Virtual machines
Upcoming SlideShare
Loading in...5
×

Like this? Share it with your network

Share
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
    Be the first to like this
No Downloads

Views

Total Views
1,049
On Slideshare
1,049
From Embeds
0
Number of Embeds
0

Actions

Shares
Downloads
10
Comments
0
Likes
0

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide

Transcript

  • 1. Virtual machines The State of the Art Bachelor Thesis for Computer Science Erik van der Kouwe Student number 1397273 E-mail: erik@erisma.nl Vrije Universiteit Amsterdam Faculteit Exacte Wetenschappen Afdeling Wiskunde en Informatica Supervised by Andrew S. Tanenbaum 30 July 2006
  • 2. Virtual machines – the state of the art – 30 July 2006 allowed, since the hardware is shared with guest Abstract operating systems running on other virtual machines. A program called virtual machine monitor (VMM) Virtual machine monitors partition a single physical or hypervisor is needed to make sure all resources machine into multiple virtual ones. This can be are shared properly. useful for several important applications, such as running multiple isolated servers on a single The role of a VMM dividing resources between machine, testing and debugging software, using operating systems differs from that of a kernel possibly malicious software and building honeypots. dividing resources between applications. The main difference is that the latter typically provides an The widely used IA-32 architecture does not abstraction of physical devices, while the former natively support virtualisation. We compare several does not change the abstraction level [16]. The state-of-the-art methods used to circumvent this VMM should present a faithful low-level interface to problem. Our comparison includes dynamic binary virtualised hardware. translation, paravirtualisation, previrtualisation, operating system level partitioning, application The VMM itself may have full hardware access, but virtual machines and the it can also can be a recent “Virtual Machine normal application Extensions” added to running on an operating IA-32 by Intel. Our system. In this case the App App App App criteria for this operating system on comparison include which the VMM runs is performance, Guest OS Guest OS called the host operating robustness, relationship system. This situation is Virtual hardware Virtual hardware shown in figure 1. with the host operating system and portability. Virtual machine 1 Virtual machine 2 We use the results of the Why are virtual Virtual machine monitor comparison to determine machines useful? which techniques are Host operating system Virtual machines have most suitable for which many practical uses in applications. We find Hardware many different kinds of that the new hardware Physical machine environments. virtualisation support looks very promising for Figure 1: A computer running two virtual machines Servers many applications, but may not completely replace other methods. One can use virtual machines to run multiple isolated virtual servers on a single physical server. This allows hardware to be used more efficiently 1 Introduction and decreases hardware costs. For an internet hosting company this can be used to allow customers full access to a virtual server without What is a virtual machine? endangering other servers on the same physical Virtualisation is a technique which allows one to machine. partition a computer system in multiple completely Another advantage of using virtual servers is the fact separate systems. Each of these provides a software that they can easily be moved to other computers. environment which is very similar to that of a Typically the interface to the virtualised hardware complete computer. Such an environment is called a does not depend on the actual hardware, so the guest virtual machine (VM). operating system does not even notice the move. One will typically want to install an operating This can be used to minimise downtime after system on a virtual machine to be able to run restoring a backup to different hardware. applications. This guest operating system assumes that it has complete control of the computer, and it Software development will attempt to access it's hardware. This cannot be Virtual machines have their uses in software 2
  • 3. Virtual machines – the state of the art – 30 July 2006 development as well. They provide a way to switch discusses advantages and disadvantages of full between different (versions of) operating systems system virtualisation and paravirtualisation. easily and quickly. This is very useful for testing and In-depth articles comparing virtual machines are debugging software on multiple platforms. typically limited to a single technique. An example VMMs may also allow the user to make snapshots of is Gaugh [5], who compares the Java Virtual virtual machines. This means one can test something Machine and .NET, which are both application and revert the machine to it's original state virtual machines. Ars Technica [2] compares two afterwards. This is again very useful for testing and major dynamic binary translation VMMs, but debugging. considers only performance and ease of use. Yet another application for development is to debug A large comparison table of virtualisation software low-level software, such as kernels. A VMM could is found on Wikipedia [21]. This table provides a provide a kernel debugger with much information simple overview over the basic characteristics of about what is going on. It also makes recovery from many virtualisation programs. The comparison crashes easier, since one can simply use a previous