Guarded Modules: Adap/vely Extending the VMM s Privileges Into the Guest
|
|
- Julie McCarthy
- 5 years ago
- Views:
Transcription
1 Guarded Modules: Adap/vely Extending the VMM s Privileges Into the Guest Kyle C. Hale Peter Dinda Department of Electrical Engineering and Computer Science Northwestern University hip://halek.co hip://presciencelab.org hip://v3vee.org hip://xstack.sandia.gov/hobbes
2 Redefining the boundaries between VMM and guest OS Guest OS VMM 2
3 Redefining the boundaries between VMM and guest OS VMM VMM Guest OS VMM 3
4 We want to evolve the VMM- guest rela/onship where the interface between the two is more flexible and where parts of the VMM may actually live inside the guest The laier is the focus of this work 4
5 GEARS* Guest-context virtual service Guest VMM Virtual service * K. Hale, P. Dinda. Shi$ing Gears to Enable Guest- context Virtual Services, ICAC
6 Guest VMM Virtual service privileged operations 6
7 Guarded Module can still interact with guest Guest VMM Virtual service 7
8 How can we isolate and protect pieces of code in a guest OS that run at higher privilege than the rest of the guest? How can we allow legacy code con/nue to use guest func/onality? We show how with two examples 8
9 Palacios VMM OS- independent, embeddable VMM Support for mul/ple host OSes (Linux, KiIen LWK) Open source, available at hip://v3vee.org/palacios 9
10 Outline Mo/va/on Christoiza/on Threat Model and Run/me Invariants Run/me System and Border Crossings Examples Selec/vely Privileged PCI Passthrough Selec/vely Privileged MONITOR/MWAIT Conclusions 10
11 Guarded Module Transforma/on Christoization Linux Kernel Module Guarded Module guarded module compiler 11
12 Christoiza/on Compile- /me and link- /me wrapping we use gcc toolchain to instrument (wrap) all calls out of and into the module Christo and Jeanne- Claude wrap the Reichstag, Berlin,
13 The guest is not to be trusted We assume a threat model in which a malicious kernel wants to hijack a service s privilege Execu/on paths entering and leaving the guarded module must be checked 13
14 We maintain control flow integrity Christoiza/on allows VMM to trap all entries into and exits from module = privileged operation Guarded printk() Module Guest record environment VMM VMM validates the environment for unauthorized changes to execu/on path (e.g. return oriented aiacks) 14
15 We maintain control flow integrity Guarded Module return Guest Environment ok? Entry point valid? VMM = privileged operation 15
16 and code integrity Guarded Module write to module code Guest VMM = privileged operation 16
17 and data integrity private module data Guarded Module write to module data Guest VMM = privileged operation 17
18 What we don t provide Parameter checking Module cloaking Currently no support for interac/ons between guarded modules 18
19 Programmer s perspec/ve 1. Write a Linux kernel module (or use an exis/ng one) 2. Run it through our guarded module compiler (christoiza/on) 3. Op/onal: verify iden/fied module entry points 4. Pass to administrator, who registers guarded module with VMM at run/me 19
20 RECAP: Guarded Modules are guest context virtual services that can have elevated privilege, are protected from the untrusted guest that they run in, yet can s/ll use its func/onality The implementa/on is small: ~220 lines of Perl, ~260 lines of Ruby, and ~1000 lines of C (includes both the GM compila/on toolchain and run/me system) available online at hip://v3vee.org/palacios 20
21 Run/me: module entries/exits trap to the VMM We call these trapped events border crossings Privileged Border- out call Illegal ac/vity Border- out ret Border- in ret Unprivileged Border- in call 21
22 Wrapper stubs exit_wrapped: popq %r11 pushq %rax movq $border_out_call, %rax vmmcall popq %rax callq exit pushq %rax movq $border_in_ret, %rax vmmcall popq %rax pushq %r11 ret (to into guarded module) Trap to VMM, record environment Trap to VMM, Check integrity of environment 22
23 Guest Kernel Border der Crossin ngs Bor Border out Border in Guarded Module VMM Border Control State Machine Privileged VMM Access Privileged Hardware Access Hardware 23
24 Typical Border Crossing guarded module printk() return module_init() guest = privileged operation 24
