22142): DEBUG: Reading from socket 5 flags 2
>>>** (ie:22142): DEBUG: count=15 buffer=CMD=ACK_RUN_OK|
>>>** (ie:22142): DEBUG: Interface parser
>>>** (ie:22142): DEBUG: Message: CMD=ACK_RUN_OK|
>>>** (ie:22142): DEBUG: efilter_if_send
>>>** (ie:22142): DEBUG: if_ip_send_pending
>>>** (ie:22142): DEBUG: if_ip_send
>>>** (ie:22142): DEBUG: if_ip_send session
>>>** (ie:22142): DEBUG: if_ip_send
>>>** (ie:22142): DEBUG: if_ip_send session
>>>** (ie:22142): DEBUG: Message to send: ACK_RUN_OK length 10
>>>** (ie:22142): DEBUG: if_ip_send
>>>** (ie:22142): DEBUG: if_ip_send session
>>>** (ie:22142): DEBUG: Receive
>>>** (ie:22142): DEBUG: Adding socket 3 to fds
>>>** (ie:22142): DEBUG: nfds = 4
>>>** (ie:22142): DEBUG: Adding socket 4 to fds
>>>** (ie:22142): DEBUG: nfds = 5
>>>** (ie:22142): DEBUG: Adding socket 5 to fds
>>>** (ie:22142): DEBUG: nfds = 6
>>>** (ie:22142): DEBUG: Packet received
>>>** (ie:22142): DEBUG: Reading the packet
>>>** (ie:22142): DEBUG: Reading from socket 5 flags 2
>>>** (ie:22142): DEBUG: Socket 5 closed
>>>** (ie:22142): DEBUG: Connection with socket 5 closed. Session removed
>>>** (ie:22142): DEBUG: if_ip_send_pending
>>>** (ie:22142): DEBUG: if_ip_send
>>>** (ie:22142): DEBUG: if_ip_send session
>>>** (ie:22142): DEBUG: if_ip_send
>>>** (ie:22142): DEBUG: if_ip_send session
>>>** (ie:22142): DEBUG: Receive
>>>** (ie:22142): DEBUG: Adding socket 3 to fds
>>>** (ie:22142): DEBUG: nfds = 4
>>>** (ie:22142): DEBUG: Adding socket 4 to fds
>>>** (ie:22142): DEBUG: nfds = 5
>>>** (ie:22142): DEBUG: Packet received
>>>** (ie:22142): DEBUG: Reading the packet
>>>** (ie:22142): DEBUG: Reading from socket 4 flags 1
>>>** Message: Error reading data:
>>>** (ie:22142): DEBUG: if_ip_send_pending
>>>** (ie:22142): DEBUG: if_ip_send
>>>** (ie:22142): DEBUG: if_ip_send session
>>>** (ie:22142): DEBUG: if_ip_send
>>>** (ie:22142): DEBUG: if_ip_send session
>>>** (ie:22142): DEBUG: Receive
>>>** (ie:22142): DEBUG: Adding socket 3 to fds
>>>** (ie:22142): DEBUG: nfds = 4
>>>** (ie:22142): DEBUG: Adding socket 4 to fds
>>>** (ie:22142): DEBUG: nfds = 5
>>>** (ie:22142): DEBUG: Packet received
>>>** (ie:22142): DEBUG: Reading the packet
>>>** (ie:22142): DEBUG: Reading from socket 4 flags 1
>>>** (ie:22142): DEBUG: Socket 4 closed
>>>** (ie:22142): DEBUG: Connection with socket 4 closed. Session removed
>>>** (ie:22142): DEBUG: if_ip_send_pending
>>>** (ie:22142): DEBUG: if_ip_send
>>>** (ie:22142): DEBUG: if_ip_send session
>>>** (ie:22142): DEBUG: Receive
>>>** (ie:22142): DEBUG: Adding socket 3 to fds
>>>** (ie:22142): DEBUG: nfds = 4
>>>
>>>
>>>
>>>> Thanks,
>>>> Pablo
>>>
>>>--
>>>Todd Deshane
>>>http://todddeshane.net
>>>http://runningxen.com
>>
>
>
>
>--
>Todd Deshane
>http://todddeshane.net
>http://runningxen.com
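
The pool lifecycle described in the quoted explanation (one sandbox, returned to the pool only after the migration module reports that the program closed), modelled as an added example; this is not code from the isolated-exec project. The `KEY=VALUE|` message format and the `DELEGATE` and `ACK` commands are taken from the log above, while `APP_CLOSED`, `DecisionModule`, `parse_message` and the `reconcile` safeguard are hypothetical names and assumptions.

```python
# Added illustration; not code from the isolated-exec project.
from enum import Enum


class Status(Enum):
    FREE = "free"   # booted and paused, waiting in the pool
    BUSY = "busy"   # unpaused and running a delegated program


def parse_message(raw):
    """Parse 'KEY=VALUE|KEY=VALUE|' (format seen in the log) into a dict."""
    fields = {}
    for part in raw.strip().split("|"):
        if not part:
            continue  # trailing '|' leaves an empty last element
        key, sep, value = part.partition("=")
        if not sep or not key:
            raise ValueError(f"malformed field: {part!r}")
        fields[key] = value
    if "CMD" not in fields:
        raise ValueError("message has no CMD field")
    return fields


class DecisionModule:
    def __init__(self, sandboxes):
        self.pool = {name: Status.FREE for name in sandboxes}

    def handle(self, raw, sender=None):
        msg = parse_message(raw)
        if msg["CMD"] == "DELEGATE":
            for name, status in self.pool.items():
                if status is Status.FREE:
                    self.pool[name] = Status.BUSY
                    return f"MIGRATED:{name}"
            return "ERROR:no free sandbox"
        if msg["CMD"] == "APP_CLOSED":  # hypothetical command name
            if self.pool.get(sender) is not Status.BUSY:
                return "ERROR:unexpected sender"
            self.pool[sender] = Status.FREE  # stands in for restart + re-add
            return f"RECYCLED:{sender}"
        return "ERROR:command not recognized"

    def reconcile(self, running_domains):
        """Assumed safeguard: reclaim BUSY sandboxes whose domain is gone."""
        gone = [n for n, s in self.pool.items()
                if s is Status.BUSY and n not in running_domains]
        for name in gone:
            self.pool[name] = Status.FREE
        return gone
```

With a single sandbox, a second `DELEGATE` returns `ERROR:no free sandbox` until either the close notification arrives or `reconcile` sees that the sandbox domain is no longer running.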