Virtualization

Palacios is an operating system independent virtual machine monitor targetting either IA32 or X86-64 architectures
Palacios
1. xia.pdf
2. non-paravirtualized
3. uses shadow paging in the virtual MMU model
4. is capable of booting an unmodified Linux distribution from either a physical hardware CD ROM drive, or a virtual CD ramdisk image.
5. 20 KLOC of C and assembly written from scratch
6. 10 KLOC of C and assembly to implement necessary basic virtual devices
7. Compiling Palacios generates a static library that can be linked to either 32 or 64 bit executables and operating systems.
  1. The DMM maintains a hooked I/O list, a list of I/O ports for which guest reads, writes, or both must be intercepted by the DMM.
8. Serial Port Debugging
9. ability to do source-level debugging with gdb when Palacios is run under QEMU
10. A modified version of the BOCHS BIOS and VGABIOS is used to bootstrap the guest OS
11. VPIO
  1. Main Component : DMM : Device Monitor Model : VT & SVN Support
    1. It intercepts device requests from the guest device driver, receives interrupts from physical devices and delivers them to guests, drives a internal device state model for each guest, and can determine whether the device can be handed off to another guest, and what host physical addresses a DMA operation will involve.
    2. List
      1. maintains an internal state-machine model for each guest, which keeps track of the current status (e.g, reusability, DMA operation started, etc) of the physical device as seen from the guest
      2. The unhooked I/O list are those ports which the model does not require; reads and writes to those ports are not intercepted by the DMM
    3. Targets
      1. whether the device is reusable
      2. whether a DMA is about to be initiated, and to where
      3. what device requests (e.g., I/O ports)
    4. Checking Function
      1. A checking function is called before a state transition occurs, and must approve the state transition. If state transition is denied, the device request fails, and no state transition occurs
      2. can change the hooked I/O list.
  2. Memory Map Not Supported
  3. DMA
    1. before DMA starts, the guest device driver must set it up, using device requests (I/O port reads/writes, currently)
  4. Device multiplexing
    1. The device model determines when a device is in a reusable state, and can be switched. If a guest attempts to performan operation on a device it does not currently hold, it is blocked until the device becomes available.
  5. Example
    1. NE2000
      1. It supportsDMA for sends and receives, including ring buffering
      2. DMM
      3. Device model for NE2000 NIC
QEMU
1. runs as a user application on top of Linux and provides virtual devices and an instruction emulator.
Vancouver
Case Studied
1. XED
2. BOCHS BIOS
3. VGABIOS
4. self-virtualized devices
5. shadow paging
6. L4Linux
7. TCB
  1. The trusted computing base (TCB) is everything in a computing system that provides a secure environment. This includes the operating system and its provided security mechanisms, hardware, physical locations, network hardware and software, and prescribed procedures.
8. recursive address-space model of L4
9. Type Of Virtualization
  1. Full Virtualzation
    1. The full virtualization approach allows datacenters to run an unmodified guest operating system, thus maintaining the existing investments in operating systems and applications and providing a nondisruptive migration to virtualized environments. VMware uses a combination of direct execution and binary translation techniques to achieve full virtualization of an x86 system . http://www.vmware.com/pdf/asplos235_adams.pdf
  2. paravirtualization
    1. The full virtualization approach allows datacenters to run an unmodified guest operating system, thus maintaining the existing investments in operating systems and applications and providing a nondisruptive migration to virtualized environments. VMware uses a combination of direct execution and binary translation techniques to achieve full virtualization of an x86 system . http://www.vmware.com/pdf/asplos235_adams.pdf
  3. hardware virtualization support
10. Secure Co-Processor
Nova
1. steinberg_eurosys2010.pdf
2. Targets
  1. Fine-grained functional decomposition of the virtualization layer into a microhypervisor, root partition manager, multiple virtual-machine monitors, device drivers, and other system services.
  2. Enforcement of the principle of least privilege among all of these components.
3. We do not use paravirtualization in our system,
4. If desired, explicit hypercalls from an enlightened guest OS to the VMM are possible.
5. not to use binary translation
6. approximately 9000 lines of source code
7. Kernel Objects
  1. protection domains
    1. The memory space manages the page table
    2. the I/O space manages the I/O permission bitmap
    3. capability space controls access to kernel objects.
  2. execution contexts
    1. Execution contexts abstract from the differences between threads and virtual CPUs
  3. scheduling contexts
    1. implements a preemptive prioritydriven round-robin scheduler with one runqueue per CPU
  4. portals
    1. Communication between protection domains is governed by portals
  5. semaphores
8. Root Partition Manager
  1. The root partition manager performs the initial resource allocation decisions
9. VMM
  1. Vancouver
    1. emulates sensitive instructions and provides virtual devices.
    2. manages the guest-physical memory of its associated virtual machine by mapping a subset of its own address space into the host address space of the VM
    3. The VMM can also map any of its I/O ports and MMIO regions into the virtual machine to grant direct access to a hardware device
    4. Device Emulation
      1. The virtual-machine monitor provides virtual devices for its guest operating system.
      2. The virtual-machine monitor provides virtual devices for its guest operating system.
    5. BIOS Virtualization
      1. move the BIOS into the virtual-machine monitor, which facilitates direct access to the device models without expensive transitions between the virtual machine and the VMM.
    6. The different Vancouver instances communicate by IPC messages
10. Steps
  1. Topic
  2. If the Guest accesses an IO port, the CPU traps and signals the hypervisor (NOVA) of the #VmExit. The VMM obtains an IPC from Nova with the fault state and calls all virtual devices connected to a virtual bus. Each device registered to this bus has to decide if it handles the given address. When it does, it updates its internal state (set timer, modifying memory) and external behavior (triggering interrupts, changing device register). Device drivers a realized as a separate Task from the VMM. These drivers provide the back-ends for the virtual devices.
XEN
1. Domain Zero
  1. Xen uses a privileged “domain zero”, which hosts Linux as a service OS. Dom0 implements management functions and host device drivers with direct access to the platform hardware.
KVM
1. adds support for hardware virtualization to Linux and turns the Linux kernel with its device drivers into a hypervisor
2. relies on QEMU for implementing virtual devices and instruction emulation
3. management applications directly on top of the Linux hypervisor in user mode
4. Linux is part of the trusted computing base of KVM and increases the attack surface accordingly
VMware ESXi
Microsoft Hyper-V
1. Xenlike architecture with a hypervisor
SecVisor
Bitvisor
Overshadow
1. Topic
  1. overshadow-asplos08.pdf
2. protects the privacy and integrity of application data, even in the event of a total OS compromise
3. Last Works About Application Security
  1. protects the privacy and integrity of application data, even in the event of a total OS compromise
  2. protects the privacy and integrity of application data, even in the event of a total OS compromise
  3. Refactoring applications into more-critical and lesscritical pieces running in separate protection domains [8, 28] is ultimately a compelling goal.
it keeps the trusted computing base (TCB) small by running VMM and device drivers in user mode http://www.hypervisor.org/