You can do it now if you'd like, https://wiki.xenproject.org/wiki/Virtual_Machine_Introspection
Here's an example for Windows guests, https://drakvuf.com/

It was discussed on the developers list, but this is high risk code that the developers would need to audit. If you do this, I would recommend passing memory to an analysis VM which only has permission to alert you to a problem. This would result in a delay and a performance hit, so not the same effect, but safer against any attack crafted against this mechanism from taking over your machine. I also hope you're very good at writing fast, tight parsers. Go is supposed to be fast and type safe. Maybe it would be a good choice here.

On a lighter scale, you can also use firejail within the VM, blacklist some stuff, and set a watch on its logfile to alert you. Red Hat based AppVMs can also do this with SELinux. Won't catch anything sophisticated enough to privilege escalate and stop the alert from happening, but also no danger to dom0.

I'm glad VMware did this. For a long time, they only had a tool to dump memory snapshots (at least for Fusion). Not a real time running filter like this, but still fun.
