CS 140 - Summer 2008 - Handout #26: Virtual Machines Review: What is an OS? What If? ! Process abstraction looked just like hardware! WoW emacs gcc OS WoW emacs gcc hardware OS OS hardware hardware ! Software between applications and (ugly) hardware: OS/Virtual Machine Monitor – Abstracts hardware and makes portable, usable and pretty. – Makes finite into (near)infinite. – Provides protection. hardware How is a process different from HW? One way: Complete Machine Simulation Process Hardware ! Build a simulation of all the hardware. ! CPU – Non-Privileged ! CPU – All registers and – CPU – A loop that fetch an instruction, decode it, simulate registers and instructions. instructions. its effect on the machine, state. ! Memory – Virtual memory. ! Memory – Both virtual and – Memory – Physical memory is just an array, simulate the physical memory, memory MMU on all memory accesses. ! Exceptions – signals, errors. management, TLB/page – I/O – Simulate I/O devices, programmed I/O, DMA, ! I/O - File System, Directory, tables, etc. interrupts. Files, raw devices. ! Exceptions – Trap architecture, ! Problem: Too slow! interrupts, etc. – 100x slowdown makes it not too useful. ! I/O – I/O devices accessed – CPU/Memory – 100x CPU/MMU simulation. using programmed I/O, DMA, – I/O Device – <2x slowdown. interrupts. ! Need to emulate CPU/MMU fast enough. Dynamic Binary Translation Making a process look like hardware - CPU ! Problem: simulated CPU, MMU not fast enough ! Observations: Most instructions are the same regardless – slow interpreter! of processor privilege level. ! Solution: translate & execute translated code Example: inc %eax ! Why not just let CPU execute the instructions directly? lea r4, REG_BASE – Safety – How we going to get it back? Or stop it from lw r2, R2_OFS(r4) stepping on us? How about CLI/HALT? lw r3, R3_OFS(r4) add r1, r2, r3 – Answer: Use protection mechanism. add r1, r2, r3 lw r4, 8(r1) jal translate_r1 ! Run virtual machine directly on CPU at non-privileged lw r1, 8(r1) level. sw r1, R4_OFS(r4) – Most instructions just work. – Privileged instructions trap into monitor and run simulator ! Similar to just-in-time (JIT) compilation (e.g. Java, .net) on instruction. ! ~4-10x slowdown (better if we can use hardware MMU?) – Makes some assumptions about architecture. ! Can we do better? CPU Trap architecture virtualization CPU Virtualization Requirements ! What happens when an interrupt or trap occurs. ! Need protection levels to run VMs and monitors – Like all OSes: we trap into the monitor. ! All unsafe/privileged operations should trap ! What if the interrupt or trap should go to the VM? – Example: disable interrupt, access I/O dev, … – Example: Page fault, illegal instruction, system call, – x86 problem: POPF (different semantics in different rings) interrupt. ! Privilege level should not be visible to software ! Run the simulator again. – Software in VM should be able to query and find its in a VM – X86 example: Lookup trap vector in VM’s IDT. – x86 problem: MOV ax, cs – Push cs, eip, eflags, on stack. ! Trap should be transparent to software in VM – Switch to privileged mode. – Software in VM should be able to tell if instruction trapped. – x86 problem: traps can destroy machine state. ! Lost art – Re-found - Intel’s VT, AMD-V Possible solutions (w/o HW support) Virtualization Requirements - Virtualizing Memory ! Modify the OS? (Xen, User-Mode Linux approach) Basic MMU functionality used by OS: – Change so it doesn’t use non-virtualizable instructions. OS manages physical memory (0…MAX_MEM). OS sets up page tables mapping VA->PA. – In fact, can just call VMM directly – possibly more efficient! CPU accesses VA to should go to PA. Paging off: PA=VA. – Not general solution – can’t run Windows. Used for every instruction fetch, load, or store. ! Partial binary translation (VMware approach) Need to implement a virtual physical memory – Run user code directly. Logically need additional level of indirection – Translate kernel code, patching non-virtualizable instructions VM’s VA -> VM’s PA -> machine address » can also patch other instructions for performance! Trick: Use hardware MMU to simulate virtual MMU. – As with DBT, need to track self-modifying code. Can be folded into page tables: VA->machine » Map non-writable in MMU, trap & re-translate. address » Windows does this. Also pages share code & data. – Have interpreter for code that is rarely used » avoid translation overhead MMU Virtualization I/O device virtualization ! Trick: Monitor keeps shadow of VM’s page table ! Type of communication: – Contains mapping to physical memory allocated for that – Special instruction – IN/OUT. VM. – Memory mapped I/O (PIO). – Access causes Page Fault: – Interrupts. » Lookup in VM’s page table mapping from VPN to