VM and Debugger Infos

I’m trying to find some info on VM and corresponding debugger
implementation…

Presently there are some debuggers (automation tools) that try to find
common pitfalls in apps and/or kernel components. One application of this is
to give a ballpark estimate of how badly written those components are
(possibly for buffer overflow, stack smashing, heap overflow, patched code
and other sorts of holes …). Now when it comes down to VM
implementation(s) (as an example JVM, KVM, VMware, Connectix, Jim Bullden’s
ref HEC …) it brings a different level of complexity …

So I was trying to find any lucid and comprehensive articles on different
flavors of VM. I can vaguely understand what a VM is, and what it is supposed
to do, but looking in a bit of detail I see a zoo is waiting for me. For
example, there are studies that try to explain why IA32 is not, in the true
sense, a compatible architecture for a real VM that we can trust!!

So the question is: how useful would it (Intelligent Debugger) be from the
security tool/analysis point of view when a VM is in place of a conventional OS?

Would appreciate it if anyone has a pointer to some comprehensive KB.

-pro

I can’t point you to a specific article, as I’m not sure that such a thing
exists. I can answer any specific questions that people have about
Microsoft’s VM technologies, much of which applies to code from Connectix,
which we bought.


Jake Oshins
Windows Kernel Group
Currently working as an Architect in the Windows Virtual Machine team.

This posting is provided “AS IS” with no warranties, and confers no rights.


Hi Jake,

Thanks for the response. Sorry for typing on a tty!

It might be remotely possible that I might eventually get involved in a batch of the tools I mentioned. So my primary goal is to understand the different basic types of virtualization, and of course MS Windows related is first priority. MY MAIN CONCERN IS HOW USEFUL THOSE TOOLS ARE GOING TO BE, and that to a major extent depends on the type of virtualization the next generation of Windows is going to take. SO FAR I AM ABLE TO GET HOLD OF SOME PAPERS THAT I NEED TO DIGEST FIRST …

So are there any publicly available documents about Connectix’s implementation? Also I found the NGSCB papers, and that seems to be different from Connectix. So the obvious question in mind is to have a familiarity with both of them!

As far as I know the tools (w/o revealing anything here) are quite good, and it might be a challenge to push them out the door for others to use, and for us to make some … BUT IF WE SEE THE SCOPE IS NARROWING DUE TO THIS VM-everywhere wave, we might need to step back and think again!!

-pro

Hi Jake,
Getting to my personal email thru tty (telnet) is a real challenge :), so
I could not articulate what I’m looking for.

Basically I’m trying to find what the impact would be on such tools that
predict (after massaging binaries) some flaws for possible holes.
P.S.: I don’t know much about those tools yet, but I do have a sense of what
they are set out to do. Now due to VM, I was wondering about the importance
of those tools and/or the mechanisms that might no longer be applicable once
VM takes a major role. As I understand, most of the VMs in PC land
are along the lines of Virtual PC and VMware, where the supposition is to run
multiple OSes (host and guests), so there I’m not wondering much, at least
for now. But the point I was wondering about was that in Longhorn and/or after, it
might be that the whole process/threading is under the rug of a sandbox or
lightweight VM. Sorry for possibly being naive here. But the whole point
would boil down to HOW APPLICABLE THESE TOOLS ARE TODAY, AND POSSIBLY WILL BE IN
THE FUTURE… Am I paranoid? You bet! I’ve seen so much obsolescence in
my own experience that I have every reason to be …

But thankfully, I got quite a bit of material, and a heads-up from a
document/presentation that cites your name and other kernel team members’
names. It is from Tokyo Univ. SO I DO HAVE SOMETHING TO MUNCH ON FOR A WHILE!

Finally I’m glad Tim Bernes did not go for his particle physics :-),
otherwise I would not have found those articles I’m looking for!!!

Thanks and Regards,
-pro

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of Jake Oshins
Sent: Tuesday, October 05, 2004 10:21 AM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] VM and Debugger Infos

I can’t point you to a specific article, as I’m not sure that such a thing
exists. I can answer any specific questions that people have about
Microsoft’s VM technologies, much of which applies to code from Connectix,
which we bought.


Jake Oshins
Windows Kernel Group
Currently working as an Architect in the Windows Virtual Machine team.

This posting is provided “AS IS” with no warranties, and confers no rights.



Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@garlic.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

Honestly, your question is so scattered and convoluted that I can’t parse
it.