25 Nested Border Crossings guarded module foo() bar() return callback() return return guest = privileged operation 25
26 Border Crossing from External Event guarded module guest iret interrupt = privileged operation 26
27 Experimental Setup Dell PowerEdge R415 2 sockets, 4 cores each => 8 total cores 2.2 GHz AMD Opteron GB memory Host kernel: Fedora 15 with Linux Guest: single vcore with Busybox environment, Linux
28 System- independent overhead is low Cycles Cost of any VM exit misc_exit_handle entry lookup misc_hcall lower/raise Border- out Call Border- in Ret Border- in Call Border- out Ret 28
29 but ensuring control- flow integrity is expensive Cycles Stack checking entry_lookup misc_exit_handle misc_hcall check priv lower/raise Border- out Call Border- in Ret Border- in Call Border- out Ret 29
30 Outline Mo/va/on Christoiza/on Threat Model and Run/me Invariants Run/me System and Border Crossings Examples Selec/vely Privileged PCI Passthrough Selec/vely Privileged MONITOR/MWAIT Related Work and Conclusions 30
31 We transformed a NIC driver into a guarded module guest VMM guarded module Broadcom BCM5716 1Gb/s no manual modifica/ons to NIC driver! 31
32 SelecFvely expose the PCI BARs to the guest guarded module 1 privileged mode guarded module 2 unprivileged mode r val w r w PCI I/O and memory BARs Hardware NIC 32
33 Bandwidth drops, but border crossing count is very high! Each border crossing is ~16,000 cycles (7.3 μs) Packet Sends Border- in 1.06 Border- out 1.06 Border Crossings / Packet Send 2.12 Packet Receives Border- in 4.64 Border- out 4.64 Border Crossings / Packet Receive 9.28 Many of these are leaf functions! 33
34 We implemented an adap/ve idle loop with selec/ve privilege MONITOR/MWAIT instruc/ons allow a CPU to go into a low- power state un/l a write occurs to a region of memory MONITOR [addr] MWAIT 34
35 VMs can t typically use these instruc/ons Puts physical core to sleep. Other VMs/processes on that core will starve But if the guest knows how many guests are on the machine (VMM state), we can let it run these instruc/ons when idling Can t let untrusted parts of guest hijack this capability! 35
36 Adap/ve mwait_idle() as a guarded module guest idle() mwait_idle() Other vcores present? no guarded module 36
37 zzz zzz vcore 0 mwait_idle() vcore 0 default_idle() idle loop redirec/on stub (guarded module) vcore 1 pcore 0 pcore 1 Scenario 1: a single vcore Scenario 2: vcores sharing a physical core 37
38 Guarded Modules as adapfve, guest- context virtual services We re leveraging VMM global informa/on about the environment That informa/on is only exposed to the guarded module this presents a new way to adapt VMs at run/me 38
39 Related Work Nooks isolate faulty code in kernel modules with wrappers. Kernel requires modifica/on, protec/ng guest from modules [Swit, SOSP 03] LXFI, SecVisor protect kernel against aiack with VMM- authorized code [Mao, SOSP 11], [Seshadri, SOSP 07] SIM guest- resident VMM code, but special- purpose, uses completely separate address space [Sharif, CCS 09] 39
40 Conclusions We ve shown the feasibility of adapfvely extending the VMM into the guest with guarded modules General technique to automa/cally transform kernel modules into guarded modules Two proof- of- concept examples: - Selec/ve Privilege for Commodity NIC driver - Selec/ve Privilege for MONITOR/MWAIT 40
41 Future Work Feasibility of automa/cally inlining leaf func/ons into modules (making them more self- contained) Further mo/va/ng examples for guarded modules Generaliza/on of guarded modules modules with VMM- controlled, specialized execu/on modes 41
42 We are rethinking system sotware interfaces This talk focused on virtualiza/on, but we re thinking bigger (HW/VMM/OS/app) It s /me to reconsider the structure of our system sotware stacks We can adapt sotware services, but can we adapt their organiza/on/structure? 42
43 For more info: Kyle C. Hale hip://halek.co hip://presciencelab.org hip://v3vee.org hip://xstack.sandia.gov/hobbes
Virtualization. Introduction. Why we interested? 11/28/15. Virtualiza5on provide an abstract environment to run applica5ons.
Virtualization Yifu Rong Introduction Virtualiza5on provide an abstract environment to run applica5ons. Virtualiza5on technologies have a long trail in the history of computer science. Why we interested?
