CS 140 - Summer 2008 - Handout #26: Virtual Machines
Review: What is an OS? What If? � Process abstraction looked just like hardware! WoW emacs gcc
OS WoW emacs gcc
hardware OS OS
hardware hardware � Software between applications and (ugly) hardware: OS/Virtual Machine Monitor – Abstracts hardware and makes portable, usable and pretty. – Makes finite into (near)infinite. – Provides protection. hardware
How is a process different from HW? One way: Complete Machine Simulation Process Hardware � Build a simulation of all the hardware. � CPU – Non-Privileged � CPU – All registers and – CPU – A loop that fetch an instruction, decode it, simulate registers and instructions. instructions. its effect on the machine, state. � Memory – Virtual memory. � Memory – Both virtual and – Memory – Physical memory is just an array, simulate the physical memory, memory MMU on all memory accesses. � Exceptions – signals, errors. management, TLB/page – I/O – Simulate I/O devices, programmed I/O, DMA, � I/O - File System, Directory, tables, etc. interrupts. Files, raw devices. � Exceptions – Trap architecture, � Problem: Too slow! interrupts, etc. – 100x slowdown makes it not too useful. � I/O – I/O devices accessed – CPU/Memory – 100x CPU/MMU simulation. using programmed I/O, DMA, – I/O Device – <2x slowdown. interrupts. � Need to emulate CPU/MMU fast enough.
Dynamic Binary Translation Making a process look like hardware - CPU � Problem: simulated CPU, MMU not fast enough � Observations: Most instructions are the same regardless – slow interpreter! of processor privilege level. � Solution: translate & execute translated code Example: inc %eax � Why not just let CPU execute the instructions directly? lea r4, REG_BASE – Safety – How we going to get it back? Or stop it from lw r2, R2_OFS(r4) stepping on us? How about CLI/HALT? lw r3, R3_OFS(r4) add r1, r2, r3 – Answer: Use protection mechanism. add r1, r2, r3 lw r4, 8(r1) jal translate_r1 � Run virtual machine directly on CPU at non-privileged lw r1, 8(r1) level. sw r1, R4_OFS(r4) – Most instructions just work. – Privileged instructions trap into monitor and run simulator � Similar to just-in-time (JIT) compilation (e.g. Java, .net) on instruction. � ~4-10x slowdown (better if we can use hardware MMU?) – Makes some assumptions about architecture. � Can we do better? CPU Trap architecture virtualization CPU Virtualization Requirements � What happens when an interrupt or trap occurs. � Need protection levels to run VMs and monitors – Like all OSes: we trap into the monitor. � All unsafe/privileged operations should trap � What if the interrupt or trap should go to the VM? – Example: disable interrupt, access I/O dev, … – Example: Page fault, illegal instruction, system call, – x86 problem: POPF (different semantics in different rings) interrupt. � Privilege level should not be visible to software � Run the simulator again. – Software in VM should be able to query and find its in a VM – X86 example: Lookup trap vector in VM’s IDT. – x86 problem: MOV ax, cs – Push cs, eip, eflags, on stack. � Trap should be transparent to software in VM – Switch to privileged mode. – Software in VM should be able to tell if instruction trapped. – x86 problem: traps can destroy machine state. � Lost art – Re-found - Intel’s VT, AMD-V
Possible solutions (w/o HW support) Virtualization Requirements - Virtualizing Memory � Modify the OS? (Xen, User-Mode Linux approach) Basic MMU functionality used by OS: – Change so it doesn’t use non-virtualizable instructions. OS manages physical memory (0…MAX_MEM). OS sets up page tables mapping VA->PA. – In fact, can just call VMM directly – possibly more efficient! CPU accesses VA to should go to PA. Paging off: PA=VA. – Not general solution – can’t run Windows. Used for every instruction fetch, load, or store. � Partial binary translation (VMware approach) Need to implement a virtual physical memory – Run user code directly. Logically need additional level of indirection – Translate kernel code, patching non-virtualizable instructions VM’s VA -> VM’s PA -> machine address » can also patch other instructions for performance! Trick: Use hardware MMU to simulate virtual MMU. – As with DBT, need to track self-modifying code. Can be folded into page tables: VA->machine » Map non-writable in MMU, trap & re-translate. address » Windows does this. Also pages share code & data. – Have interpreter for code that is rarely used » avoid translation overhead
