Survey
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Virtual Machines Supporting Changing Technology and New Applications Computing Frontiers May 2005 J. E. Smith Introduction Why are virtual machines interesting? They involve computer architecture in a pure sense They allow transcending of interfaces (which often seem to be an obstacle to innovation) They enable innovation in flexible, adaptive software & hardware, security, network computing (and others) Virtualization technologies will be a key part of most future computer systems VMs (c) 2005, J. E. Smith 2 Outline Virtualization The Architecture of Virtual Machines Emulation Enhancing Security The Grid Portable Environments Co-Designed VMs VMs (c) 2005, J. E. Smith 3 Abstraction Software Computer systems are built on levels of abstraction Higher level of abstraction hide details at lower levels Example: files are an abstraction of a disk Application Programs fileLibraries file Operating System abstraction Memory Manager Drivers Scheduler Execution Hardware System Interconnect (bus) Memory Translation Controllers Controllers I/O devices and Networking Main Memory Hardware VMs (c) 2005, J. E. Smith 4 Virtualization Similar to abstraction Except • Details not necessarily hidden Construct Virtual Disks • • • virtualization file file As files on a larger disk Map state Implement functions VMs: do the same thing with the whole “machine” VMs (c) 2005, J. E. Smith 5 The Family of Virtual Machines Including There are things lots of not “virtual called machines” “virtual machines” IBM VM/370 IA-32 EL Java HP Dynamo VMware products Transmeta Crusoe “The subjects of virtual machines and emulators have been treated as entirely separate. … they have much in common. Not only do the usual implementations have many shared characteristics, but this commonality extends to the theoretical concepts on which they are based” -- Efrem G. Wallach, 1973 VMs (c) 2005, J. E. Smith 6 “Machines” Different perspectives on what the Machine is: OS developer Compiler developer Application programmer Application Programs Libraries Operating System Execution Hardware Instruction Set Architecture Application Binary Program Interface Interface •• • • ISA API ABI Major division User User ISA ISA ++ library OSbetween calls calls hardware and software System Interconnect (bus) I/O devices and Networking VMs (c) 2005, J. E. Smith Memory Translation Main Memory 7 System Virtual Machines Provide a system environment Constructed at ISA level Persistent Examples: IBM VM/360, VMware, Transmeta Crusoe guest guest process process guest process guest guest guest process process process Guest OS Guest OS2 VMM VMM HOST PLATFORM virtual network communication VMs (c) 2005, J. E. Smith 8 Process Virtual Machines Constructed at ABI level Runtime manages guest process Guest processes may intermingle with host processes Not persistent As a practical matter, guest and host OSes are often the same Dynamic optimizers are a special case Examples: IA-32 EL, FX!32, Dynamo guest process host process runtime guest process guest process runtime host process runtime create HOST OS file sharing VMs (c) 2005, J. E. Smith Disk network communication 9 High Level Language Virtual Machines Raise the “ABI” level of abstraction • User higher level virtual ISA • OS abstracted as standard libraries A form of process VM HLL Program HLL Program Compiler front-end Intermediate Code Compiler Portable Code ( Virtual ISA ) Compiler back-end VM loader Object Code (ISA) Virt. Mem. Image VM Interpreter/Translator Loader Memory Image Host Instructions Traditional HLL VM VMs (c) 2005, J. E. Smith 10 The Virtual Machine Space Process VMs same ISA Multi programmed Systems Dynamic Binary Optimizers System VMs different ISA same ISA Dynamic Translators Classic OS VMs Whole System VMs HLL VMs Hosted VMs Co-Designed VMs VMs (c) 2005, J. E. Smith different ISA 11 Key Feature – State/Resource Mapping VM SW can Re-map logical to physical state • • • • Via pointers or copying Registers to registers Registers to memory Memory to disk Host Registers Host Register Space Guest Registers Runtime Data Runtime Code Guest Data Host ABI Address Space Guest Code VMs (c) 2005, J. E. Smith 12 Key Feature – Emulation Interpretation • Binary translation and code caching • • • Software loop decodes and dispatches each instruction Translate blocks of instructions at a time Hold translated blocks in code cache With same-ISA scanning/patching is an alternative Staged Emulation • • Emulation techniques invoked in staged manner Based on performance tradeoffs VMs (c) 2005, J. E. Smith 13 Code Caches Contain • • • Basic blocks Superblocks (one entrance, multiple exits) Optimized Superblocks A base technology for many VMs • • • • • • Dynamic binary translators: Intel IA-32 EL, Compaq FX!32 Dynamic binary optimizers: Dynamo family Co-designed virtual machines: Transmeta, IBM DAISY High performance Java virtual machines System VMs with “inefficiently virtualizable” ISAs “Sandboxing” secure VMs (x86 DynamoRIO) VMs (c) 2005, J. E. Smith 14 Code Caching with Chaining Chaining of blocks in code cache minimizes VM overhead Code Cache Super block Dispatch table lookup code Super block Super block Super block VMs (c) 2005, J. E. Smith 15 Staged Emulation An important part of many VM implementations Start Profile interpreting to find “hot”&code Translate, optimize cache regions frequent code sequences Interpreter Profile Data Binary Memory Image Code Cache runtime Translator/ Optimizer VMs (c) 2005, J. E. Smith 16 Key Feature – VMM/Runtime Control Interpretation • • Binary translation and code caching • • • Fine grain control Every dynamic instruction “inspected” before execution Coarser grain control Every static instruction inspected before execution Jumps to VM SW can be inserted anywhere Protection levels • • • Very coarse grain control Every resource-related instruction trapped by protection system Otherwise, use interpretation/translation techniques Used in system VMs to manage resource mappings VMs (c) 2005, J. E. Smith 17 VMM Resource Control in System VMs Application Traps and interrupts (& sys calls) • • • Transfer to VMM VMM determines appropriate Guest OS VMM transfers to Guest OS Guest OS “return” to user app. • • system call/trap Guest OS privileged operation next instruction Transfer to VMM VMM bounces return back to Guest app. virtual vector location: Resource sensitive instructions • • • • Trap to VMM VMM checks correctness VMM reads/modifies guest resource Returns to Guest VMM check privileges perform operation return vector location: VMs (c) 2005, J. E. Smith 18 VMM as a Smart Interconnect Two modes: • • Execution mode VM mode After it gains control • • VM SW can manage resources via state mapping VM SW can alter/enhance functions via emulation apps 2 OS 2 apps 2 OS 2 apps 1 apps 1 apps 1 OS 1 ISA 1 OS 1 OS 1 ISA 1 VMs (c) 2005, J. E. Smith ISA 1 19 Security Many security threats • Worms, viruses, Trojan horses, etc. Typical attack – get access to privileged part of system • • Often with little effort Compromised passwords “Easy” passwords Mechanically repeated efforts Exploit weakness in system software Unchecked accesses to system data structures Can get control in privileged state by causing overflows VMs (c) 2005, J. E. Smith 20 Buffer Overflow User Mode User Mode Supervisor Mode Supervisor Mode User invokes system program with faulty input that causes buffer overflow in stack User invokes system program with normal input System program performs function and returns to user Return address in stack clobbered due to overflow. Vulnerable system program peforms function and returns to illegal address User performs subsequent task System exception! (a) Normal Input (b) Faulty Input VMs (c) 2005, J. E. Smith 21 Malicious Input – Intrusion User Mode Malicious user invokes system program with tailored input that causes buffer overflow in stack Supervisor Mode Return address in stack changed due to overflow. Vulnerable system program peforms function and returns to user-specified address, e.g. address of shell program User gets full control of system through shell program running in supervisor mode VMs (c) 2005, J. E. Smith 22 Intrusion Detection Systems Isolation is not an option • Language-level checking • • Increasing dependence on communication over networks Java, MSIL – range- and type-checking Legacy applications and legacy style not protected Need for Intrusion Detection Systems (IDS) • • • Depend on knowledge of potential attacks Network-based Intrusion Detection Systems (NIDS) Host-based Intrusion Detection Systems (HIDS) VMs (c) 2005, J. E. Smith 23 Host Intrusion Detection Systems Directly examine activity on host • • Knowledge of host operating system Look for repeated attempts To crack password To access unauthorized files, etc. HIDS has significantly better viewpoint compared to NIDS But HIDS can be disabled by attack • Or can provide misleading information VMs (c) 2005, J. E. Smith 24 Monitoring and Recovering from Attacks Importance of understanding attacks • • To recover from an attack To prevent future attacks Logging • • Save information about critical activity on system Know the events that caused the failure Save checkpoint of state of system Reconstruct the attack from a known good state