virtual machines xen and terra
DESCRIPTION
Virtual Machines Xen and Terra. Rajan Palanivel. Xen and Terra : Papers. Xen and the art of virtualization. -Univ. of Cambridge Terra: A VM based platform for trusted computing. - Stanford Univ. Virtual Machine and Advantages. - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: Virtual Machines Xen and Terra](https://reader036.vdocuments.mx/reader036/viewer/2022070401/56813689550346895d9e1422/html5/thumbnails/1.jpg)
Virtual Machines Xen and Terra
Rajan Palanivel
![Page 2: Virtual Machines Xen and Terra](https://reader036.vdocuments.mx/reader036/viewer/2022070401/56813689550346895d9e1422/html5/thumbnails/2.jpg)
Xen and Terra : Papers
Xen and the art of virtualization. -Univ. of Cambridge
Terra: A VM based platform for trusted computing.
- Stanford Univ.
![Page 3: Virtual Machines Xen and Terra](https://reader036.vdocuments.mx/reader036/viewer/2022070401/56813689550346895d9e1422/html5/thumbnails/3.jpg)
Virtual Machine and Advantages Multiplexing the real machine in to multiple
“virtual” machines. General architecture consist of a software
layer (Monitor) that exposes VMs and various “guest” OSs run on these VMs.
Some Advantages:1. Concurrent execution of different OS on the
same hardware and hence different applications.
2. Resource Isolation.3. Upgrade OS software to a different version
without losing the ability to run older legacy OS and it’s applications.
![Page 4: Virtual Machines Xen and Terra](https://reader036.vdocuments.mx/reader036/viewer/2022070401/56813689550346895d9e1422/html5/thumbnails/4.jpg)
Types of Monitor. Monitor runs on a higher privilege level than
the guest OS. Sensitive/Privileged instructions. (Ex: MOV) Classified by the amount of guest OS
instructions that are executed by monitor or by the real hardware.
CSIM (Complete software Interpreter machine), Hybrid VM (HVM) and VMM.
VMM : Requires that “Statistically dominant subset of the virtual processor instructions be executed on the real processor” . (Type 1 and Type 2)
Xen –Type 1 VMM.
![Page 5: Virtual Machines Xen and Terra](https://reader036.vdocuments.mx/reader036/viewer/2022070401/56813689550346895d9e1422/html5/thumbnails/5.jpg)
Type 1 and Type 2 VMMs
Runs directly on hardware
Good performance
Type I VMMHardware
Virtual Machine Monitor
Guest Operating System
Guest Process
Guest Process
Type II VMM
Virtual Machine Monitor
Guest Operating System
Host Operating System
Hardware
Guest Process
Guest Process
Uses existing host OS abstractions to implement services
Poor performance
![Page 6: Virtual Machines Xen and Terra](https://reader036.vdocuments.mx/reader036/viewer/2022070401/56813689550346895d9e1422/html5/thumbnails/6.jpg)
Full Virtualization Full Virtualization: No modification required
for the guest OS (VMWare’s ESXServer). Drawbacks : (esp. on x86) 1. Sensitive Instructions fail without traps. 2. Need dynamic rewrite of OS kernel. 3. Shadow system structures (performance
issue to sync virtual and shadow structures).4. Guest OS may need both virtual and real
resources. (Time: TCP timeouts and RTT, Machine address for super pages etc).
![Page 7: Virtual Machines Xen and Terra](https://reader036.vdocuments.mx/reader036/viewer/2022070401/56813689550346895d9e1422/html5/thumbnails/7.jpg)
Xen: Para Virtualization Para Virtualization: Exposed
hardware is similar but not identical to the real machine.
OS modifications required. ABI not changed. (Guest apps run
without changes). High performance. Xen Hypervisor.
![Page 8: Virtual Machines Xen and Terra](https://reader036.vdocuments.mx/reader036/viewer/2022070401/56813689550346895d9e1422/html5/thumbnails/8.jpg)
Xen
![Page 9: Virtual Machines Xen and Terra](https://reader036.vdocuments.mx/reader036/viewer/2022070401/56813689550346895d9e1422/html5/thumbnails/9.jpg)
Xen – CPU Xen Hypervisor runs in ring 0. Guest OS runs in a lower privilege level (ring
1). Privileged and sensitive instructions are paravirtualized by requiring them to be validated and executed by hypervisor.
Guest OS protects itself from it’s other processes by running in a separate address space (and separate privilege level).
Trap/Exception handlers are registered with Xen for validation. (Xen checks that the code segment of the handlers will not run in ring 0).
Fast Exception handlers for system calls.
![Page 10: Virtual Machines Xen and Terra](https://reader036.vdocuments.mx/reader036/viewer/2022070401/56813689550346895d9e1422/html5/thumbnails/10.jpg)
Xen – Memory Management Initial Memory allocation: 1. Static Allocation for each domain.2. Dynamic expansion/contraction possible. Virtualizing memory is Complicated in
x86:1. x86-MMU handles TLB misses by
searching through the page table in the hardware. (No Soft TLB support).
2. TLB flush on context switches. (No tagged TLB support).
![Page 11: Virtual Machines Xen and Terra](https://reader036.vdocuments.mx/reader036/viewer/2022070401/56813689550346895d9e1422/html5/thumbnails/11.jpg)
Xen – Memory Management Virtual address translation: Page Tables: Allocated and managed by guest
OSs but restricted to read only access. Updates validated and applied by Xen. (via hypercalls)
Xen: Associates a type and reference count with each machine page frame. (PD, PT, LDT, GDT, RW).
Xen exists in the 64 MB section on top of every address space (TLB flush prevented when entering/leaving Xen Hypervisor).
Page fault Handling: (CR2 register) : Pre determined location.
![Page 12: Virtual Machines Xen and Terra](https://reader036.vdocuments.mx/reader036/viewer/2022070401/56813689550346895d9e1422/html5/thumbnails/12.jpg)
Control /Data / Timers Hypercalls : synchronous calls from
domain to Hypervisor. Domains do privileged operations via hypercalls.
Events: asynchronous notifications delivered via events from Xen to domains. (For delivering h/w interrupts).
Data transfer through Descriptor rings. (Producer – Consumer).
Time and Timers: Real, Virtual and wall-clock.
![Page 13: Virtual Machines Xen and Terra](https://reader036.vdocuments.mx/reader036/viewer/2022070401/56813689550346895d9e1422/html5/thumbnails/13.jpg)
Xen - Network Xen provides a Virtual Firewall-router (VFR). Each domain has one or more VIFs (virtual
Interfaces) attached logically to VFR. VFR has rules of the form <pattern><action>. Two I/O buffer descriptor rings. (Transmit and
Receive). Trans: Domain updates the transmit descriptor
ring. Xen copies the descriptor and the packet header. Header is inspected by VFR. Payload is not copied (Scatter-gather). Pages are pinned till completion.
Recv: Xen multiplexes/firewalls using VFR and avoids copy by page flipping.
![Page 14: Virtual Machines Xen and Terra](https://reader036.vdocuments.mx/reader036/viewer/2022070401/56813689550346895d9e1422/html5/thumbnails/14.jpg)
I/O Ring (Transmit or Receive)
![Page 15: Virtual Machines Xen and Terra](https://reader036.vdocuments.mx/reader036/viewer/2022070401/56813689550346895d9e1422/html5/thumbnails/15.jpg)
Control and Management. Management software runs on a
special guest OS (domain 0). List of parameters to manage
include access control (for i/o devices), amount of physical memory per domain, VFR rules etc.
Mgmt software uses control interfaces provided by Xen.
![Page 16: Virtual Machines Xen and Terra](https://reader036.vdocuments.mx/reader036/viewer/2022070401/56813689550346895d9e1422/html5/thumbnails/16.jpg)
Xen – Relative Performance
![Page 17: Virtual Machines Xen and Terra](https://reader036.vdocuments.mx/reader036/viewer/2022070401/56813689550346895d9e1422/html5/thumbnails/17.jpg)
Xen – Network Performance
![Page 18: Virtual Machines Xen and Terra](https://reader036.vdocuments.mx/reader036/viewer/2022070401/56813689550346895d9e1422/html5/thumbnails/18.jpg)
Xen - Performance
Multiple Apache processes in Linux
vs.
One Apache process in each guest OS
![Page 19: Virtual Machines Xen and Terra](https://reader036.vdocuments.mx/reader036/viewer/2022070401/56813689550346895d9e1422/html5/thumbnails/19.jpg)
Terra: Goals Goal is to run applications with wide range
of security requirements simultaneously. Multiple Closed platforms on general
purpose hardware. Software stack is tailored from hardware
interface up to meet the security requirements of it’s applications.