focusses more on software than on techniques and snapshot. more on features than on applications. Note that, at the moment of writing, this article is considered to Untrusted software be in need of expert attention and clean-up. Another application which is especially useful nowadays is the ability to run untrusted software in 3 Theoretical background an environment where it can do no damage. Examples are running potential malware downloaded from the Internet and opening Popek and Goldberg suspicious e-mail attachments. If the VMM is secure Popek and Goldberg [13] investigated sufficient enough, there is no way for malware and viruses to conditions which allow a computer architecture to infect the physical machine or other virtual support virtual machines. They defined a virtual machines. machine as “an efficient, isolated duplicate of the real machine”. Although their research was Honeypots motivated by the question why IBM 360/67 could Finally virtual machines provide an easy way to support virtual machines while DEC PDP-10 could build secure “honeypots”. These are unprotected not, their criterion still applies to modern machines which are connected to the Internet. The architectures. purpose is to get information about new methods to Central to Popek and Goldberg's theorem is the exploit flaws in operating systems and applications. distinction between supervisor and user modes. The By using virtual honeypots, these exploits are less supervisor mode allows complete access to the likely to do damage to the system inself. This may machine and is typically used by operating system make investigation and recovery easier. They also kernels and VMMs, while the user mode is more allow having multiple honeypots with different limited and is typically used by applications. They (versions of) operating systems running further define a trap operation, which places the simultaneously. processor in a stored state (typically the supervisor mode) while saving the current state. 2 Related work Popek and Goldberg consider some properties that There are several papers comparing different individual instructions can have: virtualisation techniques. Kiyanclar [10] compares ● A privileged instruction performs a trap several virtualisation programs to select the one operation in user mode, but does not trap in which is most suitable for secure on-demand cluster supervisor mode; computing. His criteria are similar to ours. Nanda and Chiueh [12] discuss some implementation ● A control sensitive instruction can change details for a large number of VMMs. Both focus the operating mode or virtual memory more on specific implementations than on mappings; characteristics inherent to techniques. Rose [15] ● A behaviour sensitive instruction executes in 3
  • 4. Virtual machines – the state of the art – 30 July 2006 different ways depending on operating mode We will also discuss two approaches which are or virtual memory mappings; highly similar to virtual machines and provide the same advantages, but which are not virtual machines ● A sensitive instruction is control sensitive according to the definition we presented before. and/or behaviour sensitive. Recently Intel has added true virtualisation support Having defined these terms, we can state the to their newest IA-32 chips by including an theorem: “A virtual machine monitor may be extension instruction set called “Virtual Machine constructed if the set of sensitive instructions for the Extensions”. We will discuss this technology as computer is a subset of the set of privileged well. instructions”. The virtual machine is constructed by letting the VMM operate in supervisor mode and the virtual machine in user mode. This way the monitor 4 How to compare can emulate sensitive instructions, since it is notified by a trap operation. Non-sensitive instructions can Before one can meaningfully compare virtual safely be executed directly. machine techniques, one has to determine which criteria to use to distinguish the methods. We will use several characteristics to do this, each of which Virtualisability of IA-32 may or may not be relevant depending on the reason The IA-32 architecture is very widely used in we use virtual machines. personal computers and servers which run Windows, Linux or, more recently, Mac OS. It evolved from Performance (and is still compatible with) the instruction set architectures used by the 8086 and it's successors One important criterion is performance. Good and is therefore also commonly known as x86. The performance is desirable for each of the applications Pentium D and Core Duo chips from Intel and we mentioned, and essential for some of them. Opteron and Athlon 64 X2 from AMD are examples From the applications we discussed, performance is of modern implementations of IA-32. most important in case virtual machines are used for IA-32 defines four security rings numbered 0 isolated server consolidation. The more efficient the through 3. Ring 0 can be considered the supervisor VMM is, the more virtual servers can be run on a mode, while the other rings correspond with the user single physical server. This means that solutions mode. The architecture defines privileged which perform better require fewer servers. instructions which, when executed in user mode, When used for debugging, a VMM which performs trap by calling an interrupt handler in ring 0. Virtual well is pleasant, but not essential. The same goes memory is implemented through segmentation and when virtual machines are applied to isolate paging. Segments are identified by 16-bit segment untrusted programs or to secure honeypots. selectors which