guestrace

Ryan Johnson and Matt Shockley wrote guestrace as a prototype for a research project, and we have since packaged it as a stand-alone utility. A properly-configured guestrace prints, as they occur, the system calls invoked by processes within a Xen domain. This resembles strace, but it reports the activity of every running process rather than a single one. The guestrace utility relies on libvmi to perform virtual-machine introspection. Guestrace can trace both Linux and Windows, and it requires no modifications to the target aside from running the target on Xen.

Guestrace also provides a library, libguestrace, which gives programmers access to the guestrace engine. This is useful for programs which must trace system calls and do more than merely print them.

Limitations

As an ongoing research project, guestrace presently has a few limitations in its implementation:

  • we have not yet tested any version of Windows other than Windows 7 Enterprise with Service Pack 1,
  • guestrace malfunctions when monitoring Windows running with more than 2 GB of memory (page sizes > 4 KB), and
  • guestrace supports only 64-bit guest operating systems.

We would be happy to consider any patches which remove these limitations, and we ourselves hope to address them when time permits.

Details

Please refer to guestrace's API documentation for details about how to use the library.

The guestrace project is also available as a Git repository. To clone the repository, execute

git clone https://www.flyn.org/git/guestrace
