Formal Requirements for Virtualizable Third Generation Architectures
description
Transcript of Formal Requirements for Virtualizable Third Generation Architectures
![Page 1: Formal Requirements for Virtualizable Third Generation Architectures](https://reader037.fdocuments.us/reader037/viewer/2022103007/56815fb8550346895dceb3b0/html5/thumbnails/1.jpg)
Formal Requirements for Virtualizable Third Generation Architectures
Grad Operating System Mini-ProjectAuthors: Gerald J. Popek, and Robert P. Goldberg
Presented by: Yiji Zhang
![Page 2: Formal Requirements for Virtualizable Third Generation Architectures](https://reader037.fdocuments.us/reader037/viewer/2022103007/56815fb8550346895dceb3b0/html5/thumbnails/2.jpg)
2
Outline• Basic VM Concepts• Formal Definitions• Virtualization Theorems• Contribution
![Page 3: Formal Requirements for Virtualizable Third Generation Architectures](https://reader037.fdocuments.us/reader037/viewer/2022103007/56815fb8550346895dceb3b0/html5/thumbnails/3.jpg)
3
Outline• Basic VM Concepts• Formal Definitions• Virtualization Theorems• Contribution
![Page 4: Formal Requirements for Virtualizable Third Generation Architectures](https://reader037.fdocuments.us/reader037/viewer/2022103007/56815fb8550346895dceb3b0/html5/thumbnails/4.jpg)
4
Basic VM Concepts• Virtual Machine (VM)– efficient, isolated duplicate of the real machine– the environment created by the virtual machine monitor
VMM
VM
Hardware
The virtual machine monitor
![Page 5: Formal Requirements for Virtualizable Third Generation Architectures](https://reader037.fdocuments.us/reader037/viewer/2022103007/56815fb8550346895dceb3b0/html5/thumbnails/5.jpg)
5
Basic VM Concepts• Virtual machine monitor (VMM)– a piece of software– three properties: 1) Equivalence: program run under the VMM = run on the original machine directly 2) Efficiency: statistically dominant subset of virtual processor's instructions be executed by real processor 3) Resource control: has complete control of resources
![Page 6: Formal Requirements for Virtualizable Third Generation Architectures](https://reader037.fdocuments.us/reader037/viewer/2022103007/56815fb8550346895dceb3b0/html5/thumbnails/6.jpg)
6
Outline• Basic VM Concepts• Formal Definitions• Virtualization Theorems• Contribution
![Page 7: Formal Requirements for Virtualizable Third Generation Architectures](https://reader037.fdocuments.us/reader037/viewer/2022103007/56815fb8550346895dceb3b0/html5/thumbnails/7.jpg)
7
Formal Definitions• Three formal definitions– Model of 3rd generation machine– Instruction behavior– Virtual machine monitor
![Page 8: Formal Requirements for Virtualizable Third Generation Architectures](https://reader037.fdocuments.us/reader037/viewer/2022103007/56815fb8550346895dceb3b0/html5/thumbnails/8.jpg)
8
Model of 3rd Generation Machine• Overview simplified conventional 3rd generation machine– with a processor– with linear, uniformly addressable memory– without I/O instructions– without interrupts
• Machine behaviorThe machine can exist in any one of a finite
number of states S, where S = <E, M, P, R>.
