CprE Virtualization. Dr. Yong Guan. Department of Electrical and Computer Engineering & Information Assurance Center Iowa State University

Similar documents
Virtual Machines. Part 2: starting 19 years ago. Operating Systems In Depth IX 1 Copyright 2018 Thomas W. Doeppner. All rights reserved.

Module 1: Virtualization. Types of Interfaces

Virtualization. Starting Point: A Physical Machine. What is a Virtual Machine? Virtualization Properties. Types of Virtualization

Virtualization. ! Physical Hardware Processors, memory, chipset, I/O devices, etc. Resources often grossly underutilized

Spring 2017 :: CSE 506. Introduction to. Virtual Machines. Nima Honarmand

Operating Systems 4/27/2015

The Challenges of X86 Hardware Virtualization. GCC- Virtualization: Rajeev Wankar 36

WoW. CS Summer Handout #26: Virtual Machines. What If? Review: What is an OS? One way: Complete Machine Simulation

Lecture 5: February 3

CSE543 - Computer and Network Security Module: Virtualization

Virtualization and memory hierarchy

COMPUTER ARCHITECTURE. Virtualization and Memory Hierarchy

CSC 5930/9010 Cloud S & P: Virtualization

Virtualization. Pradipta De

Virtualization. Dr. Yingwu Zhu

Distributed Systems COMP 212. Lecture 18 Othon Michail

The Architecture of Virtual Machines Lecture for the Embedded Systems Course CSD, University of Crete (April 29, 2014)

CSE543 - Computer and Network Security Module: Virtualization

references Virtualization services Topics Virtualization

Virtual Machines. To do. q VM over time q Implementation methods q Hardware features supporting VM q Next time: Midterm?

CS 350 Winter 2011 Current Topics: Virtual Machines + Solid State Drives

Xen and the Art of Virtualization. Nikola Gvozdiev Georgian Mihaila

Nested Virtualization and Server Consolidation

Virtual Machine Security

Overview of System Virtualization: The most powerful platform for program analysis and system security. Zhiqiang Lin

CSE543 - Computer and Network Security Module: Virtualization

Virtual Machine Monitors!

Chapter 5 C. Virtual machines

Virtualization. Virtualization

Intel s Virtualization Extensions (VT-x) So you want to build a hypervisor?

Advanced Operating Systems (CS 202) Virtualization

CSE 120 Principles of Operating Systems

Virtualization. Operating Systems, 2016, Meni Adler, Danny Hendler & Amnon Meisels

COS 318: Operating Systems. Virtual Machine Monitors

CS-580K/480K Advanced Topics in Cloud Computing. VM Virtualization II

OS Virtualization. Why Virtualize? Introduction. Virtualization Basics 12/10/2012. Motivation. Types of Virtualization.

Introduction to Virtualization

Virtualization. ...or how adding another layer of abstraction is changing the world. CIS 399: Unix Skills University of Pennsylvania.

CS370: Operating Systems [Spring 2017] Dept. Of Computer Science, Colorado State University

Multiprocessor Scheduling. Multiprocessor Scheduling

LINUX Virtualization. Running other code under LINUX

24-vm.txt Mon Nov 21 22:13: Notes on Virtual Machines , Fall 2011 Carnegie Mellon University Randal E. Bryant.

NON SCHOLAE, SED VITAE

Lecture 7. Xen and the Art of Virtualization. Paul Braham, Boris Dragovic, Keir Fraser et al. 16 November, Advanced Operating Systems

EE 660: Computer Architecture Cloud Architecture: Virtualization

Cloud Computing Virtualization

Virtualization and Virtual Machines. CS522 Principles of Computer Systems Dr. Edouard Bugnion

Virtual Machines Disco and Xen (Lecture 10, cs262a) Ion Stoica & Ali Ghodsi UC Berkeley February 26, 2018

Introduction to Cloud Computing and Virtualization. Mayank Mishra Sujesha Sudevalayam PhD Students CSE, IIT Bombay

What is KVM? KVM patch. Modern hypervisors must do many things that are already done by OSs Scheduler, Memory management, I/O stacks


Virtual Machine Monitors (VMMs) are a hot topic in

CHAPTER 16 - VIRTUAL MACHINES

CS370 Operating Systems

1 Virtualization Recap

The Future of Virtualization

Virtualization. join, aggregation, concatenation, array, N 1 ühendamine, agregeerimine, konkateneerimine, massiiv

