ProMoX: A Protocol Stack Monitoring Framework
Elias Weingärtner, Christoph Terwelp, Klaus Wehrle
Distributed Systems Group, Chair of Computer Science IV, RWTH Aachen University
http://ds.cs.rwth-aachen.de

Introduction
- Protocol stack implementations
  - Tight integration with operating system
  - Often implemented in the kernel
- Proliferation of overlay services
  - Not only applications, but also core services
  - New protocols need to be implemented
- Strong need for adequate tools
  - Investigation of faults & erroneous behavior
  - Performance tuning and evaluation

How to monitor protocol implementations?
- Kernel-level debuggers
  - Breakpoint-based inspection of kernel-level implementations
  - Program and debugger executed in the same context
  - Examples: KGDB, SoftICE, Syser, RR0D...
- Full-system simulators (e.g. Simics)
  - Full simulation of system hardware
  - Highest degree of control
  - High overhead
- Utilize system virtualization

ProMoX: Virtualization-based monitoring of protocol stacks

Virtualization-based protocol stack monitoring
- Protocol stack implementations
  - Based on a legacy OS
  - Both established and new implementations supported
- System virtualization
  - Executes implementation
  - Isolation from control context
- External monitoring
  - Observe system state from outside
  - Transparency
[Figure labels: External Monitoring; Overlay Application; Overlay; Transport Layer; Network Layer; Operating System Context; Virtualization Environment; Privileged Control Context]

ProMoX
- Protocol stack monitoring framework
  - Aims at x86 protocol stack implementations
  - Early research prototype (Fall 2008)
- Open source based
  - Xen virtual machine monitor
  - XenAccess introspection library
- Goal: Monitor protocol stack implementations
  - Genuine operating system context
  - Support for running and suspended systems

ProMoX Architecture
[Figure labels, architecture diagram:
  Privileged Control Domain: ProMoX Monitoring Instance, Look-up Table, XenAccess Introspection
  Guest Domain (paravirtualized / HVM): Application, Overlay, Transport Layer, Network Layer
  Xen Hypervisor: Control Interface, Virtual Network Interface, Virtual Memory, Virtual CPU
  System Hardware: CPU, RAM, Network Interface, Storage, Peripherals]

Xen Memory Addresses
[Figure labels: Virtual memory addresses, Pseudo-physical, Machine Memory Addresses; ranges marked 0 to FFFFFFFF]
- Xen distinguishes between different address types
  - Machine memory addresses: physical RAM
  - Pseudo-physical memory addresses: domains
  - Virtual memory addresses: guest operating system
- XenAccess manages translation

Protocol state introspection using Xen
1. Look-up table gives virtual address of protocol state
   - State descriptors marked as symbol
   - Offsets handed over to ProMoX upon domain instantiation
2. Traverse guest system page table using XenAccess
   - Multiple look-ups required
   - Needs knowledge about guest system paging
3. Memory is mapped to domain 0
   - Efficient access to protocol state descriptors
4. Analysis of memory content
   - Access mapped memory regions
   - Parse memory content and write to log file

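The four steps above, as an added example that is not ProMoX or XenAccess code: a page-table walk over a constructed in-memory image standing in for guest RAM, showing why step 2 needs two look-ups and what happens when the target page is not present. Assumptions: 32-bit non-PAE x86 paging with 4 KiB pages only (no large pages); the symbol names, addresses and the value 10 are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define PRESENT 0x1u
/* Constructed stand-in for guest memory: 4 frames of 4 KiB, zero-initialised. */
static uint8_t guest_mem[4 * 4096];
/* Step 1, hypothetical look-up table: state descriptor symbol -> guest virtual address. */
static const struct { const char *symbol; uint32_t va; } lut[] = {
    { "cwnd_mapped",    0xC0402010u },  /* page present */
    { "cwnd_paged_out", 0xC0403010u },  /* page not present */
};

static uint32_t rd32(uint32_t pa) { uint32_t v; memcpy(&v, guest_mem + pa, 4); return v; }
static void wr32(uint32_t pa, uint32_t v) { memcpy(guest_mem + pa, &v, 4); }
/* Read one 32-bit paging entry; fails if out of range or the present bit is clear. */
static int entry(uint32_t base, uint32_t idx, uint32_t *out) {
    uint32_t pa = (base & ~0xFFFu) + idx * 4;
    if (pa > sizeof guest_mem - 4) return -1;
    *out = rd32(pa);
    return (*out & PRESENT) ? 0 : -1;
}

/* Steps 2-4: two look-ups (page directory, page table), then read the descriptor field. */
static int read_state(uint32_t cr3, uint32_t va, uint32_t *value) {
    uint32_t pde, pte, pa;
    if (entry(cr3, va >> 22, &pde) || entry(pde, (va >> 12) & 0x3FFu, &pte)) return -1;
    pa = (pte & ~0xFFFu) | (va & 0xFFFu);
    if (pa > sizeof guest_mem - 4) return -1;
    *value = rd32(pa);
    return 0;
}

/* Constructed guest: directory in frame 0, table in frame 1, data in frame 2. */
static uint32_t build_guest(void) {
    wr32(769 * 4, 0x1000u | PRESENT);          /* PDE covering 0xC0400000-0xC07FFFFF */
    wr32(0x1000u + 2 * 4, 0x2000u | PRESENT);  /* PTE for 0xC0402000 */
    wr32(0x1000u + 3 * 4, 0x3000u);            /* PTE for 0xC0403000, present bit clear */
    wr32(0x2010u, 10);                         /* constructed congestion window value */
    return 0;                                  /* page directory base */
}

int main(void) {
    uint32_t cr3 = build_guest(), v;
    for (size_t i = 0; i < sizeof lut / sizeof lut[0]; i++) {
        if (read_state(cr3, lut[i].va, &v) == 0) printf("%s = %u\n", lut[i].symbol, (unsigned)v);
        else printf("%s: page not present, skipped\n", lut[i].symbol);
    }
    return 0;
}
```
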
Performance
- Application to Linux 2.6 TCP/IP stack
  - Congestion window size
  - Internal structures (e.g. netdev)
- Look-up performance
  - XenAccess maintains internal cache
  - Reduces number of actual required look-ups
  - HVM performance superior
[Figure: Sample Trace of CGWD Size]

            Caching    No Caching
  PV-Dom.   13 µs      59 µs
  HVM-Dom.  13 µs      26 µs

Benefits and Limitations
- Advantages:
  - Transparency
    - Investigation barely noticeable
    - Side effects are reduced
  - Efficient look-up for known state descriptor locations
  - Hypervisors provide needed infrastructure
- Disadvantages:
  - Needs knowledge about OS memory management
  - Difficult to apply to closed source systems
  - How to deal with paging?

Conclusion
- Proof of concept implementation
  - For external monitoring of protocol stack implementations
  - Based on XenAccess introspection library
- Good:
  - Monitoring is transparent
  - Also works for suspended systems
- Disadvantage:
  - Requires knowledge about virtualized systems
Future Work
- Further maturing, evaluation and testing
- More convenient marking of state descriptors for lookup
- System event-based triggering of logging
  - Transmission of packets
  - Custom system events

Thank you for your attention?
Discussion