Analysis of Virtual Computer Systems: Performance and Security

ANALYSIS OF VIRTUAL COMPUTER SYSTEMS: PERFORMANCE AND SECURITY

Nidhi Aggarwal
B.S., California State University, Fresno, 2006

PROJECT
Submitted in partial satisfaction of the requirements for the degree of MASTER OF SCIENCE in COMPUTER ENGINEERING at CALIFORNIA STATE UNIVERSITY, SACRAMENTO
FALL 2008

A Project by Nidhi Aggarwal

Approved by:
Dr. Behnam Arad, Committee Chair
Dr. William Mitchell, Second Reader

Student: Nidhi Aggarwal
I certify that this student has met the requirements for format contained in the University format manual, and that this project is suitable for shelving in the Library and credit is to be awarded for the Project.
Dr. Suresh Vadhva, Graduate Coordinator
Department of Computer Engineering

Abstract of ANALYSIS OF VIRTUAL COMPUTER SYSTEMS: PERFORMANCE AND SECURITY by Nidhi Aggarwal

Virtualizing physical resources of a computer system can improve resource sharing and utilization. Virtualization is the pooling and abstraction of resources in a way that masks the physical nature and boundaries of the resources from the users. The goal of this project was to analyze primarily the performance aspects of virtualization and understand security implications. This project report presents an overview of virtualization and discusses the key technologies behind it. The report then analyzes the key features of the Intel® Virtualization Technology and AMD® SVM Technology for hardware virtualization, outlining the new instructions and hardware extensions introduced.

A detailed performance analysis of various virtual environments and technologies is presented. Initially, a comparison between physical and virtual environments is made at the architectural level by analyzing the perl, anagram and gcc benchmarks using the Simics execution environment. Then, the report presents the performance data for another benchmark (SPEC2006) for three different Virtual Machine Monitors (VMMs) and provides a detailed performance analysis of the VMMs. A detailed analysis of Xen is included based on the profiling done using Xenoprof to highlight the causes behind the performance bottlenecks. Finally, security aspects of virtualization are discussed and analyzed.

Dr. Behnam Arad, Committee Chair

ACKNOWLEDGMENTS

I want to acknowledge Dr. Behnam Arad and Dr. William Mitchell for their guidance and co-operation throughout the Project.

TABLE OF CONTENTS

ACKNOWLEDGEMENT
GLOSSARY & KEY WORDS

Chapter
1 VIRTUALIZATION AND VIRTUAL MACHINES OVERVIEW
  1.1 INTRODUCTION
  1.2 VIRTUAL MACHINES OVERVIEW
  1.3 VMM OVERVIEW
    1.3.1 Xen
    1.3.2 Microsoft
    1.3.3 Parallels
    1.3.4 VMware
2 ARCHITECTURAL ANALYSIS OF HARDWARE VT EXTENSIONS
  2.1 INTEL VT-x
    2.1.1 Life Cycle of VMM Software
    2.1.2 VMCS overview
    2.1.3 VMX Instruction Set
  2.2 AMD-V
    2.2.1 SVM Hardware Overview
    2.2.2 New Instructions
    2.2.3 Intercept operation
    2.2.4 IOIO Intercepts
    2.2.5 TLB Control
    2.2.6 New Processor Model: Paged Real Mode
    2.2.7 Event Injection
    2.2.8 SMM Support (System Management Mode)
    2.2.9 External Access Protection
    2.2.10 Nested Paging Facility
3 PERFORMANCE ANALYSIS
  3.1 VIRTUALIZATION OVERHEAD ANALYSIS EXPERIMENTAL SETUP
  3.2 BENCHMARKS
    3.2.1 SPECCPU2006
    3.2.2 Integer Benchmarks
    3.2.3 Floating Point Benchmarks
  3.3 SYSTEM CONFIGURATION
  3.4 RESULTS
  3.5 ANALYSIS
  3.6 XEN PROFILING AND PERF ANALYSIS
    3.6.2 Benchmarks Considered
    3.6.3 Experimental Results and Analysis
      3.6.3.1 OSDB Results
    3.6.4 Profiling Of Xen Environment
      3.6.4.1 Experiments & Analysis
4 SECURITY
  4.1 INTRODUCTION
  4.2 ARCHITECTURAL EXTENSIONS FOR SECURITY IN VIRTUAL MACHINES
    4.2.1 SKINIT Instruction
    4.2.2 Automatic Memory Clear
    4.2.3 Security Exception
  4.3 TEST FOR SECURITY OF VMMs
    4.3.1 Test Programs
    4.3.2 System Configuration and VMMs Used
    4.3.3 Test Results
      4.3.3.1 Crashme
      4.3.3.2 Xensploit
      4.3.3.3 Host-to-Guest shared folder
    4.3.4 Analysis of Results
5 CONCLUSION
REFERENCES

LIST OF TABLES

1. Table 1: List of Integer benchmarks in SPEC2006
2. Table 2: List of Floating Point Benchmarks in SPEC2006
3. Table 3: Statistics for Sim Profile with perl in real mode