![Page 9: Formal Requirements for Virtualizable Third Generation Architectures](https://reader037.fdocuments.us/reader037/viewer/2022103007/56815fb8550346895dceb3b0/html5/thumbnails/9.jpg)
9
Model of 3rd Generation Machine• Behavior of the computer: state (S)
S=<E, M, P, R>
E: executable storage
M: processor mode P: program count
R: relocation-bounds register
![Page 10: Formal Requirements for Virtualizable Third Generation Architectures](https://reader037.fdocuments.us/reader037/viewer/2022103007/56815fb8550346895dceb3b0/html5/thumbnails/10.jpg)
10
Model of 3rd Generation Machine• Behavior of the computer: state-space (S)
S=<E, M, P, R>
M: processor mode P: program count
R: relocation-bounds register
E: executable storage• word or byte addressed memory;• E[i]: contents of the ith unit of
storage in E
![Page 11: Formal Requirements for Virtualizable Third Generation Architectures](https://reader037.fdocuments.us/reader037/viewer/2022103007/56815fb8550346895dceb3b0/html5/thumbnails/11.jpg)
11
Model of 3rd Generation Machine• Behavior of the computer: state-space (S)
S=<E, M, P, R>
E: executable storage
M: processor mode2 types• supervisor (s)• user (u)
P: program count
R: relocation-bounds register
![Page 12: Formal Requirements for Virtualizable Third Generation Architectures](https://reader037.fdocuments.us/reader037/viewer/2022103007/56815fb8550346895dceb3b0/html5/thumbnails/12.jpg)
12
Model of 3rd Generation Machine• Behavior of the computer: state-space (S)
S=<E, M, P, R>
E: executable storage
M: processor modeP: program count• address relative to register;• index
R: relocation-bounds register
![Page 13: Formal Requirements for Virtualizable Third Generation Architectures](https://reader037.fdocuments.us/reader037/viewer/2022103007/56815fb8550346895dceb3b0/html5/thumbnails/13.jpg)
13
Model of 3rd Generation Machine• Behavior of the computer: state-space (S)
S=<E, M, P, R>
E: executable storage
M: processor mode P: program count
R: relocation-bounds register R = (l, b)• relocation part l: absolute address• bound part b: absolute size of virtual
memory
![Page 14: Formal Requirements for Virtualizable Third Generation Architectures](https://reader037.fdocuments.us/reader037/viewer/2022103007/56815fb8550346895dceb3b0/html5/thumbnails/14.jpg)
14
Model of 3rd Generation Machine• Program status word (PSW)
the contents of the triple <M, P, R>– used for other definitions and proof later
• Instruction (i)a function from one set of states (C) to
another. i: C Ce.g. i(S1) = S2
i(E1, M1, P1, R1) = (E2, M2, P2, R2)
![Page 15: Formal Requirements for Virtualizable Third Generation Architectures](https://reader037.fdocuments.us/reader037/viewer/2022103007/56815fb8550346895dceb3b0/html5/thumbnails/15.jpg)
15
Model of 3rd Generation Machine• Trap 1. Definition 2. Particular kind of trap
![Page 16: Formal Requirements for Virtualizable Third Generation Architectures](https://reader037.fdocuments.us/reader037/viewer/2022103007/56815fb8550346895dceb3b0/html5/thumbnails/16.jpg)
16
• Trap 1. Definition
Model of 3rd Generation Machine
An instruction is said to trap if i(E1, M1, P1, R1) = (E2, M2, P2, R2) where E2[i] = E1[j], for 0<j<q E2[0] = (M1, P1, R1) (M2, P2, R2) = E1[1]
![Page 17: Formal Requirements for Virtualizable Third Generation Architectures](https://reader037.fdocuments.us/reader037/viewer/2022103007/56815fb8550346895dceb3b0/html5/thumbnails/17.jpg)
17
• Trap 1. Definition
Model of 3rd Generation Machine
An instruction is said to trap if i(E1, M1, P1, R1) = (E2, M2, P2, R2) where E2[i] = E1[j], for 0<j<q E2[0] = (M1, P1, R1) (M2, P2, R2) = E1[1]1. Save the
current state
2. Pass control of a pre-specified routine by changing PSW
![Page 18: Formal Requirements for Virtualizable Third Generation Architectures](https://reader037.fdocuments.us/reader037/viewer/2022103007/56815fb8550346895dceb3b0/html5/thumbnails/18.jpg)
18
Model of 3rd Generation Machine• Trap 2. Particular kind of trap: memory trap– caused by accessing an address which is over the
bounds in relocation-bounds register R(l, b) or physical memory
– micro-sequence:
where a is the address to be accessed, l is relocation, q is the total size of memory, and b is the bound
if a + l ≥ q then trap;if a ≥ b then trap
![Page 19: Formal Requirements for Virtualizable Third Generation Architectures](https://reader037.fdocuments.us/reader037/viewer/2022103007/56815fb8550346895dceb3b0/html5/thumbnails/19.jpg)
19
Formal Definitions• Three formal definitions– Model of 3rd generation machine– Instruction behavior– Virtual machine monitor
![Page 20: Formal Requirements for Virtualizable Third Generation Architectures](https://reader037.fdocuments.us/reader037/viewer/2022103007/56815fb8550346895dceb3b0/html5/thumbnails/20.jpg)
20
Instruction Behavior• privileged instruction• sensitive instruction– control sensitive instruction– behavior sensitive instruction
• innocuous instructions
![Page 21: Formal Requirements for Virtualizable Third Generation Architectures](https://reader037.fdocuments.us/reader037/viewer/2022103007/56815fb8550346895dceb3b0/html5/thumbnails/21.jpg)
21
Instruction Behavior• privileged instruction• sensitive instruction– control sensitive instruction– behavior sensitive instruction
• innocuous instructions
![Page 22: Formal Requirements for Virtualizable Third Generation Architectures](https://reader037.fdocuments.us/reader037/viewer/2022103007/56815fb8550346895dceb3b0/html5/thumbnails/22.jpg)
22
Privileged Instruction• Definition
Instruction i is privileged iff for any pair of states S1 = <e, s, p ,r> and S2 = <e, u, p ,r> in which i(S1) and i(S2) do not memory trap: i(S2) traps and i(S1) does not.