More informationVMM Emulation of Intel Hardware Transactional Memory
VMM Emulation of Intel Hardware Transactional Memory Maciej Swiech, Kyle Hale, Peter Dinda Northwestern University V3VEE Project www.v3vee.org Hobbes Project 1 What will we talk about? We added the capability
More informationCSE 451: Operating Systems. Sec$on 2 Interrupts, system calls, and project 1
CSE 451: Operating Systems Sec$on 2 Interrupts, system calls, and project 1 Interrupts Ü Interrupt Ü Hardware interrupts caused by devices signaling CPU Ü Excep$on Ü Uninten$onal sobware interrupt Ü Ex:
More informationVirtualization, Xen and Denali
Virtualization, Xen and Denali Susmit Shannigrahi November 9, 2011 Susmit Shannigrahi () Virtualization, Xen and Denali November 9, 2011 1 / 70 Introduction Virtualization is the technology to allow two
More information2. RELATED WORK Adaptive or autonomic computing in virtualized computing environments is an area of considerable current interest and promise (e.g., [
Shifting GEARS to Enable Guest-context Virtual Services Kyle C. Hale Dept. of EECS Northwestern University Evanston, IL 60208 kh@u.northwestern.edu Lei Xia Dept. of EECS Northwestern University Evanston,
More informationVirtualization. Virtualization
Virtualization Virtualization Memory virtualization Process feels like it has its own address space Created by MMU, configured by OS Storage virtualization Logical view of disks connected to a machine
More informationAutoscopy Jr.: Intrusion Detec3on for Embedded Control Systems
Autoscopy Jr.: Intrusion Detec3on for Embedded Control Systems Jason Reeves, Ashwin Ramaswamy, Michael Locasto, Sergey Bratus, and Sean Smith CSRS 2011 Dartmouth College September 24, 2011 1 Outline Mo3va3on
More informationHardware- assisted Virtualization
Hardware- assisted Virtualization Pra$k Shah (pcshah) Rohan Pa$l (rspa$l) 15-612 Opera,ng System Prac,cum Carnegie Mellon University 1 Agenda Introduc)on to VT- x CPU virtualiza)on with VT- x VMX VMX Transi$ons
More informationBackground. IBM sold expensive mainframes to large organiza<ons. Monitor sits between one or more OSes and HW
Virtual Machines Background IBM sold expensive mainframes to large organiza
More informationBackground. IBM sold expensive mainframes to large organiza<ons. Monitor sits between one or more OSes and HW
Virtual Machines Background IBM sold expensive mainframes to large organiza
More informationOutline. Compiling process Linking libraries Common compiling op2ons Automa2ng the process
Compiling Programs Outline Compiling process Linking libraries Common compiling op2ons Automa2ng the process Program compilation Programmers usually writes code in high- level programming languages (e.g.
More informationEnabling Hybrid Parallel Runtimes Through Kernel and Virtualization Support. Kyle C. Hale and Peter Dinda
Enabling Hybrid Parallel Runtimes Through Kernel and Virtualization Support Kyle C. Hale and Peter Dinda Hybrid Runtimes the runtime IS the kernel runtime not limited to abstractions exposed by syscall
More informationSecure Server Project. Xen Project Developer Summit 2013 Adven9um Labs Jason Sonnek
Secure Server Project Xen Project Developer Summit 2013 Adven9um Labs Jason Sonnek 1 Outline I. Mo9va9on, Objec9ves II. Threat Landscape III. Design IV. Status V. Roadmap 2 Mo9va9on In a nutshell: Secure
More informationmore uml: sequence & use case diagrams
more uml: sequence & use case diagrams uses of uml as a sketch: very selec)ve informal and dynamic forward engineering: describe some concept you need to implement reverse engineering: explain how some
More informationCSE Opera+ng System Principles
CSE 30341 Opera+ng System Principles Lecture 3 Systems Structure Project 1 Intro CSE 30341 Opera+ng System Principles 2 1 Recap Last Lecture I/O Structure (I/O Interface, DMA) Storage and Memory Hierarchy
More informationG Xen and Nooks. Robert Grimm New York University
G22.3250-001 Xen and Nooks Robert Grimm New York University Agenda! Altogether now: The three questions! The (gory) details of Xen! We already covered Disco, so let s focus on the details! Nooks! The grand
More informationSFO17-403: Optimizing the Design and Implementation of KVM/ARM
SFO17-403: Optimizing the Design and Implementation of KVM/ARM Christoffer Dall connect.linaro.org Efficient, isolated duplicate of the real machine Popek and Golberg [Formal requirements for virtualizable
More informationNetworks and Opera/ng Systems Chapter 21: Virtual Machine Monitors ( )
Networks and Opera/ng Systems Chapter 21: Virtual Machine Monitors (252 0062 00) Donald Kossmann & Torsten Hoefler Frühjahrssemester 2013 Systems Group Department of Computer Science ETH Zürich Last /me:
More informationCS 61C: Great Ideas in Computer Architecture (Machine Structures) Lecture 32: Pipeline Parallelism 3
CS 61C: Great Ideas in Computer Architecture (Machine Structures) Lecture 32: Pipeline Parallelism 3 Instructor: Dan Garcia inst.eecs.berkeley.edu/~cs61c! Compu@ng in the News At a laboratory in São Paulo,
More informationEDAN65: Compilers, Lecture 13 Run;me systems for object- oriented languages. Görel Hedin Revised:
EDAN65: Compilers, Lecture 13 Run;me systems for object- oriented languages Görel Hedin Revised: 2014-10- 13 This lecture Regular expressions Context- free grammar ATribute grammar Lexical analyzer (scanner)
More informationAlterna(ve Architectures
Alterna(ve Architectures COMS W4118 Prof. Kaustubh R. Joshi krj@cs.columbia.edu hep://www.cs.columbia.edu/~krj/os References: Opera(ng Systems Concepts (9e), Linux Kernel Development, previous W4118s Copyright
More informationCS5460: Operating Systems
CS5460: Operating Systems Lecture 2: OS Hardware Interface (Chapter 2) Course web page: http://www.eng.utah.edu/~cs5460/ CADE lab: WEB L224 and L226 http://www.cade.utah.edu/ Projects will be on Linux
More informationOperating System Security
Operating System Security Operating Systems Defined Hardware: I/o...Memory.CPU Operating Systems: Windows or Android, etc Applications run on operating system Operating Systems Makes it easier to use resources.