MMU Virtualization I/O device virtualization � Trick: Monitor keeps shadow of VM’s page table � Type of communication: – Contains mapping to physical memory allocated for that – Special instruction – IN/OUT. VM. – Memory mapped I/O (PIO). – Access causes Page Fault: – Interrupts. » Lookup in VM’s page table mapping from VPN to PPN. – DMA. » Determine where PPN is in machine memory (MPN). � � Monitor can demand page the virtual machine Virtualization » Insert mapping from VPN->MPN into shadow page table. – Make IN/OUT and PIO trap into monitor. � Uses hardware for protection/isolation – Run simulation of I/O device. – Monitor never maps itself into VM’s page table � Simulation: – Monitor never maps memory allocated to other VMs in VM’s – Interrupt – Tell CPU simulator to generate interrupt. page table – DMA – Copy data to/from physical memory of virtual � AMD’s Nested Page Tables machine. Virtual Machine Monitor Old idea from the 1960s � Thin layer of software that virtualizes the hardware � IBM VM/370 – A VMM for IBM mainframes – Exports a virtual machine abstraction that looks like the – Multiplex multiple OS environments on expensive hardware. hardware. – Desirable when few machines around.
App App App App App – Also: make single-user OS “multi-user.” � Interest died out in the 1980s and 1990s. Operating Operating Operating – Hardware got cheap (with faster CPUs, huge mem/storage.) System System System Virtual – Compare Windows XP vs. N DOS machines Machine Virtual Machine Monitor (VMM) » However, Windows includes a DOS virtual environment. ;-) Monitor Hardware � Interesting again today – Different problems today – software management – VMM attributes still relevant
Virtual Machine Monitor attributes Different thinking about OSes � Software compatibility � Installing software on hardware is broken – Runs pretty much all software – Tight coupling of OS and applications to hardware creates – Trick: Make virtual hardware match real hardware. management problems. � Low overheads/High performance � Want to subdivide OS: – Near “raw” machine performance. – Hardware drivers. – Direct execution on CPU/MMU. – Hardware management. � Complete isolation – System support software. – Total data isolation between virtual machines. � Turn OSes into normal software that can be managed – Use hardware protection. � Encapsulation – Virtual machines are not tied to physical machines. – Checkpoint/Migration.
Backward compatibility with VMMs Isolation: access to classified networks � Backward compatibility is bane of new OSes. � Traditional tension: Security vs. Usability – Huge effort require to innovate but not break. – Secure systems tend not to be that usable. � Security considerations may make it impossible – Flexible systems are not that secure. – Choice: Close security hole and break apps or be insecure � Additional information assurance requirement: � Example: Not all XP applications run on Vista. – Data cannot flow between networks of different classification. – In spite of a huge effort to make Vista compatible. – Given the number of applications that run on XP, practically � Solution: Run two VMs: any change will break something. – Classified VM If (OS == XP)…. – Internet VM � Solution: Use a VMM to run both XP and Vista � Use isolation property to isolate two VMs – Obvious for OS migration as well: Windows -> Linux – VMM has control of the information flow between machines – keep running legacy apps, OS until you can replace them » Declassifier mechanism on new OS Logical partitioning of server machines Example: Using VMM to enhance security � Run multiple servers on same box � Problem Area: Intrusion Detection Systems (IDS). –Ability to give away less than one machine. � Trade-offs »Modern CPUs more power than most services need. –0.10U rack space machine - Better power, cooling, floor – Host-based IDS (HIDS): space,etc. » + Good visibility to catch intruder. –Server consolidation trend: N machine -> 1 real » - Weak isolation from intruder disabling/masking IDS. machine. – Network-based IDS (NIDS): � Isolation of environments » + Good isolation from attack from intruder. –Printer server doesn’t take down Exchange server. » - Weak visibility can allow intruder to slip by unnoticed. –Compromise of one VM can’t get at data of others. � Would like visibility of HIDS with isolation of NIDS. � Resource management – Idea: Do it in the virtual machine monitor. –Provide service-level agreements. � Heterogeneous environments –Linux, FreeBSD, Windows, etc.