contain the number of the least privileged ring allowed to access them. The Note that we will focus on techniques rather than on operating system's perspective of IA-32 is described their implementations. As such, our aim is not to at length in [7]. compare benchmark results. Instead we will look at the performance potentials inherent to the methods Robin and Irvine [14] have investigated the IA-32 we evaluate. architecture and have found many instructions that are sensitive, but not privileged. An example is the “PUSH CS” instruction, which pushes onto the stack Robustness the selector for the segment containing the currently Virtual machines should provide absolute isolation executing code. Since this segment selector contains and, as such, perfect security. The only means for the number of the current security ring, this communication between virtual machines should be instruction is behaviour sensitive. the virtual network connection. Unfortunately, The lack of native virtual machine support has lead perfection is hard to come by. Both the VMM and to the use of many different techniques on the IA-32 the host kernel are pieces of software and, as such, platform. The approaches we mention are applicable we can expect them to contain bugs. We will to other architectures, but we will focus on IA-32. therefore evaluate the robustness of the security in the presence of bugs. We will find that in some cases 4
  • 5. Virtual machines – the state of the art – 30 July 2006 the VMM can increase robustness, while in others VMM. the isolation entirely depends on the ability of the For honeypots the relationship with the operating kernel to isolate applications. system is not very important. Secure isolation is the core feature when virtual machines are applied to isolate untrusted programs Portability to multiple guests or to secure honeypots. It is also of utmost importance when used for server consolidation, Being able to support many different guest operating since a breach of security would mean down-time. In systems without additional effort is important when each of these cases we can expect malicious virtual machines are used for debugging attempts to break security. applications. A developer typically wants to test not only on multiple operating systems, but also on For debugging purposes we rely less on the different versions of the same operating system. The robustness of VMMs. Although crashes of the same goes for honeypots, since different versions virtual machine are possible and should not effect may have different vulnerabilities. the physical machine, we do not expect any malice. When virtual machines are used for server consolidation or running untrusted applications, it is Relationship with host operating system sufficient that one recent version of each needed A VMM can have different kinds of relationships operating system is supported. with the host operating system. It may be an unprivileged application, but it may also be require cooperation from inside the kernel. A third 5 Techniques in use possibility is that no host operating system is present. In this case one could say the VMM itself Dynamic Binary Translation acts as a minimal operating system. Dynamic binary translation can be seen as an When used for debugging purposes, it is desirable advanced way to do emulation. In case of pure that the VMM can run as an emulation, the host software application. This avoids restarting implements the instructions that and allows one to run other are available on the CPU. This applications besides the VMM allows it to interpret the Find in cache while debugging. It is preferable instructions supplied by the guest. block starting at that kernel cooperation is not instruction pointer As such, emulation is the most required, because one would obvious approach to build virtual typically want to avoid installing Found Not found machines on hardware platforms kernel-mode drivers since these that have no native support for may make the operating system Translate code them. Bochs is an example of a less stable. Another problem is until next branch program which emulates IA-32 that installing such a driver is and add to cache CPUs. normally only allowed for the root user. The same reasoning goes Unfortunately pure emulation when virtual machines are used provides very poor performance, for running untrusted applications. Execute since executing a single guest Note that need for kernel support translated block instruction typically takes many is not a problem if the feature is directly instructions on the host machine. integrated in the kernel by default. End of block This lack of efficiency means that or interrupt an emulated machine does not For servers it is preferred that the satisfy the Popek and Goldberg VMM run directly on the Handle interrupt and update definition for a virtual machine. machine, without a host operating As such, we will not consider system present. This reduces instruction pointer emulation separately. overhead and may be more stable. It does require that the server Dynamic binary translation hardware is supported by the Figure 2: Dynamic binary translation overcomes the performance 5