More informationHow to use the BigDataBench simulator versions
How to use the BigDataBench simulator versions Zhen Jia Institute of Computing Technology, Chinese Academy of Sciences BigDataBench Tutorial MICRO 2014 Cambridge, UK INSTITUTE OF COMPUTING TECHNOLOGY Objec8ves
More informationOpera&ng Systems ECE344
Opera&ng Systems ECE344 Lecture 8: Paging Ding Yuan Lecture Overview Today we ll cover more paging mechanisms: Op&miza&ons Managing page tables (space) Efficient transla&ons (TLBs) (&me) Demand paged virtual
More informationXen and the Art of Virtualiza2on
Paul Barham, Boris Dragovic, Keir Fraser, Steven Hand, Tim Harris, Alex Ho, Rolf Neugebauer, Ian PraF, Andrew Warfield University of Cambridge Computer Laboratory Kyle SchuF CS 5204 Virtualiza2on Abstrac2on
More informationVerifiable Cloud Outsourcing for Network Func9ons (+ Verifiable Resource Accoun9ng for Cloud Services)
1 Verifiable Cloud Outsourcing for Network Func9ons (+ Verifiable Resource Accoun9ng for Cloud Services) Vyas Sekar vnfo joint with Seyed Fayazbakhsh, Mike Reiter VRA joint with Chen Chen, Petros Mania9s,
More informationW4118: interrupt and system call. Junfeng Yang
W4118: interrupt and system call Junfeng Yang Outline Motivation for protection Interrupt System call 2 Need for protection Kernel privileged, cannot trust user processes User processes may be malicious
More informationDifference Engine: Harnessing Memory Redundancy in Virtual Machines (D. Gupta et all) Presented by: Konrad Go uchowski
Difference Engine: Harnessing Memory Redundancy in Virtual Machines (D. Gupta et all) Presented by: Konrad Go uchowski What is Virtual machine monitor (VMM)? Guest OS Guest OS Guest OS Virtual machine
More informationTo EL2, and Beyond! connect.linaro.org. Optimizing the Design and Implementation of KVM/ARM
To EL2, and Beyond! Optimizing the Design and Implementation of KVM/ARM LEADING COLLABORATION IN THE ARM ECOSYSTEM Christoffer Dall Shih-Wei Li connect.linaro.org
More informationMachine- Level Representa2on: Procedure
Machine- Level Representa2on: Procedure CSCI 2021: Machine Architecture and Organiza2on Pen- Chung Yew Department Computer Science and Engineering University of Minnesota With Slides from Bryant, O Hallaron
More informationCOS 318: Operating Systems. Virtual Machine Monitors
COS 318: Operating Systems Virtual Machine Monitors Prof. Margaret Martonosi Computer Science Department Princeton University http://www.cs.princeton.edu/courses/archive/fall11/cos318/ Announcements Project
More informationVirtualization. Dr. Yingwu Zhu
Virtualization Dr. Yingwu Zhu Virtualization Definition Framework or methodology of dividing the resources of a computer into multiple execution environments. Types Platform Virtualization: Simulate a
More informationThe Kernel Abstrac/on
The Kernel Abstrac/on Debugging as Engineering Much of your /me in this course will be spent debugging In industry, 50% of sobware dev is debugging Even more for kernel development How do you reduce /me
More informationSecVisor: A Tiny Hypervisor for Lifetime Kernel Code Integrity
SecVisor: A Tiny Hypervisor for Lifetime Kernel Code Integrity Arvind Seshadri, Mark Luk, Ning Qu, Adrian Perrig Carnegie Mellon University Kernel rootkits Motivation Malware inserted into OS kernels Anti
More informationVirtualization. Pradipta De
Virtualization Pradipta De pradipta.de@sunykorea.ac.kr Today s Topic Virtualization Basics System Virtualization Techniques CSE506: Ext Filesystem 2 Virtualization? A virtual machine (VM) is an emulation
