CprE 450-550: Virtualization
Dr. Yong Guan
Department of Electrical and Computer Engineering & Information Assurance Center, Iowa State University


Outline for Today's Talk
- Introduction
- Virtualization Technology
- Applications

Readings for Today's Lecture
- References
- Online resources: VMware, Xen, etc.

What is it?
- "Virtualization is an abstraction layer that decouples the physical hardware from the operating system to deliver greater IT resource utilization and flexibility."
  -- www.vmware.com
- Virtualization is a framework or methodology of dividing the resources of a computer into multiple execution environments.

The Rise and Fall of Virtual Machines -- 1970s: Looks like a good idea --
- IBM VM/370: a VMM for IBM mainframes
  - Multiplex multiple OS environments on expensive hardware
  - Desirable when few machines are around
- Popular idea in the 1960s and 1970s
  - Entire conferences on virtual machines

-- 1980s: Looks like a dumb idea --
- Hardware got cheap but wimpy
  - VMM neither desirable nor possible
- IBM kills VM/CMS in favor of MVS
  - A multi-user OS is better than N single-user OSes + a VMM

The Rise and Fall of Virtual Machines -- 1990s: Looks like a good idea again --
- Define an abstract machine specification: a Virtual Machine
  - Typically emulate the machine within an OS process
  - Examples: p-System, Java, Microsoft CLR
- Market it as better than real machines
  - Fast development time
  - Write once, run everywhere
  - Type and memory safety
  - Fewer bugs, better security, etc.
- Popular ideas in the 2000s
  - Entire conferences on virtual machines

The Rise and Fall of Virtual Machines -- 2000s: still a good idea --
- Squeeze in between the OS and applications
  - Done at the library or system call interface
  - Each application or set of apps runs in a virtual machine
  - Example: WINE
- Into the operating system
  - Examples: KVM, VirtualBox, User Mode Linux
- Between hardware and OS
  - Examples: VMware ESX Server, Xen
- Into hardware
  - Examples: Intel VT-x Technology / AMD Pacifica

Different Types of Virtual Machines
- Modern computer systems are composed of various hardware and software layers
- [Figure: layered stack, bottom to top: Hardware, Kernel (kernel space), User-level libraries and Applications (user space); the interfaces between the layers are Instructions, System Calls and API Calls. "Sounds familiar?"]

Commonality Across Virtual Machines
- All benefit from the "level of indirection"
  - All problems can be solved by a level of indirection
  - Use the layer to improve the software running in the VM
- "Every problem in computer science can be solved by adding another level of indirection"
  -- Butler Lampson

Common Virtual Machine Attributes
- Isolation
  - Total data isolation between virtual machines
- Encapsulation
  - Virtual machines are not tied to physical machines
  - Checkpoint/Migration
- Software compatibility
  - Runs pretty much all software
  - Trick: make the virtual hardware match the real hardware
- Performance
  - Any new software layer adds overhead to the system

Isolation Capability
- Claim: VMs should not be able to get out of the sandbox to attack other VMs or the virtualization software layer.
- The VMM controls what resources are accessible to each VM.
  - VMs can be isolated and requests vetted.
  - Policy-based access control.
- Key: use HW protection mechanisms to isolate VMs
  - New VMX mode
  - Protection rings
  - MMU protection bits
  - ...

VM Isolation Capability
- Escape?
  - Assurance depends on the implementation: the size/complexity of the interface.
  - Compare the hardware interface vs. the Win32 system call interface
- Features of VMs
  - Isolation comparable to separate physical machines
  - Handles accidents (e.g. software bugs) and malicious attacks (e.g. hackers)

Encapsulation Capability
- Have the ability to manipulate and control software in the VM
  - Save execution state
  - Transfer the VM over networks
  - Affect the inputs/outputs of the software running in the VM
- Manage VM execution on machines
  - Provisioning, load balancing, high availability, etc.
  - Examples: Java, VMware ESX Server
- Decoupling of software from hardware
  - The virtualization layer controls the mapping
- Treat software in the VM as a first-class object

Software Compatibility
- A VM will run all the software that targets it
  - Lower-level VMs have advantages here
- Hardware-level VMM: all software (app & OS) written for the hardware
- Paravirtualization: all applications for the ported OSes
- OS-level VM: all applications for that OS/hardware combination
- Application-level VM: all applications for that OS/hardware combination
- Language-level VM: programs compiled to the byte code

VM Software Compatibility
- Key: make the virtual machine abstraction match the real HW
  - All software that runs on real HW runs in the VM
  - Example: VMware's products run DOS, Win 3.1, 95, 98, NT, 2000, ME, XP, 2003, Vista, Linux, FreeBSD, etc.
- Most compatible of the application compatibility solutions
  - Hardware interface: tractable complexity, slow rate of change
    - Example: PC98, PC99, ...
  - OS API interface: intractable complexity, rapid change
    - Example: Win32 API

VM Low Overhead/High Performance
- Key: configure the HW to directly run virtual machines
  - Use the CPU to emulate a virtual CPU
  - Use real physical memory to emulate virtual physical memory
  - Emulate a disk with a disk, etc.
- Trick from the 1960s:
  - Configure the hardware to safely give it to the virtual machine
  - The VMM gets control on any privileged operation
- The virtual machine runs within a few percent of native

Hardware Level Virtualization
- Virtualization is supported by the real hardware
- Examples
  - Intel VT-x (Vanderpool) technology
  - AMD Pacifica
- Why hardware support?

Different Types of Virtual Machines
- Virtualization inserts a software layer (VMM) at different points in this architecture:
  - Hardware-level virtualization
  - Operating system-level virtualization
    - Type 1 VM vs. Type 2 VM
  - Application-level virtualization
  - High-level language virtual machines
- [Figure: the layered stack from the earlier slide repeated: Hardware, Kernel (kernel space), User-level libraries and Applications (user space), with Instructions, System Calls and API Calls between the layers]

Intel VT-x Overview
- Enhances the performance of VMs through hardware support
- Main feature: the inclusion of the new VMX mode of operation
  - VMX root operation: fully privileged, intended for the VM monitor
    - New instructions: the VMX instructions
  - VMX non-root operation: not fully privileged, intended for guest software
    - Reduces guest SW privilege w/o relying on rings

VT-x Operations
- [Figure: IA-32 operation (Ring 0 / Ring 3) split into VMX root operation, where the VMM and its OS, processes and PCBs run, and VMX non-root operation, where VM 1 ... VM n each have their own Ring 0 / Ring 3; VMXON, VMLAUNCH and VMRESUME enter a guest and a VM Exit returns to the VMM, with one VMCS (VMCS1 ... VMCSn) per VM]

Virtual Machine Control Structure (VMCS)
- Control structures in memory
- Only one VMCS is active per virtual processor at any given time
- Maintenance of state information
  - A major source of overhead in a software-based solution
  - The hardware implementation takes over the tasks of loading and unloading the state from its physical locations
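A toy model of the VMX root/non-root switch and the per-VM VMCS described on these slides, added here as an illustration; it is not Intel's or any hypervisor's code, and the three-instruction guest ISA, the PRIVILEGED set and the VMCS fields are assumptions:

```python
from dataclasses import dataclass

# Assumed toy ISA: these guest instructions are treated as privileged and
# force a VM exit; "inc" is the only instruction the guest runs directly.
PRIVILEGED = {"cli", "out", "cpuid"}

@dataclass
class VMCS:
    """Per-virtual-processor control structure in memory: the guest state that
    hardware saves on VM exit and reloads on VMLAUNCH/VMRESUME, plus the exit reason."""
    code: list
    rip: int = 0
    rax: int = 0
    exit_reason: str = ""
    exits: int = 0

@dataclass
class Cpu:
    """One physical processor; only one VMCS is current on it at any time."""
    current: VMCS = None
    root_mode: bool = True       # True: VMX root (VMM), False: VMX non-root (guest)
    rip: int = 0
    rax: int = 0

def vmresume(cpu, vmcs):
    """Load guest state from the VMCS and run in non-root mode until a VM exit."""
    cpu.current, cpu.root_mode, cpu.rip, cpu.rax = vmcs, False, vmcs.rip, vmcs.rax
    while True:
        op, *args = vmcs.code[cpu.rip]
        if op in PRIVILEGED or op == "hlt":
            # VM exit: hardware stores guest state back into the VMCS, returns to root
            vmcs.rip, vmcs.rax, vmcs.exit_reason = cpu.rip, cpu.rax, op
            vmcs.exits += 1
            cpu.root_mode = True
            return op
        if op == "inc":                    # unprivileged guest code runs natively
            cpu.rax += args[0]
        cpu.rip += 1

def run_guest(cpu, vmcs, out_log):
    """VMM loop in root mode: resume the guest, handle each exit, resume again."""
    while True:
        reason = vmresume(cpu, vmcs)
        if reason == "hlt":
            return vmcs
        if reason == "out":                # emulate the privileged instruction on the VMCS copy
            out_log.append((vmcs.code[vmcs.rip][1], vmcs.rax))
        vmcs.rip += 1                      # skip the emulated instruction before resuming
```

Running two VMCSs on the same Cpu shows the slide's point: each guest's registers survive in its own VMCS across exits, and the VMM never has to copy them itself.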

Operating System Level Virtualization
- Virtualization is emulated at the operating system layer
- Two possible positions
  - Type 1 VM (Native VM): between the hardware and the OS
  - Type 2 VM (Hosted VM): between the OS and application programs

Operating System Level Virtualization
- [Figure: Type 1 VMM: Guest OS 1 and Guest OS 2 on top of the Virtual Machine Monitor (VMM), which sits directly on the Hardware. Examples: VMware ESX Server, Xen. Type 2 VMM: Guest OS 1 and Guest OS 2 on top of the VMM, which runs on a Host OS above the Hardware. Examples: VMware Workstation, VMware GSX Server, Virtual PC, User Mode Linux]

VMware ESX Server
- [Figure: the VMM, with Scheduler, Memory Mgmt, SCSI Driver and Ethernet Driver, owns the CPU, memory, disk and NICs beneath a Console OS and several Guest OSes]
- Multiplexes hardware resources efficiently among virtual machines
- Runs unmodified binaries w/ performance isolation
- Manages the system hardware directly
- Provides complete control over resource management
- Binary Translation

VMware Binary Translation
- Inspects each instruction before it is executed
- Replaces "dangerous" instructions with calls to emulation code
- Stores sequences of translated instructions in a translation cache
- Fast, but slower than direct execution
- [Figure: CPU State -> "Direct Exec. OK?" -> Direct Execution, otherwise Binary Translation -> Emulated Privileged Instruction -> Return to VM]
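The inspect/replace/cache loop on this slide as an added toy example over a made-up guest ISA; it is not VMware's code, and the instruction names, the CpuState fields and the cache layout are assumptions:

```python
from dataclasses import dataclass, field

# Assumed toy guest ISA (tuples); these opcodes are the "dangerous" ones a VMM
# must not let the guest execute directly on the real CPU.
PRIVILEGED = {"cli", "sti", "out"}

@dataclass
class CpuState:
    regs: dict = field(default_factory=lambda: {"a": 0, "b": 0})
    irq_enabled: bool = True     # the guest's virtual interrupt flag, never the host's
    port_log: list = field(default_factory=list)

def emulate_privileged(op, args, st):
    """Emulation code called in place of a privileged instruction; touches only virtual state."""
    if op in ("cli", "sti"):
        st.irq_enabled = op == "sti"
    elif op == "out":
        st.port_log.append((args[0], st.regs[args[1]]))

def direct(op, args, st):
    """Safe instructions pass through unchanged (direct execution)."""
    if op == "mov":
        st.regs[args[0]] = args[1]
    elif op == "add":
        st.regs[args[0]] += st.regs[args[1]]
    else:
        raise ValueError(f"unknown instruction {op}")

class BinaryTranslator:
    def __init__(self, code):
        self.code = code           # guest instruction stream
        self.cache = {}            # translation cache: block start -> translated block
        self.translations = 0      # blocks actually translated (cache misses)

    def translate_block(self, pc):
        """Inspect every instruction from pc up to the next 'hlt' before it is executed."""
        self.translations += 1
        block = []
        while self.code[pc][0] != "hlt":
            op, *args = self.code[pc]
            handler = emulate_privileged if op in PRIVILEGED else direct
            block.append(lambda st, h=handler, o=op, a=args: h(o, a, st))
            pc += 1
        return block

    def run(self, st, pc=0):
        if pc not in self.cache:   # cache miss: translate the block once, then reuse it
            self.cache[pc] = self.translate_block(pc)
        for step in self.cache[pc]:
            step(st)
        return st
```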

Xen Overview
- Multiplexes physical resources at the granularity of an entire OS
- Runs unmodified binaries w/ performance isolation
  - 100 hosted OS instances
- But: the Guest OS has to be modified!
- Para-Virtualization

Xen Paravirtualization
- Arch xen/x86: like x86, but privileged instructions are replaced with Xen hypercalls
  - Avoids binary rewriting and fault trapping
  - For Linux 2.6, only the arch-dependent files are modified
- Modify the OS to understand the virtualised environment
  - Wall-clock time vs. virtual processor time
  - Xen provides both types of alarm timer
- Expose real resource availability
  - Enables the OS to optimise its behaviour

User Mode Linux Overview
- Provides a self-contained environment
  - Identical to the hosting Linux kernel
  - Processes have no access to host resources that were not explicitly provided
- System Call Interception
- [Figure: the Host OS Kernel runs the Guest OS Kernel/UML; VM User Process 1 and VM User Process 2 run inside the Virtual Machine, with their system calls intercepted via ptrace]

VMware Workstation Overview
- [Figure: Hosted VM architecture: on the PC Hardware (Disks, Memory, CPU, NIC) the Host OS runs the Host OS Apps and the VMApp; the VMDriver inside the Host OS hands control to the VMM, which runs the Virtual Machine with the Guest Operating System and the Guest OS Applications]
- Hosted VM architecture
  - VMApp: user-level application on the host OS
  - VMDriver: device driver inside the host OS
    - Facilitates the transfer of control between the two worlds
  - VMM: privileged virtual machine monitor
    - Binary Translation

Virtualizing a Network Interface
- [Figure: the Guest OS's NIC Driver sits above the VMM; the VMApp and VMDriver in the Host OS, the Host OS NIC Driver, a Virtual Bridge and a Virtual Network Hub connect the virtual interface to the Physical NIC in the PC Hardware and on to the Physical Ethernet]

VMware Workstation Screenshot
- [Figure: screenshot of VMware Workstation]

Application Level VirtualizationTechnologies

API interception through DLL injection and API hookingPartial/complete implementation of APIsEmulate low level kernel implementations in user-space

Useful when the host OS does not provide required support (e.g. Win32 threads vs. pthreads)Mandatory drivers

ExamplesWINE: Win32 API implementation on UnixPOSIX, OS/2 subsystems on Windows

Supports Unix and OS/2 like APILxRun: Linux API implementation on SCO UnixWare, Solaris

Wine Architecture
- Closely follows NT
  - Implements all the "core" DLLs (ntdll, user32, kernel32)
- The Wine server provides the NT backbone
  - Message passing
  - Synchronization
  - Object handles
- Native DLL support for non-core libraries
- Hardware access through Unix device drivers
- API Interception

Language Level Virtualization
- The virtualization layer sits as an application program on top of the operating system
- Can run any programs written for that virtual machine abstraction regardless of the operating system hosting that virtual machine
- [Figure: stack, bottom to top: Real Machine, OS, JVM, Java Byte Code, Applications; interpreted execution]

Questions?

Thanks and see you next time

Applications
- Isolation
  - Sandboxing
  - Debugging/Testing
  - Security experiments (e.g., honeypots)
- Encapsulation
  - Manageability
  - Migration/Mobility
  - Virtual Appliance
- Partition
  - Server/Application Consolidation

Exemplar Application: VM-based IDS
- Problem area: Intrusion Detection Systems (IDS). Trade-offs:
  - Host-based IDS (HIDS):
    + Good visibility to catch the intruder.
    - Weak isolation: the intruder can disable or mask the IDS.
  - Network-based IDS (NIDS):
    + Good isolation from attack by the intruder.
    - Weak visibility can allow the intruder to slip by unnoticed.
- Would like the visibility of a HIDS with the isolation of a NIDS.
  - Idea: do it in the virtual machine monitor.

VM-based IDS
- Strong isolation
  - The VMM isolates software in the VM from the VMM
  - A compromised OS in the VM can't disable the IDS in the VMM
- Introspection: peer inside at the software running in the VM
  - The VMM can see physical memory, registers, I/O device state, etc.
  - Signature scan of memory: look through physical memory for patterns or signs of a break-in
- Interposition: modify the VM abstraction to enhance security
  - Memory Access Enforcer: interpose on page protection
  - NIC Access Enforcer: interpose on the virtual network device
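The introspection and interposition mechanisms on this slide, as an added illustration that is not the page's or any VMM's code: a signature scan over guest physical memory, a memory access enforcer on page protection and a NIC access enforcer; the GuestVM layout, page size, MAC address and the planted signature are constructed assumptions:

```python
import re
from dataclasses import dataclass, field

PAGE = 4096
@dataclass
class GuestVM:
    """The VMM's view of one guest: its physical memory, the per-page write policy,
    the MAC the VMM assigned to its virtual NIC, and an alert log kept outside the VM."""
    mem: bytearray
    mac: bytes
    writable: dict = field(default_factory=dict)   # page number -> may the guest write it?
    alerts: list = field(default_factory=list)
# Introspection: the VMM reads guest physical memory directly, so a compromised guest
# kernel cannot hide these bytes from the scanner the way it could from an in-guest HIDS.
def signature_scan(vm, signatures):
    return [(name, m.start() // PAGE, m.start())
            for name, pat in signatures.items()
            for m in re.finditer(re.escape(pat), bytes(vm.mem))]

# Interposition on page protection: a guest store reaches memory only through the VMM.
def guest_write(vm, addr, data):
    page = addr // PAGE
    if not vm.writable.get(page, True):
        vm.alerts.append(f"memory: write to protected page {page} at {addr:#x} blocked")
        return False
    vm.mem[addr:addr + len(data)] = data
    return True

# Interposition on the virtual NIC: frames leave only with the MAC the VMM assigned.
def guest_send(vm, frame):
    src = frame[6:12]                     # Ethernet header: dst MAC (6), src MAC (6)
    if src != vm.mac:
        vm.alerts.append(f"nic: frame with spoofed source MAC {src.hex()} dropped")
        return False
    return True

def demo():
    """Constructed guest: 4 pages, page 0 is kernel text (read-only by policy), page 2
    holds a constructed signature; the guest tries one legal and one illegal action each."""
    vm = GuestVM(mem=bytearray(4 * PAGE), mac=bytes.fromhex("0242ac110002"), writable={0: False})
    vm.mem[2 * PAGE + 100:2 * PAGE + 118] = b"CONSTRUCTED_SIG_01"   # 18 bytes planted in the guest
    return {
        "data_write": guest_write(vm, 3 * PAGE, b"data"),      # ordinary data page: allowed
        "text_write": guest_write(vm, 0x10, b"\x90\x90"),       # patching kernel text: blocked
        "own_mac": guest_send(vm, b"\xff" * 6 + vm.mac + b"\x08\x00"),
        "spoofed_mac": guest_send(vm, b"\xff" * 6 + bytes.fromhex("deadbeef0001") + b"\x08\x00"),
        "hits": signature_scan(vm, {"constructed-sig": b"CONSTRUCTED_SIG_01"}),
        "alerts": vm.alerts,
    }
```

Both enforcers log to a list the guest cannot reach, which is the isolation property the slide contrasts with an in-guest HIDS.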

VM-based Introspection
- [Figure: hardware, host OS and VMM at the bottom; the guest OS and its application run in the VM above; an IDS engine with its State and Policy modules runs outside the VM, controls the VM through the VMM, and reports intrusions detected]