  • 6. Virtual machines – the state of the art – 30 July 2006 limitations of emulation by translating the have the most important impact on performance. instruction stream to host instructions which can be Benchmarks show [2] that a highly optimised binary executed natively. In this step sensitive instructions translation VMM such as VMWare Workstation can are replaced with calls to the VMM. The translated reach good speeds, but worse results should be instruction stream can be cached. Because of this, expected in branch-intensive or self-modifying code. only a small part of the time is spent on translation. The host kernel should ensure that the guest code is The main loop of a dynamic binary translation executed in a user mode ring, typically ring 3. All of VMM is shown in figure 2. this code is generated by the VMM. This provides Ung and Cifuentes [18] provide details on how one the additional guarantee that the guest cannot can implement binary translation. attempt to call the host kernel directly. This results in double protection, making it unlikely that a single Translation can be more efficient if the host has the bug in either the kernel or the VMM compromises same architecture as the guest, and many of the the isolation. As such, dynamic binary translation available dynamic binary translation VMMs only can be very robust. support running IA-32 guests on IA-32 hosts. Our examples show that binary translation VMMs Dynamic binary translation is widely used. Market can be highly portable. In principle, the guest leader VMWare created several VMMs which are operating system does not matter at all, as long as based on this technique: VMWare Workstation runs the VMM faithfully implements all hardware as an application on Windows and Linux and interfaces it requires. VMWare ESX server runs without an operating system. The architecture of the virtualisation A binary translation VMM can run either as an software is described in [20]. For the server version, unprivileged application within an operating system this software runs on a proprietary microkernel or with full control without operating system. We operating system [19]. have seen examples of both. Another example of a VMM which uses dynamic binary translation is QEMU. This program provides Paravirtualisation more insight in the implementation of this technique, The approach we described before tries to mimic the since it is open source. It's author describes the environment in which the operating system is internals in [4]. QEMU translates CPU instructions running on a real machine. For this reason it is also to C code, which is compiled using the GCC called full system virtualisation. More efficient compiler. This results in very good portability, since virtualisation may be possible if the VMM GCC has been ported to many platforms. Translation cooperates with the guest operating system. This happens in blocks ending at the next potential jump approach is called paravirtualisation. or important change in CPU state (such as changing mode of operation). These blocks are stored in a Xen is an example of a virtual machine monitor cache. Pages containing translated code are marked which uses paravirtualisation. It requires that guest write-only, and by handling the resulting protection operating systems be changed to make their kernel faults QEMU can invalidate the run in ring 1 instead of ring 0. The cache when code changes. ported kernel uses “hypercalls” to replace sensitive instructions. This Other examples of virtualisation is done by placing parameters in products which use dynamic Execute code registers and then calling an binary translation include directly interrupt handler. Xen itself runs Microsoft VirtualPC and in ring 0. The approach is shown VirtualServer, Parallels Interrupt in figure 3. Workstation and Serenity Virtual Station. Xen's creators ported Windows Handle interrupt XP, Linux and BSD to run on Xen With dynamic binary translation (may be hypercall) [3], although Windows is not much of the code is translated publicly available. Minix for Xen only once and can be executed is also available, and the natively. We therefore expect the document [9] describing the chaining of translated blocks to Figure 3: Paravirtualisation 6
  • 7. Virtual machines – the state of the art – 30 July 2006 porting process shows how a simple microkernel hypercall interface is sufficiently similar to the operating system can be ported to Xen. interface sensitive instructions provide to the CPU, Another example of paravirtualisation is User Mode We are not aware of current real-world usage of Linux. This is a modified version of the Linux previrtualisation. The University of Karlsruhe is kernel which is capable of running as a user-mode currently developing experimental VMMs which application inside Linux. apply previrtualisation. Marzipan runs without an operating system and is based on the L4Ka Pistachio Paravirtualisation can be expected to be very fast, microkernel developed at the same university. It is since all code can be executed without runtime used for research. BurnNT runs as an application on translation. The only overhead is having to use Windows XP. This program is currently in an early hypercalls instead of accessing hardware directly. stage of development, being able to start the Linux This may affect the performance slightly, but this is kernel, but not supporting user applications running unavoidable since direct hardware access is on it yet. unacceptable in a virtual machine. Previrtualisation is very similar to paravirtualisation, With paravirtualisation, code is not translated. This but some differences in characteristics can be means that we must be careful not to allow it any expected. access to the physical machine. Since all of this code runs in user mode, the only way out should be The restriction that the hypercall interface be similar calling the host kernel (at least, if the host kernel to the interface provided by the CPU may result in properly sets up permissions). This should be lower performance than paravirtualisation, where