LIA. Large Installation Administration. Virtualization

for Kerrighed? February 1 st 2008 Kerrighed Summit, Paris Erich Focht NEC

Virtualization, Xen and Denali

Making Nested Virtualization Real by Using Hardware Virtualization Features

Virtual Leverage: Server Consolidation in Open Source Environments. Margaret Lewis Commercial Software Strategist AMD

Virtualization. Adam Belay

A Survey on Virtualization Technologies

Introduction to Virtual Machines. Carl Waldspurger (SB SM 89 PhD 95) VMware R&D

CSCI 8530 Advanced Operating Systems. Part 19 Virtualization

Background. IBM sold expensive mainframes to large organizations. Monitor sits between one or more OSes and HW

Learning Outcomes. Extended OS. Observations Operating systems provide well defined interfaces. Virtual Machines. Interface Levels

The only open-source type-1 hypervisor

Virtualization Overview

COSC6376 Cloud Computing Lecture 14: CPU and I/O Virtualization

Performance Aspects of x86 Virtualization

Virtual Machines. Jinkyu Jeong Computer Systems Laboratory Sungkyunkwan University

CSCE 410/611: Virtualization!

CIS 21 Final Study Guide. Final covers ch. 1-20, except for 17. Need to know:

Virtualization. Application Application Application. MCSN - N. Tonellotto - Distributed Enabling Platforms OPERATING SYSTEM OPERATING SYSTEM

CSE 237B Fall 2009 Virtualization, Security and RTOS. Rajesh Gupta Computer Science and Engineering University of California, San Diego.

COS 318: Operating Systems

Virtualisation: The KVM Way. Amit Shah

I/O and virtualization

INNOV-4: Fun With Virtualization. Or, How I learned to love computers that don t really exist...

COS 318: Operating Systems

CSCE 410/611: Virtualization

Xen and the Art of Virtualization

Micro VMMs and Nested Virtualization

Virtualization with XEN. Trusted Computing CS599 Spring 2007 Arun Viswanathan University of Southern California

An overview of virtual machine architecture

System Virtual Machines

Virtual Machine Systems


The Slide does not contain all the information and cannot be treated as a study material for Operating System. Please refer the text book for exams.

Security Architecture

Xen and the Art of Virtualization. CSE-291 (Cloud Computing) Fall 2016

Concepts. Virtualization

Advanced Systems Security: Virtual Machine Systems

CS 550 Operating Systems Spring Introduction to Virtual Machines

W11 Hyper-V security. Jesper Krogh.

Virtualization Introduction

Virtualization. Part 1 Concepts & XEN

W4118: virtual machines

Transcription:

Virtualization Dr. Yong Guan Department of Electrical and Computer Engineering & Information Assurance Center Iowa State University

Outline for Today s Talk Introduction Virtualization Technology Applications

Readings for Today s Lecture References Online Resources VMWare, Xen, etc.

What is it? Virtualization is an abstraction layer that decouples the physical hardware from the operating system to deliver greater IT resource utilization and flexibility. www.vmware.com Virtualization is a framework or methodology of dividing the resources of a computer into multiple execution environments

The Rise and Fall of Virtual Machines -- 1970s: Looks like a good idea -- IBM VM/370 A VMM for IBM mainframes Multiplex multiple OS environments on expensive hardware Desirable when few machine around Popular idea in the 1960s and 1970s Entire conferences on virtual machines -- 1980s: Looks like a dumb idea -- Hardware got cheap but wimpy VMM neither desirable nor possible. IBM kills VM/CMS in favor of MVS Multi-user OS is better than N single-user + VMM

The Rise and Fall of Virtual Machines -- 1990s: Looks like a good idea again-- Define an abstract machine specification A Virtual Machine Typically emulate machine within an OS process Example: p-system, JAVA, Microsoft CLR Market it as better than real machines Fast development time Write once, run everywhere Type and memory safety Fewer bugs, better security, etc. Popular ideas in the 2000s Entire conferences on virtual machines

The Rise and Fall of Virtual Machines -- 2000s: still a good idea -- Squeeze in between OS and applications Done at libraries or system call interface Each application or set of apps run in a virtual machine Example: WINE Into the operating system Example: KVM, VirtualBox, User Mode Linux Between hardware and OS Example: VMware ESX Server, Xen Into hardware Example Intel VT-x Technology / AMD Pacifica

Different Types of Virtual Machines Modern computer systems are composed of various hardware and software layers APPLICATIONS API Calls USER LEVEL LIBRARIES System Calls KERNEL Instructions HARDWARE User Space Kernel Space Log Sounds Familiar?