More informationA Userspace Packet Switch for Virtual Machines
SHRINKING THE HYPERVISOR ONE SUBSYSTEM AT A TIME A Userspace Packet Switch for Virtual Machines Julian Stecklina OS Group, TU Dresden jsteckli@os.inf.tu-dresden.de VEE 2014, Salt Lake City 1 Motivation
More informationModule 1: Virtualization. Types of Interfaces
Module 1: Virtualization Virtualization: extend or replace an existing interface to mimic the behavior of another system. Introduced in 1970s: run legacy software on newer mainframe hardware Handle platform
More informationBack To The Future: A Radical Insecure Design of KVM on ARM
Back To The Future: A Radical Insecure Design of KVM on ARM Abstract In ARM, there are certain instructions that generate exceptions. Such instructions are typically executed to request a service from
More informationVirtual Machines. Jinkyu Jeong Computer Systems Laboratory Sungkyunkwan University
Virtual Machines Jinkyu Jeong (jinkyu@skku.edu) Computer Systems Laboratory Sungkyunkwan University http://csl.skku.edu Today's Topics History and benefits of virtual machines Virtual machine technologies
More informationAdvanced branch predic.on algorithms. Ryan Gabrys Ilya Kolykhmatov
Advanced branch predic.on algorithms Ryan Gabrys Ilya Kolykhmatov Context Branches are frequent: 15-25 % A branch predictor allows the processor to specula.vely fetch and execute instruc.ons down the predicted
More informationPrac%cal Control Flow Integrity & Randomiza%on for Binary Executables
Prac%cal Control Flow Integrity & Randomiza%on for Binary Executables Chao Zhang Tao Wei Zhaofeng Chen Lei Duan Peking University Peking University UC Berkeley Peking University Peking University László
More informationVirtual Memory: Concepts
Virtual Memory: Concepts 5-23 / 8-23: Introduc=on to Computer Systems 6 th Lecture, Mar. 8, 24 Instructors: Anthony Rowe, Seth Goldstein, and Gregory Kesden Today VM Movaon and Address spaces ) VM as a
More informationVirtualization. Starting Point: A Physical Machine. What is a Virtual Machine? Virtualization Properties. Types of Virtualization
Starting Point: A Physical Machine Virtualization Based on materials from: Introduction to Virtual Machines by Carl Waldspurger Understanding Intel Virtualization Technology (VT) by N. B. Sahgal and D.
More informationVirtualization. ! Physical Hardware Processors, memory, chipset, I/O devices, etc. Resources often grossly underutilized
Starting Point: A Physical Machine Virtualization Based on materials from: Introduction to Virtual Machines by Carl Waldspurger Understanding Intel Virtualization Technology (VT) by N. B. Sahgal and D.
More informationVirtual Machines. Part 2: starting 19 years ago. Operating Systems In Depth IX 1 Copyright 2018 Thomas W. Doeppner. All rights reserved.
Virtual Machines Part 2: starting 19 years ago Operating Systems In Depth IX 1 Copyright 2018 Thomas W. Doeppner. All rights reserved. Operating Systems In Depth IX 2 Copyright 2018 Thomas W. Doeppner.
More informationAdvanced Systems Security: Virtual Machine Systems
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security:
More informationThis lecture. Virtual Memory. Virtual memory (VM) CS Instructor: Sanjeev Se(a
Virtual Memory Instructor: Sanjeev Se(a This lecture (VM) Overview and mo(va(on VM as tool for caching VM as tool for memory management VM as tool for memory protec(on Address transla(on 2 Virtual Memory
More informationIntel s Virtualization Extensions (VT-x) So you want to build a hypervisor?