for prevented, as it might allow virtual machines more example multiple actions may be merged in a single access than they are entitled to. hypercall. Performance can therefore be expected to be slightly worse than for paravirtualisation. If direct access to the host kernel is prevented, then Because code is not translated at runtime, a the security of a paravirtualising VMM relies on the significant performance benefit over binary ability of the host operating system to securely translation can still be expected. isolate applications. If no host operating system is installed, such protection should be provided by the Portability is significantly better than for kernel included in the VMM. In both cases the paravirtualisation, since it should be possible to port robustness can be expected to be at the same level as open source guest operating systems with little the protection between applications delivered by the effort. Closed-source operating systems still require host operating system. Paravirtualisation lacks the that owner of the operating system cooperate with double security provided by binary translation. the porting effort. For the relationship with the host operating system, we have seen that a paravirtualisation VMM can run Operating system level partitioning directly on the system (like Xen) or as an We will discuss operating system level partitioning unprivileged application inside a host operating only briefly, as it is not really a virtualisation system (like User Mode Linux). technique as defined by Popek and Goldberg. It is With paravirtualisation, each guest operating system still an interesting technique because it is much more has to be ported specifically. This takes some effort light-weight than the solutions discussed before. and can only be done if the source code is available. In case of partitioning, virtualisation support is A closed-source operating system can only be used provided by the operating system. The applications if it's owner ports it. Hence portability is rather bad running on the operating system are partitioned in for paravirtualisation. several isolated groups. The implementation for system calls make sure that these groups cannot Previrtualisation interact in ways different than interaction between separate machines. This means that they do not share LeVasseur et al. [11] suggest a modified version of the same filesystem and that one who has root access paravirtualisation, which they call previrtualisation. to a single partition may not have this privilege for In this case sensitive instructions are replaced by the other partitions or the machine itself. Kamp and compiler, drastically reducing the effort needed to Watson [8] describe partitioning as implemented by perform the port. This can only be done if the 7
  • 8. Virtual machines – the state of the art – 30 July 2006 FreeBSD, where the feature is called “jails”. practice both use just in time compilation on common operating systems running on IA-32. On Solaris 10 implements this feature and names it other platforms only emulation may be available. “Zones”. Partitioning on Solaris is highly configurable, allowing partitions to share some read- Because for application virtual machines the only directories to avoid duplication of data. instruction set architecture is designed with OpenVZ and Linux V-Server are patches for the virtualisation in mind, one can expect performance Linux kernel which allow one to use partitioning on which is better than dynamic translation. Linux. An application virtual machine can be very robust. Performance for partitioning is very good. Both The instruction set architecture is normally designed applications and the kernel are executed natively and with security in mind. We also have the same kind hypercalls are not needed. The approach is very of double security that we had in case of dynamic lightweight because there is no need (and indeed, no binary translation: we know that all code passes possibility) to run multiple operating systems. through a translator, so no code goes through Overhead is limited to some extra security checks in unchecked. the implementations for system calls. Application virtual machines do not typically offer The approach is as robust as the kernel itself, since the level of isolation that normal virtual machines no separate VMM is used. do. Still the VMM is in complete control of all interaction between the application and the operating The relationship with the operating system is system and it can selectively block or alter inherently that the VMM is part of the kernel. interaction with the system, if so configured by the Portability of the partitioning solution is bad, since user. This may be even more useful than total different partitions are all running the same isolation in some situations. operating system as the host. The relationship with the operating system is inherently that of an unprivileged application. Application virtual machine An application virtual machine can only run guests Yet another virtualisation approach which is using the specially defined instruction set. This interesting despite not satisfying the Popek and means that portability is very bad. Goldberg definition is the use of application virtual It deserves mention that application virtual machines machines. such as Java have very good host portability. One An application virtual machine does not duplicate a can execute an application on different operating real machine, but instead exposes an instruction set systems and architectures without recompilation as architecture especially designed for