PPN. – DMA. » Determine where PPN is in machine memory (MPN). ! ! Monitor can demand page the virtual machine Virtualization » Insert mapping from VPN->MPN into shadow page table. – Make IN/OUT and PIO trap into monitor. ! Uses hardware for protection/isolation – Run simulation of I/O device. – Monitor never maps itself into VM’s page table ! Simulation: – Monitor never maps memory allocated to other VMs in VM’s – Interrupt – Tell CPU simulator to generate interrupt. page table – DMA – Copy data to/from physical memory of virtual ! AMD’s Nested Page Tables machine. Virtual Machine Monitor Old idea from the 1960s ! Thin layer of software that virtualizes the hardware ! IBM VM/370 – A VMM for IBM mainframes – Exports a virtual machine abstraction that looks like the – Multiplex multiple OS environments on expensive hardware. hardware. – Desirable when few machines around. App App App App App – Also: make single-user OS “multi-user.” ! Interest died out in the 1980s and 1990s. Operating Operating Operating – Hardware got cheap (with faster CPUs, huge mem/storage.) System System System Virtual – Compare Windows XP vs. N DOS machines Machine Virtual Machine Monitor (VMM) » However, Windows includes a DOS virtual environment. ;-) Monitor Hardware ! Interesting again today – Different problems today – software management – VMM attributes still relevant Virtual Machine Monitor attributes Different thinking about OSes ! Software compatibility ! Installing software on hardware is broken – Runs pretty much all software – Tight coupling of OS and applications to hardware creates – Trick: Make virtual hardware match real hardware. management problems. ! Low overheads/High performance ! Want to subdivide OS: – Near “raw” machine performance. – Hardware drivers. – Direct execution on CPU/MMU. – Hardware management. ! Complete isolation – System support software. – Total data isolation between virtual machines. ! Turn OSes into normal software that can be managed – Use hardware protection. ! Encapsulation – Virtual machines are not tied to physical machines. – Checkpoint/Migration. Backward compatibility with VMMs Isolation: access to classified networks ! Backward compatibility is bane of new OSes. ! Traditional tension: Security vs. Usability – Huge effort require to innovate but not break. – Secure systems tend not to be that usable. ! Security considerations may make it impossible – Flexible systems are not that secure. – Choice: Close security hole and break apps or be insecure ! Additional information assurance requirement: ! Example: Not all XP applications run on Vista. – Data cannot flow between networks of different classification. – In spite of a huge effort to make Vista compatible. – Given the number of applications that run on XP, practically ! Solution: Run two VMs: any change will break something. – Classified VM If (OS == XP)…. – Internet VM ! Solution: Use a VMM to run both XP and Vista ! Use isolation property to isolate two VMs – Obvious for OS migration as well: Windows -> Linux – VMM has control of the information flow between machines – keep running legacy apps, OS until you can replace them » Declassifier mechanism on new OS Logical partitioning of server machines Example: Using VMM to enhance security ! Run multiple servers on same box ! Problem Area: Intrusion Detection Systems (IDS). –Ability to give away less than one machine. ! Trade-offs »Modern CPUs more power than most services need. –0.10U rack space machine - Better power, cooling, floor – Host-based IDS (HIDS): space,etc. » + Good visibility to catch intruder. –Server consolidation trend: N machine -> 1 real » - Weak isolation from intruder disabling/masking IDS. machine. – Network-based IDS (NIDS): ! Isolation of environments » + Good isolation from attack from intruder. –Printer server doesn’t take down Exchange server. » - Weak visibility can allow intruder to slip by unnoticed. –Compromise of one VM can’t get at data of others. ! Would like visibility of HIDS with isolation of NIDS. ! Resource management – Idea: Do it in the virtual machine monitor. –Provide service-level agreements. ! Heterogeneous environments –Linux, FreeBSD, Windows, etc. VMM-based Intrusion Detection System Virtual Appliances ! Strong isolation ! Virtualization decouples software from hardware – VMM isolate software in VM from VMM. – OS no longer an extension of hardware – Comprise OS in VM can’t disable IDS in VMM. ! OS is bundled with application ! Introspection – Peer inside at software running in VM – Choose OS based on the needs of the application – VMM can see: Physical memory, registers, I/O device state, etc. – only include what you need – Signature scan of memory ! No additional installation required » Look through physical memory for patterns or signs of break-in