Embed Size (px)
Citation preview
VIRTUALIZATION AND CLOUD SECURITY – UNIT II Dr. N. Sandeep Varma, Ph.D.
Contents
¨ Architectural styles for cloud applications
¨ Workflows - coordination of multiple activities
¨ Coordination based on a state machine model : ZooKeeper
¨ The MapReduce programming model
¨ Virtualization
Virtualization - Contents
¨ Virtualization
¨ Layering
¨ Virtual Machines
¨ Full Virtualization & Para Virtualization
¨ Hardware Support Virtualization
Glimpse of Computing Systems
¨ Interpreters ¨ Memory ¨ Communication links
Processors : Transform information
Memory : Primary and Secondary for storing information Communication Channels : Different systems communicate in
terms of bandwidth, latency and
physical characteristics
Operating Systems : Manage System Resources
Computing Systems
Virtualization Need - Background
¨ Complex Systems ¨ Number of users are going ¨ Applications diversity ¨ Resources are oversubscribed ¨ Users are not cooperative ¨ Heterogeneity of Hardware and Software Systems ¨ Failure rate of different components
Solution - 1
¨ Traditional Way Data Centers install standard operating systems on
individual systems and rely on conventional OS techniques. Advantages Resource Sharing Application Protection Performance Isolation Challenge : Application Development & Performance Optimization
Solution - 2
¨ Resource Virtualization
q Virtualization is a basic tenet of cloud computing, it simplifies the management of physical resources for the three abstractions.
q The state of a virtual machine (VM) running under a virtual machine monitor (VMM) can de saved and migrated to another server to balance the load.
q Virtualization allows users to operate in environments they are familiar with, rather than forcing them to idiosyncratic ones
Virtualization (Contd.,)
¨ Multiplexing: creates multiple virtual objects from one instance of a physical object.
Example - a processor is multiplexed among a number of processes or threads.
¨ Aggregation: creates one virtual object from multiple physical objects. ¤ Example - a number of physical disks are aggregated into a RAID disk.
¨ Emulation: constructs a virtual object from a different type of a physical object.
¤ Example - a physical disk emulates a Random Access Memory (RAM).
¨ Multiplexing and emulation.
¤ Examples - virtual memory with paging multiplexes real memory and disk; a virtual address emulates a real address.
Layering
q Layering – a common approach to manage system complexity
¤ Minimizes the interactions among the subsystems of a complex system. ¤ Simplifies the description of the subsystems; each subsystem is abstracted
through its interfaces with the other subsystems. ¤ We are able to design, implement, and modify the individual subsystems
independently.
q Layering in a computer system. ¤ Hardware. ¤ Software.
n Operating system. n Libraries. n Applications.
Application Programming Interface, Application Binary Interface, and Instruction Set Architecture
Layering (Contd.,)
¨ Instruction Set Architecture (ISA) – Boundary between hardware and software.
¨ Application Binary Interface (ABI) – allows the ensemble consisting of the application and the library modules to access the hardware; the ABI does not include privileged system instructions, instead it invokes system calls.
¨ Application Program Interface (API) - defines the set of instructions the hardware was designed to execute and gives the application access to the ISA; it includes High Level Language (HLL) library calls which often invoke system calls.
Code Portability
Binaries created by a compiler for a specific ISA and a specific operating systems are not portable. HLL program for a virtual machine (VM) environment where portable code is produced A dynamic binary translation converts blocks of guest instructions from the portable code to the host instruction Significant performance improvement, as such blocks are cached and reused
¨ Virtualization is way to run multiple operating systems and user applications on the same hardware ¤ E.g., run both Windows and Linux on the same laptop
¨ How is it different from dual-boot? ¤ Both OSes run simultaneously
¨ The OSes are completely isolated from each other
Assignment - Groups of Two
¨ Try creating VMS of your Interest Choose The software Choose VM image Select RAM & Space Run the VM Install a Webserver Run a simple PHP Script
(Communicate with Both HOST and GUEST OS)
Types of Hypervisor
• Hypervisor (or VMM – Virtual Machine Monitor) is a software layer that allows several virtual machines to run on a physical machine
• The physical OS and hardware are called the Host
• The virtual machine OS and applications are called the Guest
VMware ESX, Microsoft Hyper-V
Hardware
Hypervisor
VM1 VM2
Type 1 (bare-metal)
Host
Guest
Hardware
OS
Process Hypervisor
VM1 VM2
Type 2 (hosted)
VMware Workstation, Microsoft Virtual PC, Sun VirtualBox, QEMU, KVM
Host
Guest
Bare Metal Vs Hosted
¨ Bare-metal ¤ Has complete control over hardware ¤ Doesn’t have to “fight” an OS
¨ Hosted ¤ Avoid code duplication: need not code a process scheduler,
memory management system – the OS already does that ¤ Can run native processes alongside VMs ¤ Easy management – starting and stopping a VM
¨ A combination ¤ Mostly hosted, but some parts are inside the OS kernel for
performance reasons ¤ E.g., KVM
Running VMS – Solution 1 - Emulate!
¨ Do whatever the CPU does but in software ¨ Fetch the next instruction ¨ Decode – is it an ADD, a XOR, a MOV? ¨ Execute – using the emulated registers and memory
Example: addl %ebx, %eax is emulated as: enum {EAX=0, EBX=1, ECX=2, EDX=3, …}; unsigned long regs[8]; regs[EAX] += regs[EBX];
¨ Pro:
¤ Simple! ¨ Con:
¤ Slooooooooow ¨ Example hypervisor: BOCHS
Solution 2 – Trap & Emulate!
¨ Run the VM directly on the CPU – no emulation! ¨ Most of the code can execute just fine
¤ E.g., addl %ebx, %eax
¨ Some code needs hypervisor intervention int $0x80 movl something, %cr3 I/O
¨ Trap and emulate it! ¤ E.g., if guest runs int $0x80, trap it and execute guest’s
interrupt 0x80 handler
¨ Pro: ¤ Performance!
¨ Cons: ¤ Harder to implement ¤ Need hardware support
n Not all “sensitive” instructions cause a trap when executed in usermode n E.g., POPF, that may be used to clear IF n This instruction does not trap, but value of IF does not change!
¤ This hardware support is called VMX (Intel) or SVM (AMD) ¤ Exists in modern CPUs
¨ Example hypervisor: KVM
Solution 3 - Dynamic (binary) translation!
¨ Take a block of binary VM code that is about to be executed
¨ Translate it on the fly to “safe” code (like JIT – just in time compilation)
¨ Execute the new “safe” code directly on the CPU ¨ Translation rules?
¤ Most code translates identically (e.g., movl %eax, %ebx translates to itself)
¤ “Sensitive” operations are translated into hypercalls n Hypercall – call into the hypervisor to ask for service n Implemented as trapping instructions (unlike POPF) n Similar to syscall – call into the OS to request service
23
How to run a VM? Dynamic (binary) translation! (Contd.,) ¨ Pros:
¤ No hardware support required ¤ Performance – better than emulation
¨ Cons: ¤ Performance – worse than trap and emulate ¤ Hard to implement – hypervisor needs on-the-fly x86-to-
x86 binary compiler
¨ Example hypervisors: VMware, QEMU
Paravirtualization
¨ Does not run unmodified guest OSes ¨ Requires guest OS to “know” it is running on top of
a hypervisor
¨ E.g., instead of doing cli to turn off interrupts, guest OS should do hypercall(DISABLE_INTERRUPTS)
Processor-Level Virtualization
VMware, Virtual Box, QEMU, Rosetta ¨ Translate machine instructions of the guest processor
to run on the host system
¨ Fast translation schemes: binary translation, code caches, adaptive translation, binary-level optimization, link-time optimization
Language-Level Virtualization
¨ Abstract machine integrated into the semantics of a programming language
JVM (Sun Java) ECMA CLI (MS .NET) ¨ Portability, ¨ code size improvements, ¨ original dynamic optimizations ¨ High-productivity features (garbage collection,
distributed components) ¨ Sandbox (robustness, security management, fault-
tolerance)
Process VM
¨ A process VM is a virtual platform that executes an individual process
¨ The virtualizing s/w that implements a process VM is called as ‘runtime software’
¨ The virtualizing s/w is at the ABI level ¨ Not persistent
System VM
¨ Provides a complete persistent system environment ¨ Supports an OS along with its many user processes ¨ The virtualizing s/w that implements a system VM is
called as ‘virtual machine monitor ’ ¨ Provides the guest OS with access to virtual resources
¨ Variety of techniques and approaches available ¨ Critical technology space highlighted
API interface ABI interface
Hardware support for virtualization
o In early 2000 - that hardware support for virtualization was necessary: Intel and AMD started work on the first-generation virtualization extensions of the x86 architecture.
o 2005 Intel released two Pentium 4 models supporting VT-x
o 2006 AMD announced Pacifica and then several Athlon 64 models.
o Software solutions - addressed some of the challenges, but o Hardware solutions - could improve both performance and
security. at the same time, simplify the software systems.