VMs (c) 2005, J. E. Smith 25 Virtual Machines as a Sandbox Fault containment important feature of VMs VM Isolation helps in close examination of attack • Clone system that has been attacked for later analysis Use VM as a “honey-pot” • Permit attacks that can be monitored Production Virtual Machines VM1 VM2 VM3 VM4 Virtual Machine Monitor Hardware VMs (c) 2005, J. E. Smith 26 Virtual Machine for Monitoring Livewire system (Stanford) • Separates IDS from VMM • IDS configures the VMM to monitor activity at more than the usual points Signature of suspicious activity may be specified • After initialization, IDS enters the picture only in analyzing data from suspicious activity • Feedback – suggest new monitoring based on analysis E.g. monitor system call activity after repeated login attempts • May need knowledge of OS to analyze data, e.g. crash dumps VMs (c) 2005, J. E. Smith 27 Livewire IDS IDS Policy Engine Guest Virtual Machine Policy Modules Guest Apps Config File Guest OS Metadata Policy Framework Command Query Response OS Interface Library Guest OS Callback Virtual Machine Monitor Hardware VMs (c) 2005, J. E. Smith 28 Policy Modules in Livewire Polling modules • • • Lie detector module VMM knows hardware state for each virtual machine Lie detector compares this state to the state provided as feedback from intruder User program integrity detector module Compare signatures of memory pages with saved signatures Signature detector module Scan memory with signature of known viruses, Trojan horse programs, etc. Event-driven modules • Memory access enforcer module VMM intercepts attempts to change page access privileges VMs (c) 2005, J. E. Smith 29 Dynamic Binary Rewriting Program shepherding • Control execution of program Prevent program from being attacked Prevent program from being launching point for attacks RIO System (MIT) • • Based on Dynamo binary optimization system Target of every control transfer instruction verified Not to unauthorized locations Only to safe locations VMs (c) 2005, J. E. Smith 30 RIO Dynamic Binary Rewriting System Indirect Branch Lookup Routine Basic Block Cache Superblock Cache Application Mode RIO Mode Dispatch Routine START Basic Block Builder Superblock Selector Two levels of translation Quick translation (basic blocks) • High performance translation (superblocks) • Security Checks All code inspected during translation • All control transfers are checked before caching/table placement • Code cache and map table are protected • Small performance loss • VMs (c) 2005, J. E. Smith 31 Migration of Computing Environments Identical environment at any work location • • Entire state of machine must be transported • • When moving from one location to another E.g. Home to work and back Effect similar to carrying hardware back and forth Physical security has to be taken care of State of processor resources For OS as well as applications Includes active code and data Concept of a capsule • Compressed information about entire system Can be transported from one location to another VMs (c) 2005, J. E. Smith 32 Encapsulation simplified through use of virtual machines Encapsulation has the effect of checkpointing Suspend operation on one platform and resume execution at exactly same point on another platform Apps1 Traditional Data Migration Data Data Virtual Computers Apps2 OS1 OS2 Hardware 1 Hardware 2 Virtual Machine Virtual Machine • Guest Apps Guest OS VM Migration Guest Apps Guest OS Virtual Machine Monitor 1 Virtual Machine Monitor 2 Hardware 1 Hardware 2 VMs (c) 2005, J. E. Smith 33 VMotion (VMware) VC Client (User 1) VC Client (User 2) Migration of virtual machines in commercial environment • • • • • • Load balancing Security, e.g. quarantine attacked machine Co-location Fault-tolerance Power management Maintenance VC Client (User 3) VC Management Server VCagent VM1 VM2 VC Client (User 4) VC Database VCagent VM3 VM4 hostA VM5 VCagent VM6 VM7 hostB Data Store VMs (c) 2005, J. E. Smith VM8 VM9 hostC SAN 34 Migration Steps Step 1: Ensure that VM is stable on current host Step 2: Perform baseline copy • Step 3: Suspend VM on current host Step 4: Perform final copy • Copy of current memory state and data Send incremental capsule containing changes since baseline copy Step 5: Activate VM on new host VMs (c) 2005, J. E. Smith 35 Grids: Virtual Organizations “Participants in P can run Program A” Virtual Organization P “Participants in Q can use idle cycles if budget not exceeded” Multidisciplinary design using programs and data at multiple locations Virtual Organization Q Ray Tracing using cycles provided by cycle-sharing consortium “Participants in P can run Program