Commonality Across Virtual Machines All benefit from the level of indirection All problems can be solved by a level of indirection Use the layer to improve the software running in the VM. Every problem in computer science can be solved by adding another level of indirection Butler Lampson

Common Virtual Machine Attributes Isolation Total data isolation between virtual machines Encapsulation Virtual machines are not tied to physical machines Checkpoint/Migration Software compatibility Runs pretty much all software Trick: Make virtual hardware match real hardware Performance Any new software layer adds overhead to system

Isolation Capability Claim: VMs should not be able to get out of the sandbox to attack other VMs or virtualization software layer. VMM controls what resources are accessible to each VM. VMs can be isolated and requests vetted. Policy-based access control. Key: Use HW protection mechanisms to isolate VMs New VMX mode Protection rings MMU protection bits

VM Isolation Capability Escape? Assurance dependent on the implementation Size/complexity of interface. Compare hardware interface vs. win32 system call Features of VMs Isolation comparable to separate physical machines Handle accidents (e.g. software bugs) Malicious attacks (e.g. hackers)

Encapsulation Capability Have ability to manipulate and control software in VM Save execution state Transfer VM over networks Affect the inputs/outputs to the software running in VM Manage VM execution on machines Provisioning, load balancing, high availability, etc. Examples: Java, VMware ESX Server Decoupling of software from hardware Virtualization layer controls mapping Treat software in VM as first class object

Software Compatibility VM will run all the software that target it Lower-level VMs have advantages here Hardware-level VMM All software (app & OS) written for hardware. Paravirtualization All applications for the ported OSes. OS-level VM All applications for that OS/hardware combination Application-level VM All applications for that OS/hardware combination Language-level VM Programs compiled to the byte code

VM Software Compatibility Key: Make virtual machine abstraction match real HW All software that runs on real HW runs in VM Example: VMware s products run DOS, Win 3.1,95,98,NT,2000,ME,XP,2003, Vista, Linux, FreeBSD, etc. Most compatible of application compatibility solutions Hardware interface: tractable complexity, slow rate of change Example: PC98, PC99,... OS API interface: intractable complexity, rapid change Example: Win32 API

VM Low Overhead/High Performance Key: Configure HW to directly run Virtual Machines Use CPU to emulate a virtual CPU Use real physical memory to emulate virtual physical memory Emulate a disk with a disk, etc. Trick from 1960s: Configure hardware to safely give it to virtual machine VMM gets control on any privileged operation Virtual machine runs within a few percent of native

Hardware Level Virtualization Virtualization is supported by the real hardware Examples Intel VT-x (Vanderpool) technology AMD Pacifica Why hardware support?

Different Types of Virtual Machines Virtualization inserts a software layer (VMM) at different points in this architecture: Hardware-level virtualization Operating system-level virtualization Type 1 VM vs. Type 2 VM Application-level virtualization High-level language virtual machines

Different Types of Virtual Machines APPLICATIONS API Calls USER LEVEL LIBRARIES System Calls KERNEL User Space Kernel Space HARDWARE Instructions

Intel VT-X Overview Enhances the performance of VMs through hardware support Main Feature The inclusion of the new VMX mode of operation VMX root operation Fully privileged, intended for VM monitor New instructions VMX instructions VMX non-root operation Not fully privileged, intended for guest software Reduces Guest SW privilege w/o relying on rings

VT-x Operations VMX Non-root Operation VM 1 Ring 3 Ring 0 VM 2 Ring 3 Ring 0 Processes... VM n Ring 3 Ring 0 VM Exit VMCS 1 PCB VMCS 2 VMCS n IA-32 VMX Root Ring 3 Operation VMLAUNCH VMRESUME Ring 0 VMXON OS VMM

Virtual Machine Control Structure (VMCS) Control Structures in Memory Only one VMCS active per virtual processor at any given time Maintenance of state information Major source of overhead in a software-based solution Hardware implementation takes over the tasks of loading and unloading the state from their physical locations.