The problems faced by virtualization of the x86 architecture:
n Ring deprivileging - a VMMs forces the guest software, operating system and the applications to run at a privilege level greater than 0.
n Ring aliasing - a guest OS is forced to run at a privilege level other than that it was originally designed for.
n Address space compression - a VMM uses parts of the guest address space to store several system data structures.
n Non-faulting access to privileged state - several store instructions can only be executed at privileged level 0 because they operate on data structures that control the CPU operation. They fail silently when executed at a privilege level other than 0.
n Guest system calls which cause transitions to/from privilege level 0 must be emulated by the VMM.
n Interrupt virtualization - in response to a physical interrupt, the VMM generates a ``virtual interrupt'' and delivers it later to the target guest OS which can mask interrupts.
Virtualization of x86 architecture (cont’d)
32
n Access to hidden state - elements of the system state, e.g., descriptor caches for segment registers, are hidden; there is no mechanism for saving and restoring the hidden components when there is a context switch from one VM to another.
n Ring compression - paging and segmentation protect VMM code from being overwritten by guest OS and applications. Systems running in 64-bit mode can only use paging, but paging does not distinguish between privilege levels 0, 1, and 2, thus the guest OS must run at privilege level 3, the so called (0/3/3) mode. Privilege levels 1 and 2 cannot be used thus, the name ring compression.
n The task-priority register is frequently used by a guest OS; the VMM must protect the access to this register and trap all attempts to access it. This can cause a significant performance degradation.
n Itanium architecture – similar problems
VT-x, a major architectural enhancement
33
n Supports two modes of operations: ¨ VMX root - for VMM operations. ¨ VMX non-root - support a VM.
n The Virtual Machine Control Structure (VMCS) including : host-state and guest-state areas.
¨ VM entry - the processor state is loaded from the guest-state of the VM scheduled to run; then the control is transferred from VMM to the VM.
¨ VM exit - saves the processor state in the guest-state area of the running VM; then it
loads the processor state from the host-state area, finally transfers control to the VMM.
VT-x
¨ VM entry - the processor state is loaded from the guest-state of the VM scheduled to run; then the control is transferred from VMM to the VM.
¨ VM exit - saves the processor state in the guest-state area of the running VM; then it loads the processor state from the host-state area, finally transfers control to the VMM.
VT- x
VMX root VMX non-root
VM entry
VM exit
Virtual-machine control structure
(a) (b)
host-state
guest-state
• Each VM exit operation - saves the reason for the exit and, eventually, some qualifications
in VMCS. • Some of this information is stored as bitmaps.
For example, the exception bitmap specifies which one of 32 possible exceptions caused the exit.
• The I/O bitmap contains one entry for each port in a 16-bit I/O space.
VT-d, a new virtualization architecture
36
n I/O MMU virtualization - gives VMs direct access to peripheral devices.
n VT-d supports: ¨ DMA address remapping, address translation for device DMA transfers. ¨ Interrupt remapping, isolation of device interrupts and VM routing. ¨ I/O device assignment, the devices can be assigned by an
administrator to a VM in any configurations.
¨ Reliability features, it reports and records DMA and interrupt errors that may otherwise corrupt memory and impact VM isolation.
VT-c, a new virtualization architecture
¨ Supports network virtualization.
o Xen - VMM or hypervisor developed by the Computing Laboratory at the University of Cambridge, United Kingdom, in 2003.
o Since 2010 Xen has been free software, developed by the community of users and licensed under the GNU General Public License (GPLv2).
37
Xen - a VMM - Para virtualization
38
n The goal of the Cambridge group - design a VMM capable of scaling to about 100 VMs running standard applications and services without any modifications to the Application Binary Interface (ABI).
n Linux, Minix, NetBSD, FreeBSD, NetWare, and OZONE can operate as paravirtualized Xen guest OS running on x86, x86-64, Itanium, and ARM architectures.
n Xen domain - ensemble of address spaces hosting a guest OS and
¨ Applications running under the guest OS.
Runs on a virtual x86CPU. ¨ Dom0 - dedicated to execution of Xen control functions and privileged instructions. ¨ DomU - a user domain.
n Applications make system calls using hypercalls processed by Xen; n privileged instructions issued by a guest OS are paravirtualized and must be validated by
Xen.
Uses of Virtualization
¨ Server consolidation ¤ Run a web server and a mail server on the same physical
server
¨ Easier development ¤ Develop critical operating system components (file system,
disk driver) without affecting computer stability
¨ QA ¤ Testing a network product (e.g., a firewall) may require tens
of computers ¤ Try testing thoroughly a product at each pre-release
milestone
More information
¨ https://en.wikipedia.org/wiki/Comparison_of_platform_virtualization_software