B” “Participants in P can use Data D” VMs (c) 2005, J. E. Smith 36 Comparison with Conventional VMs Efficient utilization of resources • Similar in motivation to original system VMs Sharing of resources • Grid concerned with sharing of content also Not just sharing of resources Distributed control • Grid has global scope Users negotiate with each other to share and use resources Heterogeneous nodes • Nodes in a grid may be different types of machines Adaptation of applications • Applications may need to be adapted for the grid Portability of applications • Conceptually similar to goals of HLL VMs VMs (c) 2005, J. E. Smith 37 Role of System VMs in a Grid Grid has to manage and schedule resources • However, grid has to deal with heterogeneity • Like an operating system Accounting, for example, is dependent on accounting policies of each grid participant System VM-based approach • Treat a VM as the unit of transactions on a grid Not tasks, or programs ( Figuieredo and Fortes) VMs (c) 2005, J. E. Smith 38 System-VM Based Grid Application Server (Front End F) Information Service V1 V2 V3 Vn Virtual Machines (Back End) The Internet User X Physical ServerP Image Server I Data Server D VMs (c) 2005, J. E. Smith 39 Advantages of SVM based Approach User isolation • • Platform independence • User specifies type of machine, not actual machine Task management and accounting • Protect user from host and other users Protect host from users Simplifies allocation and accounting Allocate based on compute requirements Charge based on performance of VM Portability • • Allows applications to be written for execution on the widest range of platforms Eases encapsulation and migration of jobs between nodes on grid; e.g. Java VMs can be migrated VMs (c) 2005, J. E. Smith 40 Co-Designed Virtual Machines Separate the hardware/software interface from the ISA level of abstraction Restore the ISA to its “natural” place as an Implementation ISA that reflects actual hardware Support existing ISAs as a Virtual ISA Let processor designers use both hardware and software A form of system VM User Applications Applications User libs. libs. OS V-ISA ISA Software I-ISA Hardware Hardware VMs (c) 2005, J. E. Smith 41 Co-Designed VMs Should be of interest to both architects and micro-architects • • • • Offers opportunities for performance, power saving, fault tolerance and other implementationdependent features Allows transcending conventional ISAs IBM Daisy and Transmeta Crusoe Don’t confuse them with VLIW! “pioneers are the ones with arrows in their backs” VMs (c) 2005, J. E. Smith 42 Architecture Issues: Concealed Memory VM software resides in memory concealed from all conventional software concealed memory Code Cache VM Code ICache Hierarchy Processor Core VM Data Source ISA Code conventional memory Source ISA Data DCache Hierarchy VMs (c) 2005, J. E. Smith 43 Another Way of Doing Things conventional Main Memory Translation Unit (form uops) Cache Hierarchy Processor Pipeline Func. Unit Func. Unit . .. Func. Unit Main Memory Software dynamic translation Func. Unit Translator Code Cache Cache Hierarchy Processor Pipeline . .. Translation Unit (form uops) Func. Unit VMs (c) 2005, J. E. Smith 44 Fused Instruction Set Co-designed VM x86 implementation • Combine pairs of dependent instructions • For single “unit” for pipeline processing Use VM software to • • • Shorten and simplify pipeline front-end “Crack” x86 instructions into RISC-ops Re-order RISC-ops Reassemble into (new) fused pairs Related: Pentium-M fuses in front-end • • Using original x86 instructions “Reduced Splitting” is more accurate description VMs (c) 2005, J. E. Smith 45 Fusing Profile About 50% of operations are fused Only 5-10% of non-fused are single-cycle ALU ops 100% 90% Percentage of Dynamic Instructions 80% 70% 60% 50% ALU 40% FP or NOPs 30% BR 20% ST LD 10% Fused 0% VMs (c) 2005, J. E. Smith 46 Performance M0: Base + Code Cache M1:= M0 + fusing M2:= M1 + shorter pipe Macro-op:= M2 + 3-1 ALU 70 50 40 30 20 10 0 -10 16 4.g zip 17 5.v pr 17 6.g cc 18 1.m cf 18 6.c raf ty 19 7.p ars er 25 2.e on 25 3.p erl bm k 25 4.g ap 25 5.v ort ex 25 6.b zip 2 30 0.t wo lf Ha rm on ic Nomarlized IPC speedup (%) 60 VMs (c) 2005, J. E. Smith 47 Summary Many types of VMs • A smart interconnect component • • But common implementation technologies Should be studied/taught as a discipline on its own Alongside OS, Application SW, HW Many avenues for research • • • Lots of applications Architecture meta-issues – What features of OS, Applications, HW are “VM friendly”? E.g. Goldberg work in early 70s for system VMs Primitives for supporting VMs VMs (c) 2005, J. E. Smith 48