![Page 23: Formal Requirements for Virtualizable Third Generation Architectures](https://reader037.fdocuments.us/reader037/viewer/2022103007/56815fb8550346895dceb3b0/html5/thumbnails/23.jpg)
23
• Definition
• independent of the virtualization process
Instruction i is privileged iff for any pair of states S1 = <e, s, p ,r> and S2 = <e, u, p ,r> in which i(S1) and i(S2) do not memory trap: i(S2) traps and i(S1) does not.
Privileged Instruction
privileged instruction trap
the only difference
![Page 24: Formal Requirements for Virtualizable Third Generation Architectures](https://reader037.fdocuments.us/reader037/viewer/2022103007/56815fb8550346895dceb3b0/html5/thumbnails/24.jpg)
24
Instruction Behavior• privileged instruction• sensitive instruction– control sensitive instruction– behavior sensitive instruction
• innocuous instructions
![Page 25: Formal Requirements for Virtualizable Third Generation Architectures](https://reader037.fdocuments.us/reader037/viewer/2022103007/56815fb8550346895dceb3b0/html5/thumbnails/25.jpg)
25
Sensitive Instruction• Control sensitive
– control sensitive instructions: affect or potentially affect the control of VMM over recourses
– no isolated condition codes or other complications by which instructions can interact
An instruction i is control sensitive if there exists a state S1 = <e1, m1, p1, r1>, and i(S1) = S2 = <e2, m2, p2, r2> such that i(S1) does not memory trap, and either: (a) r1≠r2, or (b) m1 ≠ m2, or both.
![Page 26: Formal Requirements for Virtualizable Third Generation Architectures](https://reader037.fdocuments.us/reader037/viewer/2022103007/56815fb8550346895dceb3b0/html5/thumbnails/26.jpg)
26
Sensitive Instruction• Behavior sensitive…
![Page 27: Formal Requirements for Virtualizable Third Generation Architectures](https://reader037.fdocuments.us/reader037/viewer/2022103007/56815fb8550346895dceb3b0/html5/thumbnails/27.jpg)
27
Sensitive Instruction• Behavior sensitive… • First introduce new notations…– operator :⊕ r’ = r x = (l+x, b), which means the ⊕ relocation register has had its base value shifted by the value of x– E | R: which means the contents of the part of the memory which can be effected by the instruction– E | r = E’ | r x: for 0≤i≤b, E[l + i] = E’[l + x + i]⊕
![Page 28: Formal Requirements for Virtualizable Third Generation Architectures](https://reader037.fdocuments.us/reader037/viewer/2022103007/56815fb8550346895dceb3b0/html5/thumbnails/28.jpg)
28
Sensitive Instruction• Behavior sensitive (finally!)
– the effect of the executions depends on the value of the relocation-bounds register.
An instruction i is behavior sensitive if there exists an integer x and states:(a) S1 = <e | r, m1, p, r>, and (b) S2 = <e | r ⊕ x, m2, p, r ⊕ x >,where(c) i(S1) = <e1 | r, m1, p1, r>,(d) i(S2) = <e2 | r ⊕ x, m2, p2, r ⊕ x >, and (e) neither i(S1) or i(S2) memory trap,such that either(a) e1 | r ≠ e2 | r x⊕ , or(b) p1≠ p2, or both.
![Page 29: Formal Requirements for Virtualizable Third Generation Architectures](https://reader037.fdocuments.us/reader037/viewer/2022103007/56815fb8550346895dceb3b0/html5/thumbnails/29.jpg)
29
Instruction Behavior• privileged instruction• sensitive instruction– control sensitive instruction– behavior sensitive instruction
• innocuous instructions
![Page 30: Formal Requirements for Virtualizable Third Generation Architectures](https://reader037.fdocuments.us/reader037/viewer/2022103007/56815fb8550346895dceb3b0/html5/thumbnails/30.jpg)
30
Innocuous Instructions• The instructions which are neither privileged
instruction nor sensitive instructions.