Intel s Virtualization Extensions (VT-x) So you want to build a hypervisor? Mr. Jacob Torrey May 13, 2014 Dartmouth College 153 Brooks Road, Rome, NY 315.336.3306 http://ainfosec.com @JacobTorrey torreyj@ainfosec.com
More informationRDMA-like VirtIO Network Device for Palacios Virtual Machines
RDMA-like VirtIO Network Device for Palacios Virtual Machines Kevin Pedretti UNM ID: 101511969 CS-591 Special Topics in Virtualization May 10, 2012 Abstract This project developed an RDMA-like VirtIO network
More informationChapter 5 C. Virtual machines
Chapter 5 C Virtual machines Virtual Machines Host computer emulates guest operating system and machine resources Improved isolation of multiple guests Avoids security and reliability problems Aids sharing
More informationImplementation and Analysis of Large Receive Offload in a Virtualized System
Implementation and Analysis of Large Receive Offload in a Virtualized System Takayuki Hatori and Hitoshi Oi The University of Aizu, Aizu Wakamatsu, JAPAN {s1110173,hitoshi}@u-aizu.ac.jp Abstract System
More informationPROTECTING VM REGISTER STATE WITH AMD SEV-ES DAVID KAPLAN LSS 2017
PROTECTING VM REGISTER STATE WITH AMD SEV-ES DAVID KAPLAN LSS 2017 BACKGROUND-- HARDWARE MEMORY ENCRYPTION AMD Secure Memory Encryption (SME) / AMD Secure Encrypted Virtualization (SEV) Hardware AES engine
More informationCS370: Operating Systems [Spring 2017] Dept. Of Computer Science, Colorado State University
Frequently asked questions from the previous class survey CS 370: OPERATING SYSTEMS [VIRTUALIZATION] Shrideep Pallickara Computer Science Colorado State University Difference between physical and logical
More informationDefeating Return-Oriented Rootkits with Return-less Kernels
5 th ACM SIGOPS EuroSys Conference, Paris, France April 15 th, 2010 Defeating Return-Oriented Rootkits with Return-less Kernels Jinku Li, Zhi Wang, Xuxian Jiang, Mike Grace, Sina Bahram Department of Computer
More informationOperating Systems 4/27/2015
Virtualization inside the OS Operating Systems 24. Virtualization Memory virtualization Process feels like it has its own address space Created by MMU, configured by OS Storage virtualization Logical view
More informationCS 550 Operating Systems Spring Introduction to Virtual Machines
CS 550 Operating Systems Spring 2018 Introduction to Virtual Machines 1 How to share a physical computer Operating systems allows multiple processes/applications to run simultaneously Via process/memory
More informationCSE 120 Principles of Operating Systems
CSE 120 Principles of Operating Systems Spring 2018 Lecture 16: Virtual Machine Monitors Geoffrey M. Voelker Virtual Machine Monitors 2 Virtual Machine Monitors Virtual Machine Monitors (VMMs) are a hot
More informationLive Migration of Direct-Access Devices. Live Migration
Live Migration of Direct-Access Devices Asim Kadav and Michael M. Swift University of Wisconsin - Madison Live Migration Migrating VM across different hosts without noticeable downtime Uses of Live Migration
More informationVirtual Machine Security
Virtual Machine Security CSE443 - Spring 2012 Introduction to Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse443-s12/ 1 Operating System Quandary Q: What is the primary goal
More informationSecVisor: A Tiny Hypervisor to Provide Lifetime Kernel Code Integrity for Commodity OSes
SecVisor: A Tiny Hypervisor to Provide Lifetime Kernel Code Integrity for Commodity OSes Arvind Seshadri Mark Luk Ning Qu Adrian Perrig CyLab/CMU CyLab/CMU CyLab/CMU CyLab/CMU Pittsburgh, PA, USA Pittsburgh,
More informationSQLite with a Fine-Toothed Comb. John Regehr Trust-in-So1 / University of Utah
SQLite with a Fine-Toothed Comb John Regehr Trust-in-So1 / University of Utah Feasible states for a system we care about No execu
More informationElectrical Engineering and Computer Science Department
Electrical Engineering and Computer Science Department Technical Report Number: NU-EECS-16-03 March, 2016 Automatic Hybridization of Runtime Systems Kyle C. Hale, Conor Hetland, and Peter Dinda Abstract
More informationRISCV with Sanctum Enclaves. Victor Costan, Ilia Lebedev, Srini Devadas
RISCV with Sanctum Enclaves Victor Costan, Ilia Lebedev, Srini Devadas Today, privilege implies trust (1/3) If computing remotely, what is the TCB? Priviledge CPU HW Hypervisor trusted computing base OS
More informationFollow us on Twitter for important news and Compiling Programs
Follow us on Twitter for important news and updates: @ACCREVandy Compiling Programs Outline Compiling process Linking libraries Common compiling op2ons Automa2ng the process Program compilation Programmers
More informationHard Real-time Scheduling for Parallel Run-time Systems
Hard Real-time Scheduling for Parallel Run-time Systems Peter Dinda Xiaoyang Wang Jinghang Wang Chris Beauchene Conor Hetland Prescience Lab Department of EECS Northwestern University pdinda.org presciencelab.org
More informationThe Challenges of X86 Hardware Virtualization. GCC- Virtualization: Rajeev Wankar 36
The Challenges of X86 Hardware Virtualization GCC- Virtualization: Rajeev Wankar 36 The Challenges of X86 Hardware Virtualization X86 operating systems are designed to run directly on the bare-metal hardware,
More informationOriginally prepared by Lehigh graduate Greg Bosch; last modified April 2016 by B. Davison
Virtualization Originally prepared by Lehigh graduate Greg Bosch; last modified April 2016 by B. Davison I. Introduction to Virtualization II. Virtual liances III. Benefits to Virtualization IV. Example
More informationLecture 2: Memory in C
CIS 330:! / / / / (_) / / / / _/_/ / / / / / \/ / /_/ / `/ \/ / / / _/_// / / / / /_ / /_/ / / / / /> < / /_/ / / / / /_/ / / / /_/ / / / / / \ /_/ /_/_/_/ _ \,_/_/ /_/\,_/ \ /_/ \ //_/ /_/ Lecture 2:
More informationVirtual Memory. Lecture for CPSC 5155 Edward Bosworth, Ph.D. Computer Science Department Columbus State University
Virtual Memory Lecture for CPSC 5155 Edward Bosworth, Ph.D. Computer Science Department Columbus State University Precise Definition of Virtual Memory Virtual memory is a mechanism for translating logical
More informationVirtual Machines. To do. q VM over time q Implementation methods q Hardware features supporting VM q Next time: Midterm?
