2026-01-16 00:23:23 +01:00

turnstile

hypervisor kernel integrity enforcement via ept/npt write interception for xen hvm guests

this leverages second level address translation fault handling to enforce write protection on guest kernel text and rodata segments. the hypervisor intercepts ept violations and npt faults targeting protected guest physical address ranges and applies configurable policy responses, while maintaining implicit write grant detection for legitimate kernel self-modification patterns

it has 3 components overall:

  • a xen hypervisor patch implementing the violation detection and policy engine

  • a dom0 userspace controller for guest introspection and protection orchestration

  • an optional guest kernel module providing explicit hypercall-based write grant negotiation for livepatch compatibility

violation interception

write faults to protected gpas trigger a vmexit with exit reason ept_violation or vmexit_npf. the turnstile hook in the vmexit handler extracts the faulting gpa, guest rip, cr3 and instruction bytes, then invokes the policy engine before delegating to the standard p2m fault handler

implicit detection

turnstile recognises legitimate kernel text modifications w/o explicit hypercall coordination:

  • 5 byte nop to call instruction patching at function prologues (0x0f 0x1f 0x44 0x00 0x00 -> 0xe8 rel32)
  • jump_label infrastructure modifications (nop -> jmp patching via __jump_table metadata)

detection works by correlating faulting addresses against uploaded symbol metadata

function entry points and jump_table entries are extracted from the vmlinux elf and adjusted for kaslr slide to enable implicit grant decisions w/o guest modification
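as an added example (not turnstile's own code), a model of the implicit grant decision described above, combined with the enforce/audit/disabled policy responses from the usage section: link-time addresses from vmlinux plus the detected slide come from the controller, and the engine sees the faulting gpa, the bytes currently at it and the bytes being written. the 0xe9 opcode for jump_label nop -> jmp sites is an assumption of this example.

```rust
// Added example (not turnstile's own code): models the implicit write-grant
// decision. Metadata is link-time addresses from vmlinux plus the kaslr slide.
use std::collections::HashSet;

const NOP5: [u8; 5] = [0x0f, 0x1f, 0x44, 0x00, 0x00];
const CALL_REL32: u8 = 0xe8;
const JMP_REL32: u8 = 0xe9; // assumed encoding for jump_label nop -> jmp

#[derive(Debug, PartialEq)] pub enum Verdict { ImplicitGrant, Violation }
#[derive(Debug, PartialEq, Clone, Copy)] pub enum Policy { Enforce, Audit, Disabled }
#[derive(Debug, PartialEq)] pub enum Action { Allow, LogAndAllow, Deny }

pub struct KernelMeta {
    pub slide: u64,                 // runtime gpa minus link-time address, may wrap
    pub func_entries: HashSet<u64>, // link-time function entry addresses
    pub jump_entries: HashSet<u64>, // link-time __jump_table code addresses
}

impl KernelMeta {
    pub fn link_addr(&self, gpa: u64) -> u64 { gpa.wrapping_sub(self.slide) }
}

/// Is the write fault at `gpa` one of the recognised self-modification patterns?
pub fn classify(meta: &KernelMeta, gpa: u64, current: &[u8], written: &[u8]) -> Verdict {
    let link = meta.link_addr(gpa);
    let expected_opcode = if meta.func_entries.contains(&link) {
        CALL_REL32
    } else if meta.jump_entries.contains(&link) {
        JMP_REL32
    } else {
        return Verdict::Violation; // not a known patch site
    };
    // site must still hold the full 5-byte nop; write must be one 5-byte insn
    let nop_in_place = current.len() >= 5 && current[..5] == NOP5;
    if nop_in_place && written.len() == 5 && written[0] == expected_opcode {
        Verdict::ImplicitGrant
    } else {
        Verdict::Violation
    }
}

/// Response to a verdict under the configured policy (enforce/audit/disabled).
pub fn respond(policy: Policy, verdict: &Verdict) -> Action {
    match (policy, verdict) {
        (Policy::Disabled, _) | (_, Verdict::ImplicitGrant) => Action::Allow,
        (Policy::Audit, Verdict::Violation) => Action::LogAndAllow,
        (Policy::Enforce, Verdict::Violation) => Action::Deny,
    }
}
```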

explicit grants

for livepatch and other intentional kernel modifications the guest module issues turnstile_op_request_write hypercalls specifying gpa range and timeout

the hypervisor grants temporary write permission, logged and bounded by a configurable expiry

kaslr handling

the dom0 controller detects the kaslr slide by scanning guest physical memory for the startup_64 instruction sequence: pattern matching at 2mb aligned addresses from 0x1000000 to 0x40000000 locates the kernel text physical base, and the runtime slide is the delta from the vmlinux link-time addresses

build

hv

./build-xen-turnstile.sh hypervisor

note: requires standard xen build deps + dev86 from aur on arch (which is what i wrote this on, specifically i3)

dom0

cd turnstile-ctl
cargo build --release

optional disassembly support from iced-x86:

cargo build --release --features disasm

guest

cd turnstile-guest
make
insmod turnstile_guest.ko

usage

protect

turnstile-ctl protect <domid> /path/to/vmlinux

extracts the kernel layout, detects kaslr, uploads metadata, configures protected ranges and sets audit policy

violations

turnstile-ctl monitor <domid> /path/to/vmlinux --interval-ms 50

polls the violation ring buffer, resolves addresses to symbols and displays instruction bytes

policy

turnstile-ctl policy <domid> enforce
turnstile-ctl policy <domid> audit
turnstile-ctl policy <domid> disabled

statistics

turnstile-ctl stats <domid>