![Page 31: Formal Requirements for Virtualizable Third Generation Architectures](https://reader037.fdocuments.us/reader037/viewer/2022103007/56815fb8550346895dceb3b0/html5/thumbnails/31.jpg)
31
Formal Definitions• Three formal definitions– Model of 3rd generation machine– Instruction behavior– Virtual machine monitor
![Page 32: Formal Requirements for Virtualizable Third Generation Architectures](https://reader037.fdocuments.us/reader037/viewer/2022103007/56815fb8550346895dceb3b0/html5/thumbnails/32.jpg)
32
Virtual Machine Monitor• VMM
a particular piece of software, called a control program, that exhibits certain
properties
![Page 33: Formal Requirements for Virtualizable Third Generation Architectures](https://reader037.fdocuments.us/reader037/viewer/2022103007/56815fb8550346895dceb3b0/html5/thumbnails/33.jpg)
33
Virtual Machine Monitor• Control program modules CP = <D, A, {vi}>
Control Program (CP)
Dispatcher (D)
Allocator (A) Interpreters
![Page 34: Formal Requirements for Virtualizable Third Generation Architectures](https://reader037.fdocuments.us/reader037/viewer/2022103007/56815fb8550346895dceb3b0/html5/thumbnails/34.jpg)
34
Virtual Machine Monitor• Control program modules CP = <D, A, {vi}>
Control Program (CP)
Dispatcher (D)
Allocator (A) Interpreters
• top level module• decide which module
to call
![Page 35: Formal Requirements for Virtualizable Third Generation Architectures](https://reader037.fdocuments.us/reader037/viewer/2022103007/56815fb8550346895dceb3b0/html5/thumbnails/35.jpg)
35
Virtual Machine Monitor• Control program modules CP = <D, A, {vi}>
Control Program (CP)
Dispatcher (D)
Allocator (A) Interpreters
• invoked by dispatcherwhen an attempted execution is to change the resources
![Page 36: Formal Requirements for Virtualizable Third Generation Architectures](https://reader037.fdocuments.us/reader037/viewer/2022103007/56815fb8550346895dceb3b0/html5/thumbnails/36.jpg)
36
Virtual Machine Monitor• Control program modules CP = <D, A, {vi}>
Control Program (CP)
Dispatcher (D)
Allocator (A) Interpreters
• one interpreter routine per privileged instruction
• to simulate the effect of trapped instruction
![Page 37: Formal Requirements for Virtualizable Third Generation Architectures](https://reader037.fdocuments.us/reader037/viewer/2022103007/56815fb8550346895dceb3b0/html5/thumbnails/37.jpg)
37
Virtual Machine Monitor• Control program modules CP = <D, A, {vi}>
Control Program (CP)
Dispatcher (D)
Allocator (A) Interpreters
• one interpreter routine per privileged instruction
• to simulate the effect of trapped instructions
• vi: set of interpretive routines
![Page 38: Formal Requirements for Virtualizable Third Generation Architectures](https://reader037.fdocuments.us/reader037/viewer/2022103007/56815fb8550346895dceb3b0/html5/thumbnails/38.jpg)
38
Virtual Machine Monitor• VMM properties
Recall Basic VM Concept…–three properties (of VMM): 1) Equivalence: program run under the VMM = run on the original machine directly 2) Efficiency: statistically dominant subset of virtual processor's instructions be executed by real processor 3) Resource control: has complete control of resources
![Page 39: Formal Requirements for Virtualizable Third Generation Architectures](https://reader037.fdocuments.us/reader037/viewer/2022103007/56815fb8550346895dceb3b0/html5/thumbnails/39.jpg)
39
Virtual Machine Monitor• VMM properties
Recall Basic VM Concept…–three properties (of VMM): 1) Equivalence: program run under the VMM = run on the original machine directly 2) Efficiency: statistically dominant subset of virtual processor's instructions be executed by real processor 3) Resource control: has complete control of resources
Now more formally...
![Page 40: Formal Requirements for Virtualizable Third Generation Architectures](https://reader037.fdocuments.us/reader037/viewer/2022103007/56815fb8550346895dceb3b0/html5/thumbnails/40.jpg)
40
Virtual Machine Monitor• VMM properties (formally) 1) Equivalence:
Any program K executing with a control program resident, with two possible exceptions, performs in a manner indistinguishable from the case when the control program did not exist and K had whatever freedom of access to privileged instructions that the programmer had intended.