Operating System Level Virtualization Virtualization is emulated at the operating system layer Two possible positions Type 1 VM Native VM Between hardware and OS Type 2 VM Hosted VM Between OS and application programs

Operating System Level Virtualization Guest OS 1 Guest OS 2 Guest OS 1 Guest OS 2 Virtual Machine Monitor (VMM) Virtual Machine Monitor (VMM) Hardware Host OS Hardware Type 1 VMM VMware ESX Server, Xen Type 2 VMM VMware Workstation, VMware GSX Server, Virtual PC User Mode Linux

VMware ESX Server Multiplex hardware resources efficiently among virtual machines Runs unmodified binaries w/ performance isolation Manage system hardware directly Provides complete control over resource management Guest OS Scheduler CPU Guest OS Memory Mgmt Memory VMM Guest OS SCSI Driver disk Guest OS Ethernet Driver nic nicnic Console OS Binary Translation

VMware Binary Translation Inspects each instruction before it is executed Replaces dangerous instructions with calls to emulation code Stores sequences of translated instructions in a translation cache Fast, but slower than direct execution Return to VM Direct Exec. OK? Direct Execution Binary Translation CPU State Emulated Privileged Instruction

Xen Overview Multiplex physical resources at the granularity of an entire OS. Runs unmodified binaries w/ performance isolation. 100 hosted OS instances But: GuestOS has to be modified! Para-Virtualization

Xen Paravirtualization Arch xen/x86 like x86, but replace privileged instructions with Xen hypercalls Avoids binary rewriting and fault trapping For Linux 2.6, only arch-dep files modified Modify OS to understand virtualised env. Wall-clock time vs. virtual processor time Xen provides both types of alarm timer Expose real resource availability Enables OS to optimise behaviour

User Mode Linux Overview Provides a selfcontained environment Identical as hosting Linux kernel Processes have no access to host resources that were not explicitly provided p t r a c e VM User Process 1 VM User Process 2 Virtual Machine Guest OS Kernel/UML Host OS Kernel System Call Interception

VMware Workstation Overview Hosted VM architecture VMApp: User-level application on host OS VMDriver: Device driver inside host OS Facilitates the transfer of control between the two worlds VMM: Privileged virtual machine monitor Guest OS Applications Guest Operating System Host OS Apps Host OS VMApp VMDriver Virtual Machine VMM NIC Disks PC Hardware Memory CPU Binary Translation

Virtualizing a Network Interface VMApp Physical Ethernet Virtual Network Hub Virtual Bridge NIC Driver Physical NIC Host OS VMDriver PC Hardware Guest OS NIC Driver VMM

VMware Workstation Screenshot CprE 450-550

Application Level Virtualization Technologies API interception through DLL injection and API hooking Partial/complete implementation of APIs Emulate low level kernel implementations in user-space Useful when the host OS does not provide required support (e.g. Win32 threads vs. pthreads) Mandatory drivers Examples WINE: Win32 API implementation on Unix POSIX, OS/2 subsystems on Windows Supports Unix and OS/2 like API LxRun: Linux API implementation on SCO UnixWare, Solaris

Wine Architecture Closely follows NT Implements all the core DLLs (ntdll, user32, kernel32) Wine server provides the NT backbone Message passing Synchronization Object handles Native DLL support for noncore libraries Hardware access through Unix device drivers API Interception

Language Level Virtualization The virtualization layer sits as an application program on top of the operating system Can run any programs written for that virtual machine abstraction regardless of the operating system hosting that virtual machine Java Byte Code JVM Applications OS Real Machine Interpreted Execution

Questions? Thanks and See you next time

Applications Isolation Sandboxing Debugging/Testing Security Experiments (e.g., honeypots) Encapsulation Manageability Migration/Mobility Virtual Appliance Partition Server/Application Consolidation

Examplar Application: VM-based IDS Problem Area: Intrusion Detection Systems (IDS). Trade-offs Host-based IDS (HIDS): + Good visibility to catch intruder. - Weak isolation from intruder disabling/masking IDS. Network-based IDS (NIDS): + Good isolation from attack from intruder. Weak visibility can allow intruder to slip by unnoticed. Would like visibility of HIDS with isolation of NIDS. Idea: Do it in the virtual machine monitor.

VM-based IDS Strong isolation VMM isolate software in VM from VMM Compromised OS in VM can t disable IDS in VMM Introspection Peer inside at software running in VM VMM can see Physical memory, registers, I/O device state, etc. Signature scan of memory Look through physical memory for patterns or signs of break-in Interposition Modify VM abstraction to enhance security Memory Access Enforcer Interpose on page protection NIC Access Enforcer Interpose on virtual network device

VM-based Introspection Policy modules application guest OS application State Control IDS engine Intrusions detected VMM host OS hardware

Questions? Thanks and See you next time

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback