Virtual Machines Xen and Terra

Rajan Palanivel

Xen and Terra : Papers

Xen and the art of virtualization. -Univ. of Cambridge

Terra: A VM based platform for trusted computing.

- Stanford Univ.

Virtual Machine and Advantages Multiplexing the real machine in to multiple

“virtual” machines. General architecture consist of a software

layer (Monitor) that exposes VMs and various “guest” OSs run on these VMs.

Some Advantages:1. Concurrent execution of different OS on the

same hardware and hence different applications.

2. Resource Isolation.3. Upgrade OS software to a different version

without losing the ability to run older legacy OS and it’s applications.

Types of Monitor. Monitor runs on a higher privilege level than

the guest OS. Sensitive/Privileged instructions. (Ex: MOV) Classified by the amount of guest OS

instructions that are executed by monitor or by the real hardware.

CSIM (Complete software Interpreter machine), Hybrid VM (HVM) and VMM.

VMM : Requires that “Statistically dominant subset of the virtual processor instructions be executed on the real processor” . (Type 1 and Type 2)

Xen –Type 1 VMM.

Type 1 and Type 2 VMMs

Runs directly on hardware

Good performance

Type I VMMHardware

Virtual Machine Monitor

Guest Operating System

Guest Process

Guest Process

Type II VMM

Virtual Machine Monitor

Guest Operating System

Host Operating System

Hardware

Guest Process

Guest Process

Uses existing host OS abstractions to implement services

Poor performance

Full Virtualization Full Virtualization: No modification required

for the guest OS (VMWare’s ESXServer). Drawbacks : (esp. on x86) 1. Sensitive Instructions fail without traps. 2. Need dynamic rewrite of OS kernel. 3. Shadow system structures (performance

issue to sync virtual and shadow structures).4. Guest OS may need both virtual and real

resources. (Time: TCP timeouts and RTT, Machine address for super pages etc).

Xen: Para Virtualization Para Virtualization: Exposed

hardware is similar but not identical to the real machine.

OS modifications required. ABI not changed. (Guest apps run

without changes). High performance. Xen Hypervisor.

Xen

Xen – CPU Xen Hypervisor runs in ring 0. Guest OS runs in a lower privilege level (ring

1). Privileged and sensitive instructions are paravirtualized by requiring them to be validated and executed by hypervisor.

Guest OS protects itself from it’s other processes by running in a separate address space (and separate privilege level).

Trap/Exception handlers are registered with Xen for validation. (Xen checks that the code segment of the handlers will not run in ring 0).

Fast Exception handlers for system calls.

Xen – Memory Management Initial Memory allocation: 1. Static Allocation for each domain.2. Dynamic expansion/contraction possible. Virtualizing memory is Complicated in

x86:1. x86-MMU handles TLB misses by

searching through the page table in the hardware. (No Soft TLB support).

2. TLB flush on context switches. (No tagged TLB support).

Xen – Memory Management Virtual address translation: Page Tables: Allocated and managed by guest

OSs but restricted to read only access. Updates validated and applied by Xen. (via hypercalls)

Xen: Associates a type and reference count with each machine page frame. (PD, PT, LDT, GDT, RW).

Xen exists in the 64 MB section on top of every address space (TLB flush prevented when entering/leaving Xen Hypervisor).

Page fault Handling: (CR2 register) : Pre determined location.

Control /Data / Timers Hypercalls : synchronous calls from

domain to Hypervisor. Domains do privileged operations via hypercalls.

Events: asynchronous notifications delivered via events from Xen to domains. (For delivering h/w interrupts).

Data transfer through Descriptor rings. (Producer – Consumer).

Time and Timers: Real, Virtual and wall-clock.

Xen - Network Xen provides a Virtual Firewall-router (VFR). Each domain has one or more VIFs (virtual

Interfaces) attached logically to VFR. VFR has rules of the form <pattern><action>. Two I/O buffer descriptor rings. (Transmit and

Receive). Trans: Domain updates the transmit descriptor

ring. Xen copies the descriptor and the packet header. Header is inspected by VFR. Payload is not copied (Scatter-gather). Pages are pinned till completion.

Recv: Xen multiplexes/firewalls using VFR and avoids copy by page flipping.

I/O Ring (Transmit or Receive)

Control and Management. Management software runs on a

special guest OS (domain 0). List of parameters to manage

include access control (for i/o devices), amount of physical memory per domain, VFR rules etc.

Mgmt software uses control interfaces provided by Xen.

Xen – Relative Performance

Xen – Network Performance

Xen - Performance

Multiple Apache processes in Linux

vs.

One Apache process in each guest OS

Terra: Goals Goal is to run applications with wide range

of security requirements simultaneously. Multiple Closed platforms on general

purpose hardware. Software stack is tailored from hardware

interface up to meet the security requirements of it’s applications.

Isolation and authentication.

Terra - TVMM Trusted VMM (TVMM). Facilitates Open and Closed box VMs. Open box VM runs regular commodity

applications. Closed box VMs provide hardware

memory protection. (Isolation) Cryptographic authentication

(Attestation). TVMM acts as a trusted party to authenticate the software running in a VM to remote parties.

Terra – Architecture. Two VM abstractions (Open and close). Contents of closed box cannot be

inspected or manipulated by the platform owner.

Provides Isolation, Extensibility, Efficiency, Compatibility and Security.

Extra features by Terra: Root Secure, Attestation and Trusted path.

Terra - Architecture

Terra – Attestation and VM Identity Attestation: Application in a closed box VM

authenticates itself to remote parties. Authenticates who built the hardware and

what layers of software are running on the machine.

Building a certificate chain (H/w -> BIOS -> boot loader -> TVMM -> VM -> Apps).

Terra uses a tamper resistant hardware (TPM). (Embedded private key)

Terra – Attestation

FirmwareFirmware

Boot LoaderBoot Loader

TVMMTVMMENDORSE

API CALLAPI CALL

SIGNED CERTIFICATE

HardwareHardware

VMVM

Terra : Example Attestation TLS/SSL Session between Quicken and

Remote bank server. Client sends the attestation certificate chain

during TLS Handshake.1. Lowest certificate (of h/w) in the chain is from a

trusted authority.2. All hashes in the chain are on the list of remote

server’s list of authorized software. (trustable BIOS, boot loader, TVMM)

3. Topmost certificate (containing the hash of quicken) is on the list of authorized version.

If all the checks are valid, then TLS is completed and session key exchanged.

Privacy Attestation process identifies the

machine! (privacy concerns). Privacy CA (PCA): User’s machine send an

attested cert request to PCA and PCA issues an anonymized cert for attestation.

Other issues : DRM etc. – Media servers may release content only to platforms that would prevent copying, expire the media after certain time etc.

Terra – Device Driver Security. Drivers have the most security holes.. Hardware memory protection + chipset

protection can prevent drivers from DMA ing to other address spaces.

NGSCB architecture: 1. Runs in a curtained memory protected

from DMA attacks and from untrusted OS.2. Leverages device drivers of the untrusted

OS (running in an open box VM) via an explicit interface in the untrusted Os kernel.

Q & A.

QA