Virtual Machines: Xen and Terra
Rajan Palanivel

Xen and Terra: Papers
Xen and the art of virtualization. - Univ. of Cambridge
Terra: A VM based platform for trusted computing. - Stanford Univ.

Virtual Machine and Advantages
Multiplexing the real machine into multiple "virtual" machines.
General architecture consists of a software layer (Monitor) that exposes VMs; various "guest" OSs run on these VMs.
Some advantages:
  1. Concurrent execution of different OSs on the same hardware, and hence different applications.
  2. Resource isolation.
  3. Upgrade OS software to a different version without losing the ability to run an older legacy OS and its applications.

Types of Monitor
Monitor runs at a higher privilege level than the guest OS.
Sensitive/privileged instructions. (Ex: MOV)
Classified by the amount of guest OS instructions that are executed by the monitor or by the real hardware.
CSIM (Complete Software Interpreter Machine), Hybrid VM (HVM) and VMM.
VMM: Requires that a "statistically dominant subset of the virtual processor instructions be executed on the real processor". (Type 1 and Type 2)
Xen – Type 1 VMM.

Type 1 and Type 2 VMMs
Type I VMM: runs directly on hardware; good performance.
  Stack, bottom to top: Hardware, Virtual Machine Monitor, Guest Operating System, Guest Processes.
Type II VMM: uses existing host OS abstractions to implement services; poor performance.
  Stack, bottom to top: Hardware, Host Operating System, Virtual Machine Monitor, Guest Operating System, Guest Processes.

Full Virtualization
Full virtualization: no modification required for the guest OS (VMware's ESX Server).
Drawbacks (esp. on x86):
  1. Sensitive instructions fail without traps.
  2. Need dynamic rewrite of OS kernel.
  3. Shadow system structures (performance issue to sync virtual and shadow structures).
  4. Guest OS may need both virtual and real resources. (Time: TCP timeouts and RTT; machine addresses for super pages, etc.)

Xen: Para Virtualization
Para virtualization: exposed hardware is similar but not identical to the real machine.
OS modifications required.
ABI not changed. (Guest apps run without changes.)
High performance.
Xen Hypervisor.

Xen
Xen – CPU
Xen hypervisor runs in ring 0.
Guest OS runs at a lower privilege level (ring 1).
Privileged and sensitive instructions are paravirtualized by requiring them to be validated and executed by the hypervisor.
Guest OS protects itself from its processes by running in a separate address space (and separate privilege level).
Trap/exception handlers are registered with Xen for validation. (Xen checks that the code segment of the handlers will not run in ring 0.)
Fast exception handlers for system calls.

Xen – Memory Management
Initial memory allocation:
  1. Static allocation for each domain.
  2. Dynamic expansion/contraction possible.
Virtualizing memory is complicated on x86:
  1. The x86 MMU handles TLB misses by searching through the page table in hardware. (No soft TLB support.)
  2. TLB flush on context switches. (No tagged TLB support.)

Xen – Memory Management
Virtual address translation:
Page tables: allocated and managed by guest OSs but restricted to read-only access. Updates are validated and applied by Xen (via hypercalls).
Xen associates a type and reference count with each machine page frame. (PD, PT, LDT, GDT, RW)
Xen exists in the 64 MB section at the top of every address space (TLB flush prevented when entering/leaving the Xen hypervisor).
Page fault handling (CR2 register): predetermined location.

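A toy model of the frame typing on the memory-management slides, added here as an illustration (not Xen code; the class and function names are hypothetical). It assumes, as the Xen paper states, that a frame holds one type at a time and can be retyped only at reference count zero, and it skips Xen's per-entry validation of a newly pinned page table.

```python
from dataclasses import dataclass

@dataclass
class Frame:
    owner: int        # domain that owns this machine frame
    type: str = "RW"  # one of PD, PT, LDT, GDT, RW (mutually exclusive)
    refs: int = 0     # uses of the frame under its current type

class ToyXen:
    def __init__(self, frames):
        self.frames = frames  # machine frame number -> Frame

    def _take(self, dom, mfn, want):
        """Take a typed reference; retyping is only legal at refcount 0."""
        f = self.frames[mfn]
        if f.owner != dom:
            return False
        if f.type != want:
            if f.refs:
                return False
            f.type = want
        f.refs += 1
        return True

    def pin_page_table(self, dom, mfn):
        """Guest declares one of its frames to be a page table (type PT)."""
        return self._take(dom, mfn, "PT")

    def mmu_update(self, dom, pt_mfn, target_mfn, writable):
        """Validate one page-table-entry write the guest asks Xen to apply."""
        pt = self.frames[pt_mfn]
        if pt.owner != dom or pt.type != "PT" or pt.refs == 0:
            return False                              # not this domain's pinned PT
        if writable:
            return self._take(dom, target_mfn, "RW")  # target must be typed RW
        return self.frames[target_mfn].owner == dom   # read-only map of own frame

def demo():
    # Constructed layout: domain 1 owns frames 10 and 11, domain 2 owns 20.
    xen = ToyXen({10: Frame(1), 11: Frame(1), 20: Frame(2)})
    return [
        xen.pin_page_table(1, 10),         # frame 10 becomes a page table
        xen.mmu_update(1, 10, 11, True),   # writable mapping of a data frame
        xen.mmu_update(1, 10, 10, True),   # writable mapping of its own PT
        xen.mmu_update(1, 10, 10, False),  # read-only mapping of its own PT
        xen.mmu_update(1, 10, 20, False),  # mapping another domain's frame
        xen.pin_page_table(1, 11),         # retyping a frame still mapped RW
    ]

if __name__ == "__main__":
    print(demo())
```

The two refusals in the middle are the isolation property: a guest can read its page tables but cannot obtain a writable mapping of them, and it cannot map a frame it does not own.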
Control / Data / Timers
Hypercalls: synchronous calls from a domain to the hypervisor. Domains do privileged operations via hypercalls.
Events: asynchronous notifications delivered from Xen to domains. (For delivering h/w interrupts.)
Data transfer through descriptor rings. (Producer-consumer.)
Time and timers: real, virtual and wall-clock.

Xen - Network
Xen provides a Virtual Firewall-Router (VFR).
Each domain has one or more VIFs (virtual interfaces) attached logically to the VFR.
VFR has rules of the form <pattern><action>.
Two I/O buffer descriptor rings (transmit and receive).
Transmit: domain updates the transmit descriptor ring. Xen copies the descriptor and the packet header. Header is inspected by the VFR. Payload is not copied (scatter-gather). Pages are pinned until completion.
Receive: Xen multiplexes/firewalls using the VFR and avoids copying by page flipping.

I/O Ring (Transmit or Receive)
Control and Management
Management software runs on a special guest OS (domain 0).
Parameters to manage include access control (for I/O devices), amount of physical memory per domain, VFR rules, etc.
Management software uses control interfaces provided by Xen.

Xen – Relative Performance
Xen – Network Performance
Xen - Performance: multiple Apache processes in Linux vs. one Apache process in each guest OS

Terra: Goals
Goal is to run applications with a wide range of security requirements simultaneously.
Multiple closed platforms on general-purpose hardware.
Software stack is tailored from the hardware interface up to meet the security requirements of its applications.
Isolation and authentication.

Terra - TVMM
Trusted VMM (TVMM).
Facilitates open-box and closed-box VMs.
Open-box VM runs regular commodity applications.
Closed-box VMs provide hardware memory protection. (Isolation)
Cryptographic authentication. (Attestation)
TVMM acts as a trusted party to authenticate the software running in a VM to remote parties.

Terra – Architecture
Two VM abstractions (open and closed).
Contents of a closed box cannot be inspected or manipulated by the platform owner.
Provides isolation, extensibility, efficiency, compatibility and security.
Extra features of Terra: root secure, attestation and trusted path.

Terra - Architecture
Terra – Attestation and VM Identity
Attestation: application in a closed-box VM authenticates itself to remote parties.
Authenticates who built the hardware and what layers of software are running on the machine.
Building a certificate chain (H/w -> BIOS -> boot loader -> TVMM -> VM -> Apps).
Terra uses tamper-resistant hardware (TPM). (Embedded private key.)

Terra – Attestation
[Figure: layers Hardware, Firmware, Boot Loader, TVMM, VM; labels: ENDORSE API call, signed certificate.]

Terra: Example Attestation
TLS/SSL session between Quicken and a remote bank server.
Client sends the attestation certificate chain during the TLS handshake.
  1. Lowest certificate (of h/w) in the chain is from a trusted authority.
  2. All hashes in the chain are on the remote server's list of authorized software. (Trustable BIOS, boot loader, TVMM.)
  3. Topmost certificate (containing the hash of Quicken) is on the list of authorized versions.
If all the checks are valid, then TLS is completed and the session key exchanged.

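The three server-side checks from the slide above, as an added sketch that is not Terra's code. It models only the policy decision: signature verification of each certificate is assumed to have been done already, and all names, the CA label and the image bytes are constructed for the example.

```python
import hashlib
from dataclasses import dataclass

def h(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()

@dataclass(frozen=True)
class Cert:
    issuer: str   # authority or lower layer that vouches for the subject
    subject: str  # layer being certified
    digest: str   # hash of the subject's code ("" for the hardware cert)

def verify_chain(chain, trusted_cas, authorized_layers, authorized_apps):
    """chain is ordered hardware first, application last. Returns (ok, reason)."""
    if not chain or chain[0].issuer not in trusted_cas:          # check 1
        return False, "hardware certificate not from a trusted authority"
    for below, cert in zip(chain, chain[1:]):
        if cert.issuer != below.subject:   # each layer endorsed by the one below
            return False, f"{cert.subject} not endorsed by the layer below"
    for cert in chain[1:-1]:                                     # check 2
        if cert.digest not in authorized_layers:
            return False, f"unauthorized {cert.subject}"
    if len(chain) < 2 or chain[-1].digest not in authorized_apps:  # check 3
        return False, "unauthorized application version"
    return True, "ok"

# Constructed sample data: layer names follow the slide, contents are made up.
CA = "Constructed-Hardware-CA"
GOOD = [("BIOS", b"bios-v1"), ("boot loader", b"loader-v1"),
        ("TVMM", b"tvmm-v1"), ("VM", b"vm-image"), ("Quicken", b"quicken-v1")]

def build(images, ca=CA):
    """Build the chain a client would send: hardware cert, then one per layer."""
    chain = [Cert(ca, "hardware", "")]
    for name, blob in images:
        chain.append(Cert(chain[-1].subject, name, h(blob)))
    return chain

LAYERS = {h(blob) for _, blob in GOOD[:-1]}   # server's authorized platform software
APPS = {h(GOOD[-1][1])}                       # server's authorized application versions

if __name__ == "__main__":
    print(verify_chain(build(GOOD), {CA}, LAYERS, APPS))
    patched = [(n, b"loader-patched" if n == "boot loader" else b) for n, b in GOOD]
    print(verify_chain(build(patched), {CA}, LAYERS, APPS))
```

A single modified layer anywhere below the application changes its hash and fails check 2, which is why the server can refuse the session before any key is exchanged.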
Privacy
Attestation process identifies the machine! (Privacy concerns.)
Privacy CA (PCA): user's machine sends an attested cert request to the PCA, and the PCA issues an anonymized cert for attestation.
Other issues: DRM etc. Media servers may release content only to platforms that would prevent copying, expire the media after a certain time, etc.

Terra – Device Driver Security
Drivers have the most security holes.
Hardware memory protection + chipset protection can prevent drivers from DMA-ing to other address spaces.
NGSCB architecture:
  1. Runs in curtained memory protected from DMA attacks and from the untrusted OS.
  2. Leverages device drivers of the untrusted OS (running in an open-box VM) via an explicit interface in the untrusted OS kernel.

Q & A.