Survey
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Virtual Machines and their Applications CSE 598C Paper Title: Analysis of the Intel Pentium’s Ability to Support a Secure Virtual Machine Monitor Presented By: Angshuman Parashar VM model Simplescalar Photoshop DB2 World of Warcraft AIX Linux OMG LOLOLOL!!1!1 n00b MacOS VMM VMM Windows x86 x86 Classic System VMM (Type I) Hosted System VMM (Type II) 2 Sensitive and Privileged Instructions • Sensitive: Interfere with state of underlying VMM or host OS • Privileged: Trap if executed in nonprivileged mode • If Sensitive ⊆ Privileged, processor is virtualizable 3 x86 Privilege Levels Ring 3 Ring 3 User Level Tasks User Level Tasks Ring 2 Ring 2 Ring Compression Ring 1 Ring 0 Operating System Ring 1 Operating System Ring 0 VMM 4 Virtualization Requirements 1. Instruction execution equivalent across privilege levels ✓ 2. Memory Protection (e.g. Address Translation) ✓ 3. Trap and Emulate Sensitive Instructions: Instructions that… A. … access VM state ✓ B. … access Sensitive Registers (clock, interrupt) X C. … access Protection/Translation system X D. … perform I/O ✓ 5 17 Sensitive Unprivileged Instructions SGDT SIDT SLDT LAR LSL VERR VERW CALL JMP INT n RET PUSH POP STR SMSW PUSHF POPF MOVE 6 Some interesting cases • SMSW: stores CR0 into a GPR or memory – CR0 bit 0 = Protection Enable – Consider VMOS running in real mode, checks PE bit, panics • POPF: pops flags from stack into EFLAGS register – Different bits have different privileges – No exceptions are generated on privilege violation! 7 Some interesting cases (contd.) • Some instructions check if CPL > DPL – VM runs in CPL > 0 – VMOS assumes it is running at CPL 0 • PUSH: pushes a register onto stack – CS and SS contain CPL of currently running task – Process thinks it is running at CPL 0, pushes CS, then checks • CALL across privilege levels – Again, CPL vs. DPL checks 8 Solutions • Recompile the OS – Paravirtualization – Xen, Plex86 • Dynamically Monitor and Alter the OS – Runtime Binary Translation – Inserts breakpoints at certain critical locations – Dynamic branches and Self-Modifying Code are a headache – VMWare, FreeMWare (evolved into Plex86) • Update the Hardware – Hardware Assist – Intel VT, AMD Pacifica 9 Security Concerns • Current VMMs’ claims of “isolation” and “confinement” are bogus • Potential Loopholes: – Sharing • Floppy drives • Network and Files – Virtual file systems, Ports maintained as files on host system (Type II) – Tools and Utilities (mouse pointer in VMWare) – Host OS insecure • Conclusion: Type II risky, Type I feasible with a microkernel – Hardware Assist would be helpful 10 Overview of Intel VT Ring 3 User Level Tasks Ring 2 Non-Root Mode Ring 1 VM Entry VM Exit Ring 0 Root Mode Operating System Virtual Machine Monitor 11 Overview of Intel VT (contd.) • VM data is stored in a VM Control Structure (similar to task_struct) • Certain events cause unconditional VMexits (CPUID, RDMSR etc.) • Some faults always cause OS traps (invalid opcodes, privilege level faults etc.) • Several events can be configured by VMM to either cause guest OS trap or VM-exit (external pin interrupts, privileged instructions, etc.) 12 Backup Slides 13 Type II Issues • Host OS cannot invalidate Requirement 1 (huh?) • Host OS should be protected from all VMs • Security: Secure VMM will require secure host OS 14