![Page 41: Formal Requirements for Virtualizable Third Generation Architectures](https://reader037.fdocuments.us/reader037/viewer/2022103007/56815fb8550346895dceb3b0/html5/thumbnails/41.jpg)
41
Virtual Machine Monitor• VMM properties (formally) 1) Equivalence (even more formally)– Two machines : S1 and S1' = f(S1)– “equivalent” iff: for any state S1, if the real
machine halts in state S2 ; then the virtual machine halts in state S2’ = f(S2)
![Page 42: Formal Requirements for Virtualizable Third Generation Architectures](https://reader037.fdocuments.us/reader037/viewer/2022103007/56815fb8550346895dceb3b0/html5/thumbnails/42.jpg)
42
Virtual Machine Monitor• VMM properties (formally) 1) Equivalence (even more formally)– Two machines : S1 and S1' = f(S1)– “equivalent” iff: for any state S1, if the real
machine halts in state S2 ; then the virtual machine halts in state S2’ = f(S2)
Virtual Machine Map (VM MAP)
![Page 43: Formal Requirements for Virtualizable Third Generation Architectures](https://reader037.fdocuments.us/reader037/viewer/2022103007/56815fb8550346895dceb3b0/html5/thumbnails/43.jpg)
43
Virtual Machine Monitor• Virtual machine Map (VM Map)
f: Cr Cv is a one-one homomorphism w.r.t all the operators ei in the instruction sequence set I.
where Cr is the set of possible states of the real machine without a VMM, and Cv is the set with VMM.
The virtual machine map
![Page 44: Formal Requirements for Virtualizable Third Generation Architectures](https://reader037.fdocuments.us/reader037/viewer/2022103007/56815fb8550346895dceb3b0/html5/thumbnails/44.jpg)
44
Virtual Machine Monitor• VMM properties (formally) 2) Efficiency:
All innocuous instructions are executed by the hardware directly, with no intervention at all on the part of the control program.
![Page 45: Formal Requirements for Virtualizable Third Generation Architectures](https://reader037.fdocuments.us/reader037/viewer/2022103007/56815fb8550346895dceb3b0/html5/thumbnails/45.jpg)
45
Virtual Machine Monitor• VMM properties (formally) 3) Resource control:
It must be impossible for that arbitrary program to affect the system resources, i.e. memory, available to it; the allocator of the control program is to be invoked upon any attempt.
![Page 46: Formal Requirements for Virtualizable Third Generation Architectures](https://reader037.fdocuments.us/reader037/viewer/2022103007/56815fb8550346895dceb3b0/html5/thumbnails/46.jpg)
46
Outline• Basic VM Concepts• Formal Definitions• Virtualization Theorems• Conclusion
![Page 47: Formal Requirements for Virtualizable Third Generation Architectures](https://reader037.fdocuments.us/reader037/viewer/2022103007/56815fb8550346895dceb3b0/html5/thumbnails/47.jpg)
47
Visualization Theorem• THEOREM 1. For any conventional third
generation computer, a virtual machine monitor may be constructed if the set of sensitive instructions for that computer is a subset of the set of privileged instructions.
![Page 48: Formal Requirements for Virtualizable Third Generation Architectures](https://reader037.fdocuments.us/reader037/viewer/2022103007/56815fb8550346895dceb3b0/html5/thumbnails/48.jpg)
48
Visualization Theorem• THEOREM 1. For any conventional third
generation computer, a virtual machine monitor may be constructed if the set of sensitive instructions for that computer is a subset of the set of privileged instructions.
which implies all assumptions for: • relocation mechanisms, supervisor/user mode, and trap
mechanisms• the instruction set is of general purpose to support
dispatcher, allocator, and table lookup procedure
![Page 49: Formal Requirements for Virtualizable Third Generation Architectures](https://reader037.fdocuments.us/reader037/viewer/2022103007/56815fb8550346895dceb3b0/html5/thumbnails/49.jpg)
49
Visualization Theorem• THEOREM 1. For any conventional third
generation computer, a virtual machine monitor may be constructed if the set of sensitive instructions for that computer is a subset of the set of privileged instructions.