Virtual Machines To do q VM over time q Implementation methods q Hardware features supporting VM q Next time: Midterm? *Partially based on notes from C. Waldspurger, VMware, 2010 and Arpaci-Dusseau s Three
More informationFast access ===> use map to find object. HW == SW ===> map is in HW or SW or combo. Extend range ===> longer, hierarchical names
Fast access ===> use map to find object HW == SW ===> map is in HW or SW or combo Extend range ===> longer, hierarchical names How is map embodied: --- L1? --- Memory? The Environment ---- Long Latency
More informationVirtual Machine Monitors (VMMs) are a hot topic in
CSE 120 Principles of Operating Systems Winter 2007 Lecture 16: Virtual Machine Monitors Keith Marzullo and Geoffrey M. Voelker Virtual Machine Monitors Virtual Machine Monitors (VMMs) are a hot topic
More informationBackground. IBM sold expensive mainframes to large organizations. Monitor sits between one or more OSes and HW
Virtual Machines Background IBM sold expensive mainframes to large organizations Some wanted to run different OSes at the same time (because applications were developed on old OSes) Solution: IBM developed
More informationARMlock: Hardware-based Fault Isolation for ARM
ARMlock: Hardware-based Fault Isolation for ARM Yajin Zhou, Xiaoguang Wang, Yue Chen, and Zhi Wang North Carolina State University Xi an Jiaotong University Florida State University Software is Complicated
More informationRack Disaggregation Using PCIe Networking
Ethernet-based Software Defined Network (SDN) Rack Disaggregation Using PCIe Networking Cloud Computing Research Center for Mobile Applications (CCMA) Industrial Technology Research Institute 雲端運算行動應用研究中心
More informationMo;va;on. Program Equivalence. Performance. Goal. More Pain, More Gain 10/27/15. Program Equivalence. (slides due to Rahul Sharma)
Mo;va;on Program Equivalence Verifica/on is specifica/on- limited We need specifica/ons to verifica/on And specifica/ons are hard to come by (slides due to Rahul Sharma) Much research focuses on well-
More informationProfiling & Tuning Applica1ons. CUDA Course July István Reguly
Profiling & Tuning Applica1ons CUDA Course July 21-25 István Reguly Introduc1on Why is my applica1on running slow? Work it out on paper Instrument code Profile it NVIDIA Visual Profiler Works with CUDA,
More informationCSE Opera*ng System Principles
CSE 30341 Opera*ng System Principles Overview/Introduc7on Syllabus Instructor: Chris*an Poellabauer (cpoellab@nd.edu) Course Mee*ngs TR 9:30 10:45 DeBartolo 101 TAs: Jian Yang, Josh Siva, Qiyu Zhi, Louis
More informationOperating System Kernels
Operating System Kernels Presenter: Saikat Guha Cornell University CS 614, Fall 2005 Operating Systems Initially, the OS was a run-time library Batch ( 55 65): Resident, spooled jobs Multiprogrammed (late
More informationIntroduc)on to Xeon Phi
Introduc)on to Xeon Phi ACES Aus)n, TX Dec. 04 2013 Kent Milfeld, Luke Wilson, John McCalpin, Lars Koesterke TACC What is it? Co- processor PCI Express card Stripped down Linux opera)ng system Dense, simplified
More informationConfinement (Running Untrusted Programs)
Confinement (Running Untrusted Programs) Chester Rebeiro Indian Institute of Technology Madras Untrusted Programs How to run untrusted programs and not harm your system? Answer: Confinement (some:mes called
More informationFast access ===> use map to find object. HW == SW ===> map is in HW or SW or combo. Extend range ===> longer, hierarchical names
Fast access ===> use map to find object HW == SW ===> map is in HW or SW or combo Extend range ===> longer, hierarchical names How is map embodied: --- L1? --- Memory? The Environment ---- Long Latency
More informationDesign Principles & Prac4ces
Design Principles & Prac4ces Robert France Robert B. France 1 Understanding complexity Accidental versus Essen4al complexity Essen%al complexity: Complexity that is inherent in the problem or the solu4on
More informationLinux and Xen. Andrea Sarro. andrea.sarro(at)quadrics.it. Linux Kernel Hacking Free Course IV Edition
Linux and Xen Andrea Sarro andrea.sarro(at)quadrics.it Linux Kernel Hacking Free Course IV Edition Andrea Sarro (andrea.sarro(at)quadrics.it) Linux and Xen 07/05/2008 1 / 37 Introduction Xen and Virtualization
