Hypervisors and Next Generation

Virtualization

William Strickland, COT4810 Spring 2008

February 7, 2008

Overview

Origins

Details

Typical Usage

Dark Side

Darker Still

In Better Hands

Origins

A hypervisor is also known as a Virtual Machine Monitor (VMM).

It is software that presents emulated hardware to one or more operating systems.

First developed by IBM for servers and mainframes.

Because hardware later became cheap and plentiful, hypervisors fell out of wide use, but they remain the fundamental method of virtualization.

Details: Native Hypervisor

The hypervisor runs directly on the hardware (type 1, or bare metal) and emulates hardware to the operating systems above it. Difficult to implement.

Details: Hosted Hypervisor

Runs as a process under a host operating system (type 2). Easier to implement, but less efficient.

Details: x86 Architecture

Privilege levels (rings) 0 to 3, enforced by the processor.

Operating system kernels run in the most privileged ring (ring 0); applications run in ring 3.

Classic x86 hardware does not support virtualization: a few sensitive instructions (POPF writing the interrupt flag, for example) are not privileged, so executed in a lower ring they silently misbehave instead of trapping to a monitor. That violates the trap-and-emulate requirement of Popek and Goldberg (1974).
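Both halves of this slide can be observed from ring 3. The program below is an added example, not part of the original presentation: it shows that a privileged instruction (HLT) traps when run in user mode, while POPF, which is sensitive but unprivileged, silently refuses to clear the interrupt flag instead of trapping. It assumes x86-64 Linux with GCC or Clang inline assembly and the POSIX signal API; on other architectures both probes return -1 (not applicable).

```c
/*
 * Added example (not part of the original slides). Probes two facts about the
 * classic x86 privilege model from ring 3 (user mode):
 *
 *   1. HLT is privileged: at CPL 3 it raises #GP, delivered by Linux as
 *      SIGSEGV. A hypervisor can intercept such traps and emulate them.
 *   2. POPF is sensitive but unprivileged: at CPL 3 an attempt to clear the
 *      interrupt flag (IF) is silently ignored, and no trap is raised. This is
 *      the Popek-Goldberg violation that defeats pure trap-and-emulate on x86.
 *
 * Assumptions: x86-64, GCC/Clang inline asm, POSIX signals. On any other
 * target both probes return -1.
 *
 * Build: cc -o rings rings.c && ./rings
 */
#define _POSIX_C_SOURCE 200809L
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>

#define X86_EFLAGS_IF 0x200UL   /* interrupt-enable flag, bit 9 of RFLAGS */

#if defined(__x86_64__)
static sigjmp_buf fault_jmp;

static void on_fault(int sig)
{
    (void)sig;
    siglongjmp(fault_jmp, 1);   /* resume in the probe, after the faulting instruction */
}
#endif

/* Returns 1 if HLT at CPL 3 raised a fault, 0 if it executed, -1 if not x86-64. */
int privileged_insn_traps(void)
{
#if defined(__x86_64__)
    struct sigaction sa, old;
    int trapped;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);

    if (sigsetjmp(fault_jmp, 1) == 0) {
        __asm__ volatile("hlt" ::: "memory");   /* privileged: #GP in ring 3 */
        trapped = 0;                             /* not reached on real x86 */
    } else {
        trapped = 1;                             /* handler longjmp'd back here */
    }
    sigaction(SIGSEGV, &old, NULL);
    return trapped;
#else
    return -1;
#endif
}

/*
 * Returns 1 if POPF silently ignored the attempt to clear IF (classic x86
 * behaviour at CPL 3), 0 if IF was actually cleared, -1 if not x86-64.
 */
int popf_ignores_if_clear(void)
{
#if defined(__x86_64__)
    unsigned long before, wanted, after;

    __asm__ volatile("pushfq\n\tpopq %0" : "=r"(before) : : "memory");
    wanted = before & ~X86_EFLAGS_IF;            /* try to disable interrupts */
    __asm__ volatile("pushq %0\n\tpopfq" : : "r"(wanted) : "cc", "memory");
    __asm__ volatile("pushfq\n\tpopq %0" : "=r"(after) : : "memory");

    /* No fault occurred; IF is still set because ring 3 may not change it. */
    return (after & X86_EFLAGS_IF) ? 1 : 0;
#else
    return -1;
#endif
}

int main(void)
{
    printf("HLT in ring 3 trapped (1 = yes):          %d\n", privileged_insn_traps());
    printf("POPF silently kept IF set (1 = yes):      %d\n", popf_ignores_if_clear());
    return 0;
}
```

The second probe is the interesting one: a software VMM running an unmodified guest kernel in ring 1 or 3 never sees that POPF, so it must rewrite the guest's code (binary translation) or rely on the hardware extensions described on the next slide.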

Details: x86 Virtualization

Support traditionally came from layers of software (binary translation of the guest kernel) that catch and emulate privileged instructions.

Recent additions by Intel (VT-x) and AMD (AMD-V, codenamed Pacifica) add a hardware mode beneath ring 0 for the hypervisor, so that sensitive instructions trap as required.

Hypervisor code runs below the operating systems and assumes control of the hardware.

Details: OS Paravirtualization

The operating system to be virtualized is modified to be aware of the hypervisor.

It avoids instructions that would have to be trapped and emulated, calling the hypervisor explicitly instead (hypercalls), which improves performance.

Simplifies hypervisor design and implementation.

Typical Usage

Machine Consolidation - several machines with unrelated functions run on one physical host.

Sandboxing - performing dangerous actions inside a contained environment.

Whole System Mobility - moving a whole running system (OS and applications) between physical hosts.

Dark side: VM rootkit

The whole operating system can be placed under the control of a software entity running beneath it.

Concerns: Cross platform. The guest has no way to breach the VM and reach the rootkit below it.

Limitations: On typical x86 hardware it is hard to move an incumbent (already running) operating system into a VM. The guest can detect that it is running in a VM.

Darker Still: Blue Pill

New hardware support for hypervisors allows a machine to be subverted much more easily.

Concerns: Acts as a stealthier rootkit. The hypervisor is invisible to the rest of the system.

Limitations: Limited targets (requires a processor with hardware virtualization support). Can probably be detected.
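The VM rootkit slide ("Can detect if running in VM") and this one ("Can be detected, probably") both turn on in-guest detection. The program below is an added example, not from the original presentation: it shows the simplest cooperative check, the CPUID hypervisor-present bit and the vendor signature leaf. It assumes GCC or Clang's <cpuid.h> on x86/x86-64; the decoding functions are pure C and run anywhere. The register contents are whatever the hypervisor chooses to report, so a hypervisor that hides, as Blue Pill does, will not appear here; detecting a hiding hypervisor needs side channels such as CPUID trap latency, which this example does not attempt.

```c
/*
 * Added example (not part of the original slides). Cooperative hypervisor
 * detection from inside a guest via CPUID:
 *
 *   - CPUID leaf 1, ECX bit 31 is the "hypervisor present" bit, set by
 *     cooperating hypervisors (KVM, Xen, VMware, Hyper-V, ...).
 *   - CPUID leaf 0x40000000 returns a 12-byte vendor signature in EBX:ECX:EDX,
 *     e.g. "KVMKVMKVM\0\0\0" or "XenVMMXenVMM".
 *
 * Caveat: a clean result proves nothing against a hostile hypervisor that
 * simply declines to set the bit.
 *
 * Assumptions: GCC/Clang <cpuid.h> on x86 or x86-64 for the live probe;
 * the decoders are portable C.
 *
 * Build: cc -o hvdetect hvdetect.c && ./hvdetect
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#define HAVE_CPUID 1
#else
#define HAVE_CPUID 0
#endif

#define CPUID_LEAF_FEATURES   0x00000001u
#define CPUID_LEAF_HV_VENDOR  0x40000000u
#define CPUID_ECX_HYPERVISOR  (1u << 31)

/* Decode leaf 1 ECX: 1 if the hypervisor-present bit is set, else 0. */
int hypervisor_bit_set(uint32_t ecx)
{
    return (ecx & CPUID_ECX_HYPERVISOR) ? 1 : 0;
}

/*
 * Decode the leaf 0x40000000 signature: 12 bytes stored little-endian in
 * EBX, then ECX, then EDX. `out` must hold 13 bytes and is NUL-terminated;
 * vendors such as KVM pad with NULs, so use strlen() rather than assuming 12.
 */
void hypervisor_vendor_string(uint32_t ebx, uint32_t ecx, uint32_t edx, char out[13])
{
    uint32_t regs[3] = { ebx, ecx, edx };
    for (int i = 0; i < 3; i++) {
        out[i * 4 + 0] = (char)(regs[i] & 0xff);
        out[i * 4 + 1] = (char)((regs[i] >> 8) & 0xff);
        out[i * 4 + 2] = (char)((regs[i] >> 16) & 0xff);
        out[i * 4 + 3] = (char)((regs[i] >> 24) & 0xff);
    }
    out[12] = '\0';
}

/* Convenience for checks: 1 if the decoded signature equals `expected`. */
int vendor_matches(uint32_t ebx, uint32_t ecx, uint32_t edx, const char *expected)
{
    char buf[13];
    hypervisor_vendor_string(ebx, ecx, edx, buf);
    return strcmp(buf, expected) == 0;
}

/*
 * Live probe. Returns 1 if a hypervisor advertises itself (signature copied
 * into `vendor`), 0 if not, -1 if CPUID is unavailable on this build target.
 */
int probe_hypervisor(char vendor[13])
{
    vendor[0] = '\0';
#if HAVE_CPUID
    unsigned int a, b, c, d;
    if (!__get_cpuid(CPUID_LEAF_FEATURES, &a, &b, &c, &d))
        return -1;
    if (!hypervisor_bit_set(c))
        return 0;
    /* __get_cpuid() rejects leaves above the basic maximum, so use __cpuid directly. */
    __cpuid(CPUID_LEAF_HV_VENDOR, a, b, c, d);
    hypervisor_vendor_string(b, c, d, vendor);
    return 1;
#else
    return -1;
#endif
}

int main(void)
{
    char vendor[13];
    int r = probe_hypervisor(vendor);
    if (r < 0)
        puts("CPUID not available on this target");
    else if (r == 0)
        puts("no hypervisor advertised via CPUID (says nothing about a hiding one)");
    else
        printf("hypervisor advertised: \"%s\"\n", vendor);
    return 0;
}
```

The test vectors in the checks are constructed register values for the KVM and Xen signatures, not captured from a machine.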

Typical Rootkit (sequence of diagram slides; figures not in the transcript)

Hypervisor Rootkit (sequence of diagram slides; figures not in the transcript)

In Better Hands

Enforce kernel protection; stop kernel hooking.

Prevent rootkits, including hypervisor-based ones, by keeping the hypervisor layer under trusted control.

Better security implementations, allowing more isolation of critical systems.

References

"Blue Pill." Security Now! podcast, grc.com, 24 August 2006 (accessed 27 August 2006). <https://www.grc.com/securitynow.htm>.

Dorman, Andy. "Intel VT vs. AMD Pacifica." IT Architect, Nov 2005: 51-57.

Greene, Jay. "Microsoft Revives Virtualization Push." Business Week Online, 23 Jan 2008: 28.

Marshall, David, Wade A. Reynolds, and Dave McCrory. Advanced Server Virtualization. Boca Raton, FL: Auerbach Publications, 2006.

Popek, Gerald J., and Robert P. Goldberg. "Formal Requirements for Virtualizable Third Generation Architectures." Communications of the ACM 17.7 (1974): 412-421.

Rosenblum, Mendel, and Tal Garfinkel. "Virtual Machine Monitors: Current Technology and Future Trends." Computer 38.5 (2005): 39-47.

Vaas, Lisa. "Blue Pill at Black Hat." eWeek, 13 June 2007: 10.

Whitaker, Andrew, et al. "Rethinking the Design of Virtual Machine Monitors." Computer 38.5 (2005): 57-62.

Questions

At what ring does the kernel of a 32-bit x86 operating system run?

True or false: paravirtualization can improve the performance of an unmodified operating system?