which 1) means:to build a VMM it is sufficient that all instructions that could affect the correct functioning of the VMM always trap and pass control to the VMM
![Page 50: Formal Requirements for Virtualizable Third Generation Architectures](https://reader037.fdocuments.us/reader037/viewer/2022103007/56815fb8550346895dceb3b0/html5/thumbnails/50.jpg)
50
Visualization Theorem• THEOREM 1. For any conventional third
generation computer, a virtual machine monitor may be constructed if the set of sensitive instructions for that computer is a subset of the set of privileged instructions.
which 2) guarantees:the resource control property, and equivalence property
![Page 51: Formal Requirements for Virtualizable Third Generation Architectures](https://reader037.fdocuments.us/reader037/viewer/2022103007/56815fb8550346895dceb3b0/html5/thumbnails/51.jpg)
51
Visualization Theorem• THEOREM 1. For any conventional third
generation computer, a virtual machine monitor may be constructed if the set of sensitive instructions for that computer is a subset of the set of privileged instructions.
which 3) provides:a simple technique for implementing a VMM, called trap-and-emulate virtualization
![Page 52: Formal Requirements for Virtualizable Third Generation Architectures](https://reader037.fdocuments.us/reader037/viewer/2022103007/56815fb8550346895dceb3b0/html5/thumbnails/52.jpg)
52
Visualization Theorem• THEOREM 2. A conventional third generation
computer is recursively virtualizable if it is: (a) virtualizable, and (b) a VMM without any timing dependencies can be constructed for it.
![Page 53: Formal Requirements for Virtualizable Third Generation Architectures](https://reader037.fdocuments.us/reader037/viewer/2022103007/56815fb8550346895dceb3b0/html5/thumbnails/53.jpg)
53
Visualization Theorem• THEOREM 2. A conventional third generation
computer is recursively virtualizable if it is: (a) virtualizable, and (b) a VMM without any timing dependencies can be constructed for it.
• Exceptions:1) programs with resource bound
–The theorem limits the number of nested VMMs of the recursion.
2) programs that have time dependencies
![Page 54: Formal Requirements for Virtualizable Third Generation Architectures](https://reader037.fdocuments.us/reader037/viewer/2022103007/56815fb8550346895dceb3b0/html5/thumbnails/54.jpg)
54
Visualization Theorem• THEOREM 3. A hybrid virtual machine monitor
may be constructed for any conventional third generation machine in which the set of user sensitive instructions are a subset of the set of privileged instructions.
![Page 55: Formal Requirements for Virtualizable Third Generation Architectures](https://reader037.fdocuments.us/reader037/viewer/2022103007/56815fb8550346895dceb3b0/html5/thumbnails/55.jpg)
55
Visualization Theorem• THEOREM 3. A hybrid virtual machine monitor
may be constructed for any conventional third generation machine in which the set of user sensitive instructions are a subset of the set of privileged instructions.user sensitive instruction: there exists a state S = (E, u, P, R) for which instructions i is
control sensitive or behavior
sensitive.
![Page 56: Formal Requirements for Virtualizable Third Generation Architectures](https://reader037.fdocuments.us/reader037/viewer/2022103007/56815fb8550346895dceb3b0/html5/thumbnails/56.jpg)
56
Visualization Theorem• THEOREM 3. A hybrid virtual machine monitor
may be constructed for any conventional third generation machine in which the set of user sensitive instructions are a subset of the set of privileged instructions.user control sensitive: the definition given earlier for
control sensitivity holds, with ml in that definition set to user.
user behavior sensitive: the definition for locationsensitivity
holds with the mode of states S1 and S2 equal to user.
![Page 57: Formal Requirements for Virtualizable Third Generation Architectures](https://reader037.fdocuments.us/reader037/viewer/2022103007/56815fb8550346895dceb3b0/html5/thumbnails/57.jpg)
57
Outline• Basic VM Concepts• Formal Definitions• Virtualization Theorems• Contribution
![Page 58: Formal Requirements for Virtualizable Third Generation Architectures](https://reader037.fdocuments.us/reader037/viewer/2022103007/56815fb8550346895dceb3b0/html5/thumbnails/58.jpg)
58
Contribution• A formal model of a 3rd generation computer
system • Necessary and sufficient conditions to
determine whether a particular 3rd generation machine can support a VMM
![Page 59: Formal Requirements for Virtualizable Third Generation Architectures](https://reader037.fdocuments.us/reader037/viewer/2022103007/56815fb8550346895dceb3b0/html5/thumbnails/59.jpg)
59
Reference• Gerald J. Popek and Robert P. Goldberg. 1974.
Formal requirements for virtualizable third generation architectures. Commun. ACM 17, 7 (July 1974), 412-421.