More informationSingle and mul,threaded processes
1 Single and mul,threaded processes Why threads? Express concurrency Web server (mul,ple requests), Browser (GUI + network I/O + rendering), most GUI programs for(;;) { struct request *req = get_request();
More informationVirtual machines are an interesting extension of the virtual-memory concept: not only do we give processes the illusion that they have all of memory
Virtual machines are an interesting extension of the virtual-memory concept: not only do we give processes the illusion that they have all of memory to themselves, but also we give them the illusion that
More informationXen and the Art of Virtualization
Xen and the Art of Virtualization Paul Barham, Boris Dragovic, Keir Fraser, Steven Hand, Tim Harris, Alex Ho, Rolf Neugebauer, Ian Pratt, Andrew Warfield Presented by Thomas DuBuisson Outline Motivation
More informationLecture 2: September 9
CMPSCI 377 Operating Systems Fall 2010 Lecture 2: September 9 Lecturer: Prashant Shenoy TA: Antony Partensky & Tim Wood 2.1 OS & Computer Architecture The operating system is the interface between a user
More informationSoK: A Study of Using Hardwareassisted. Environments for Security. Fengwei Zhang and Hongwei Zhang. Wayne State University Detroit, Michigan, USA
SoK: A Study of Using Hardwareassisted Isolated Execu
More informationVirtualization. Adam Belay
Virtualization Adam Belay What is a virtual machine Simulation of a computer Running as an application on a host computer Accurate Isolated Fast Why use a virtual machine? To run multiple
More informationLearning Outcomes. Extended OS. Observations Operating systems provide well defined interfaces. Virtual Machines. Interface Levels
Learning Outcomes Extended OS An appreciation that the abstract interface to the system can be at different levels. Virtual machine monitors (VMMs) provide a lowlevel interface An understanding of trap
More informationToday s Objec4ves. Data Center. Virtualiza4on Cloud Compu4ng Amazon Web Services. What did you think? 10/23/17. Oct 23, 2017 Sprenkle - CSCI325
Today s Objec4ves Virtualiza4on Cloud Compu4ng Amazon Web Services Oct 23, 2017 Sprenkle - CSCI325 1 Data Center What did you think? Oct 23, 2017 Sprenkle - CSCI325 2 1 10/23/17 Oct 23, 2017 Sprenkle -
More informationkguard++: Improving the Performance of kguard with Low-latency Code Inflation
kguard++: Improving the Performance of kguard with Low-latency Code Inflation Jordan P. Hendricks Brown University Abstract In this paper, we introduce low-latency code inflation for kguard, a GCC plugin
More informationCSSE232 Computer Architecture I. Datapath
CSSE232 Computer Architecture I Datapath Class Status Reading Sec;ons 4.1-3 Project Project group milestone assigned Indicate who you want to work with Indicate who you don t want to work with Due next
More informationReturn-Oriented Rootkits
Return-Oriented Rootkits Ralf Hund Troopers March 10, 2010 What is Return-Oriented Programming? New emerging attack technique, pretty hyped topic Gained awareness in 2007 in Hovav Shacham s paper The Geometry
More informationAMD Pacifica Virtualization Technology
AMD Pacifica Virtualization Technology AMD Unveils Virtualization Platform AMD Pacifica Tutorial 2 Virtual Machine Approaches Carve a Server into Many Virtual Machines Hosted Virtualization Hypervisor-based
More informationShells and Processes. Bryce Boe 2012/08/08 CS32, Summer 2012 B
Shells and Processes Bryce Boe 2012/08/08 CS32, Summer 2012 B Outline Opera>ng Systems and Linux Review Shells Project 1 Part 1 Overview Processes Overview for Monday (Sor>ng Presenta>ons) OS Review Opera>ng
More informationSpring 2017 :: CSE 506. Introduction to. Virtual Machines. Nima Honarmand
Introduction to Virtual Machines Nima Honarmand Virtual Machines & Hypervisors Virtual Machine: an abstraction of a complete compute environment through the combined virtualization of the processor, memory,
More informationSystem Virtual Machines
System Virtual Machines Outline Need and genesis of system Virtual Machines Basic concepts User Interface and Appearance State Management Resource Control Bare Metal and Hosted Virtual Machines Co-designed
More information