VMM-based Intrusion Detection System Virtual Appliances � Strong isolation � Virtualization decouples software from hardware – VMM isolate software in VM from VMM. – OS no longer an extension of hardware – Comprise OS in VM can’t disable IDS in VMM. � OS is bundled with application � Introspection – Peer inside at software running in VM – Choose OS based on the needs of the application – VMM can see: Physical memory, registers, I/O device state, etc. – only include what you need – Signature scan of memory � No additional installation required » Look through physical memory for patterns or signs of break-in – VM includes OS, libraries, application, support software � Interposition – Modify VM abstraction to enhance security – No hardware incompatibilities (runs on virtual hardware) – Memory Access Enforcer – No software incompatibilities (includes entire environment) » Interpose on page protection. � “Virtual Appliance” – NIC Access Enforcer – web server, mail server, standard desktop, test environment... » Interpose on virtual network device. – tons of them available on internet
Mobility Live upgrades � Virtual machines allow you to push nodes around on your � Can upgrade hardware, VMM while OS and applications network continue to run – as long as network can route/switch seamlesly – move VMs off machine you’re upgrading � Move servers around to optimize for – upgrade/replace hardware and/or VMM – performance (few VMs per machine) – reboot and restart VMM – power, hardware resources (many VMs per machine) – move VMs back – network latency (put VMs close to clients) � Keep your work on a VM, and take it with you! � Virtual machines make the OS much more flexible and – beyond afs home directory – get your whole machine useful, provide improved compatibility and isolation, and – log into a machine – loads your VM allow you to fix problems and limitations of a legacy OS! – put it on a flash drive, send it over the network... Question: Has OS design failed? Has OS design failed? � Microkernels � OS libraries and software environments – “A virtual machine monitor is a µkernel with a lousy API.” – Poor support for multiple (e.g. legacy) environments. – Microkernels at same layer as VMM. – Destructive software installation. Poor compatibility. – Never caught on – why? Performance, compatibility. � Security: OS design (and implementation) has failed! � Distributed (Operating) Systems – Buy new laptop + connect to internet => pwned. – Merge systems over network into coherent whole. – Viruses, worms, spyware, rootkits, spam, phishing, botnets, – Provide process migration, unified file system, etc. remote exploits, local privilege escalation, buffer overflows, TOCTTOU bugs, bad permissions, excessive privileges... – Problems: performance, reliability, compatibility. – Result: poor isolation means people are (rightly) afraid to run e- – Future: IFC, network security, Web/Cloud/Grid computing? mail and web server in same OS. – � VMMs offer a general workaround to OS deficiencies, by implementing an ugly (hardware) interface which OSes were supposed to make pretty and useful!
The Operating System Traditional View Modern OS Evolution
Operating System Goal – Support as many APP APP APP APP APP APP OS jobs: APP APP APP APP APP applications as possible APP APP APP APP APP APP APP 1.�Drive and manage hardware APP APP APP Problems – Too Operating System 2.�Export better abstraction Application Support complex
Hardware Mgmt. Security OS is viewed as an Reliability Operating System extension of hardware Manageability Privileged position – Only one OS Performance Innovation
Virtual Appliance Operating System as evolution beyond traditional OS model Living in a Virtual World Don’t need complex � Virtualization makes OS flexible, portable, controllable hardware�management Application and (potentially) fixable without internal changes � Black boxes now manipulable objects Application Don’t need broad – OS, binary software, file systems, networks... Operating System application�support Application Support – Crack open, modify, ship around, monitor, etc.
VHarirtualizadwartione Mg Lamyert. Application-specific � More opportunities for OS developers! operating�system – Someone can run your custom OS (and keep Windows too) – Application-specific OSes Smaller, easier to get right! � ... with less importance per opportunity Look at hardware appliance – OS doesn’t matter as much operating systems for – But now you know enough to hack VMMs as well as OSes! examples