Isolation and authentication.
![Page 20: Virtual Machines Xen and Terra](https://reader036.vdocuments.mx/reader036/viewer/2022070401/56813689550346895d9e1422/html5/thumbnails/20.jpg)
Terra - TVMM Trusted VMM (TVMM). Facilitates Open and Closed box VMs. Open box VM runs regular commodity
applications. Closed box VMs provide hardware
memory protection. (Isolation) Cryptographic authentication
(Attestation). TVMM acts as a trusted party to authenticate the software running in a VM to remote parties.
![Page 21: Virtual Machines Xen and Terra](https://reader036.vdocuments.mx/reader036/viewer/2022070401/56813689550346895d9e1422/html5/thumbnails/21.jpg)
Terra – Architecture. Two VM abstractions (Open and close). Contents of closed box cannot be
inspected or manipulated by the platform owner.
Provides Isolation, Extensibility, Efficiency, Compatibility and Security.
Extra features by Terra: Root Secure, Attestation and Trusted path.
![Page 22: Virtual Machines Xen and Terra](https://reader036.vdocuments.mx/reader036/viewer/2022070401/56813689550346895d9e1422/html5/thumbnails/22.jpg)
Terra - Architecture
![Page 23: Virtual Machines Xen and Terra](https://reader036.vdocuments.mx/reader036/viewer/2022070401/56813689550346895d9e1422/html5/thumbnails/23.jpg)
Terra – Attestation and VM Identity Attestation: Application in a closed box VM
authenticates itself to remote parties. Authenticates who built the hardware and
what layers of software are running on the machine.
Building a certificate chain (H/w -> BIOS -> boot loader -> TVMM -> VM -> Apps).
Terra uses a tamper resistant hardware (TPM). (Embedded private key)
![Page 24: Virtual Machines Xen and Terra](https://reader036.vdocuments.mx/reader036/viewer/2022070401/56813689550346895d9e1422/html5/thumbnails/24.jpg)
Terra – Attestation
FirmwareFirmware
Boot LoaderBoot Loader
TVMMTVMMENDORSE
API CALLAPI CALL
SIGNED CERTIFICATE
HardwareHardware
VMVM
![Page 25: Virtual Machines Xen and Terra](https://reader036.vdocuments.mx/reader036/viewer/2022070401/56813689550346895d9e1422/html5/thumbnails/25.jpg)
Terra : Example Attestation TLS/SSL Session between Quicken and
Remote bank server. Client sends the attestation certificate chain
during TLS Handshake.1. Lowest certificate (of h/w) in the chain is from a
trusted authority.2. All hashes in the chain are on the list of remote
server’s list of authorized software. (trustable BIOS, boot loader, TVMM)
3. Topmost certificate (containing the hash of quicken) is on the list of authorized version.
If all the checks are valid, then TLS is completed and session key exchanged.
![Page 26: Virtual Machines Xen and Terra](https://reader036.vdocuments.mx/reader036/viewer/2022070401/56813689550346895d9e1422/html5/thumbnails/26.jpg)
Privacy Attestation process identifies the
machine! (privacy concerns). Privacy CA (PCA): User’s machine send an
attested cert request to PCA and PCA issues an anonymized cert for attestation.
Other issues : DRM etc. – Media servers may release content only to platforms that would prevent copying, expire the media after certain time etc.
![Page 27: Virtual Machines Xen and Terra](https://reader036.vdocuments.mx/reader036/viewer/2022070401/56813689550346895d9e1422/html5/thumbnails/27.jpg)
Terra – Device Driver Security. Drivers have the most security holes.. Hardware memory protection + chipset
protection can prevent drivers from DMA ing to other address spaces.
NGSCB architecture: 1. Runs in a curtained memory protected
from DMA attacks and from untrusted OS.2. Leverages device drivers of the untrusted
OS (running in an open box VM) via an explicit interface in the untrusted Os kernel.
![Page 28: Virtual Machines Xen and Terra](https://reader036.vdocuments.mx/reader036/viewer/2022070401/56813689550346895d9e1422/html5/thumbnails/28.jpg)
Q & A.
QA