I think that you’re asking a few things:

  1. Are debugging tools valid when the target is a VM instead of a physical
    machine?
    Answer: Yes. They should be equivalent.
    Qualified answer: There are some things that are hard to virtualize with an
    x86 and you may see the underlying machine leak through the VM a little.
    And Windbg needs a little prodding to work well through a named pipe rather
    than a serial port.

  2. Will Microsoft eventually employ VMs more widely?
    Answer: Yes. Though how it will do that is currently the topic of
    confidential debate.

  3. What is the relationship between processes, threads and VMs?
    Answer: In current versions of VirtualPC/Virtual Server, virtual processors
    are represented in the host OS as threads and they are scheduled by the host
    OS. Threads within a VM are scheduled by the guest OS.

  4. Is Microsoft planning on running current threads/processes in VMs, as an
    attempt to sandbox things, and how would tools (particularly debuggers) work
    with that?
    Answer: It’s not my place to comment on Microsoft’s future plans. I can
    say, however, that our current products don’t do this and our current
    debuggers can’t follow anything going across a VM boundary.


Jake Oshins
Windows Kernel Group

This posting is provided “AS IS” with no warranties, and confers no rights.


Why don’t you pick a hypothetical operation that one of your tools might
need to do and then we can discuss that concretely. As it is, you don’t
leave me much to go on.


Jake Oshins
Windows Kernel Group

This posting is provided “AS IS” with no warranties, and confers no rights.


I do agree it was scattered and convoluted.

You answered most of my convoluted question. And thanks, really.

Some random jottings -

  1. I’m not particularly thinking about debuggers, though an aspect of
    what I’m interested in might have that part.
  2. I’m not really worried about VMclient/VMserver (in the same machine),
    but more about tightly integrated ones, so that from the user’s point of view, they might
    not see anything, and the reason for it …
  3. I’m interested in estimating/analyzing flaws that can help worms/malicious
    code open inroads. This is also extremely debatable, and I don’t know
    much about all the possibilities. But this has seen practical value. And it
    might very well be unnecessary in the future if, by some magical reason, the
    amount of damage that badly written bona fide code causes by helping
    malicious code is kept to a minimum. If by some possibly magical way
    someone says, well, those are not capable of doing damage (data corruption
    and others …), then that’s it for those tools. AS AN EXAMPLE, AND I COULD
    BE WRONG, THE NGSCB endeavor did run through a theorem prover, and I would think
    that means that for debugging and rigorous proof a conventional debugger (windbg
    and its variants) was not good enough for VMM testing, hence its importance
    shifts a bit. THESE ARE MY PERCEPTIONS AND MAY VERY WELL BE WRONG…

So essentially those tools that would take binaries, massage, and whatever
…, then try to analyze, sure, a lot of false alarms maybe, but …

-pro

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of Jake Oshins
Sent: Wednesday, October 06, 2004 4:15 PM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] VM and Debugger Infos

Honestly, your question is so scattered and convoluted that I can’t parse
it.

I think that you’re asking a few things:

  1. Are debugging tools valid when the target is a VM instead of a physical
    machine?
    Answer: Yes. They should be equivalent.
    Qualified answer: There are some things that are hard to virtualize with an
    x86 and you may see the underlying machine leak through the VM a little.
    And Windbg needs a little prodding to work well through a named pipe rather
    than a serial port.

  2. Will Microsoft eventually employ VMs more widely?
    Answer: Yes. Though how it will do that is currently the topic of
    confidential debate.

  3. What is the relationship between processes, threads and VMs?
    Answer: In current versions of VirtualPC/Virtual Server, virtual processors
    are represented in the host OS as threads and they are scheduled by the host
    OS. Threads within a VM are scheduled by the guest OS.

  4. Is Microsoft planning on running current threads/processes in VMs, as an
    attempt to sandbox things, and how would tools (particularly debuggers) work
    with that?
    Answer: It’s not my place to comment on Microsoft’s future plans. I can
    say, however, that our current products don’t do this and our current
    debuggers can’t follow anything going across a VM boundary.


Jake Oshins
Windows Kernel Group

This posting is provided “AS IS” with no warranties, and confers no rights.


I will leave this for an absorbing state; right now I’m in a transient state.

Thanks much for the other note !

-pro

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of Jake Oshins
Sent: Wednesday, October 06, 2004 4:17 PM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] Re:VM and Debugger Infos

Why don’t you pick a hypothetical operation that one of your tools might
need to do and then we can discuss that concretely. As it is, you don’t
leave me much to go on.


Jake Oshins
Windows Kernel Group

This posting is provided “AS IS” with no warranties, and confers no rights.
