Dear Hideki EIRAKU, Hi, Thank you for your response. However, this statements has been stated in "BitVisor: A Thin Hypervisor for Enforcing I/O Device Security" paper: "The guest OS of parapass-through hypervisors use the physical address space that is identical to the machine (real) physical address space. The hypervisor does not need to carry out address translations. This contributes to reducing the size of the hypervisor." "Hypervisors must hide their own memory regions from the guest OS so that the guest OS do not use them. BitVisor hooks the BIOS functions for obtaining the memory usage map (function e820h) to fake that the memory regions are reserved. " So we have concluded int0x15 would be the only mechanism for protecting Bitvisor memory area. Indeed, there is no address translation in gmm_pass_gp2hp() function, it just check whether the mentioned memory area is located in Bitvisor memory region or not and set the fakerom based on the result. Thanks again, <div class="gmail_quote">On Tue, Apr 5, 2011 at 2:40 PM, Hideki EIRAKU <<a href="mailto:hdk@igel.co.jp">hdk@igel.co.jp</a>> wrote: <blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">Hi, From: Nafise Sadat Moosavi <<a href="mailto:ns.moosavi@gmail.com">ns.moosavi@gmail.com</a>> Subject: [BitVisor-devel-en:7] Bitvisor memory protection Date: Sun, 3 Apr 2011 15:55:02 +0430 Message-ID: <<a href="mailto:BANLkTimak_mJC7G6Svcg1rEYbXdPvpLzag@mail.gmail.com">BANLkTimak_mJC7G6Svcg1rEYbXdPvpLzag@mail.gmail.com</a>> <div class="im"> > Dear Bitvisor developers, > > As stated in the first Bitvisor paper, Bitvisor uses Int0x15 for protecting > its memory from guest OS. However, there are manual way of probing memory > map instead of using BIOS int0x15, which are not recommended but still can > be used. </div>BitVisor hooks int0x15 to change the memory map, not to protect BitVisor's memory from the guest OS. The protection of memory is implemented in the gmm_pass_gp2hp() function, which is an address translator that translates guest-physical address to host-physical address. If the guest attempts to access an address in use by BitVisor, the address translater returns the physical address of a blank page with the read-only flag (fakerom) set. The shadow page table implementation calls panic() if the guest OS tries to modify a page with the read-only flag set. <div class="im"> > Assume a guest OS which contains a rootkit for detection and destruction of > Bitvisor. It can guess the memory area of Bitvisor by using int0x15 results > during Bitvisor presence and absence in the same system, and then it can use > manual ways of memory access (without using int0x15) for destruction of the > hypervisor in memory. > Can Bitvisor protect itself against such attacks? </div>Yes. The gmm_pass_gp2hp function will protect against this scenario as well. However, the protection works only if the access is performed by the CPU, not via DMA. -- Hideki EIRAKU <<a href="mailto:hdk@igel.co.jp">hdk@igel.co.jp</a>> </blockquote></div>