virtualisation. long as one has the proper version of the VMM. Such an instruction set is designed for running Note, however, that for our comparison we are only applications, not operating systems. A simple VMM looking at the ease of supporting different guest is in between the guest application and the host platforms, not supporting different host platforms. operating system. This VMM typically compiles the guest instructions and the caches the result. This is Hardware supported similar to dynamic binary translation, but in this case the job is simplified by a good choice of virtual Recently Intel has introduced instruction set instruction set architecture. This allows compiling extensions which allow hardware supported virtual larger chunks of code at once and is typically called machines. This new technology is called Virtual “just in time compilation” in this context. Machine Extensions (VMX). An overview of this technology is presented by Uhlig et al [17] and Gough [5] discusses application virtual machines complete documentation can be found in [7]. and describes and compares two important examples: the Java Virtual Machine and Microsoft Intel introduces a distinction between VMX root and .NET. Both use an instruction set which is stack non-root modes. When the CPU runs in root mode, it based and inherently object oriented. The main can set up an environment for the non-root mode and difference between the two is that Java is more switch. When it runs in non-root mode, sensitive oriented towards emulation, while .NET was instructions which do not trap and interrupts will designed with just in time compilation in mind. In cause a VM exit. This saves the complete CPU state 8
  • 9. Virtual machines – the state of the art – 30 July 2006 and restores the root mode that kernel-mode support is situation. It is possible for the root needed to be able to use them. to prevent certain instructions Portability between guest from causing a VM exit for Set CPU operating systems is very good. performance reasons. to non-root mode Like for dynamic binary Both modes are just like the translation, it does not really original situation, including four matter what code executes on the security rings. In effect the new Virtual Machine. Unlike binary chips therefore have 8 different Execute code translation, porting in such a way security rings. This allows a guest directly that guests can run on a different operating system running in non- architecture is not possible. root mode to use ring 0, while the VM exit VMM stays in control. Therefore these operating systems can run 6 Results entirely without modification. Handle We have evaluated several Figure 4 shows this approach. cause of VM exit techniques which are used to Now we can consider ring 0 of the implement current VMM VMX root mode to be supervisor software. We can now link these mode, the VMX non-root mode to Figure 4: Hardware supported techniques to the applications for be user mode, and a VM exit to be which they are most suitable. a trap. We see that the VMX extensions eliminate Table 1 (next page) links possible applications to the exactly the problem that made IA-32 not satisfy the criteria we used to evaluate the different techniques. conditions for the Popek and Goldberg theorem. This table summarises chapter 4. Table 2 links Ring 1 through 3 of the VMX root mode still do not techniques to criteria, summarising chapter 5. satisfy these conditions, but they now can be avoided in the VMM. Servers AMD has announced that it will introduce similar technology called Secure Virtual Machine For servers four of the six techniques we considered Architecture. This extension is documented in [1]. are likely to be useful. To our knowledge no processors with this When the virtual servers only need a single instruction set have been released yet. operating system, and this operating system supports The performance of hardware supported partitioning, this is likely to be the most suitable virtualisation depends heavily on the implementation solution because of it's speed. In this case of the chip. It is likely that performance is better virtualisation comes for free, performance-wise. than for binary translation, but for paravirtualisation Paravirtualisation or previrtualisation can be very it is hard to tell. This depends on which is more useful for operating systems that do not support expensive: a hypercall or a VM exit. The state data partitioning. It is also useful if one wants to run which needs to be updated on a VM exit is stored in multiple guest operating systems. The speed a 4096-byte block of data, so more memory needs to provided is still very good. We currently do not be updated than for a hypercall. It is not unthinkable, know any real-world IA-32 implementations of however, that the implementation highly optimises previrtualisation. When these are available, this specific case. benchmarks would be needed to determine if A VMM which uses the hardware solution is likely paravirtualisation really does provide a speed to be very simple, and as such likely to be robust. advantage over previrtualisation. If it does not, Security would only be compromised if a bug causes previrtualisation is preferred since it allows easier guest code to execute in root mode. Such a severe porting for new versions of operating systems. bug should be relatively unlikely in a simple, well- In some cases the previously described solutions tested VMM. As such, we consider hardware cannot be applied. One example is if one needs to virtualisation to be very robust. run a virtual Windows server. This operating system VMX instructions trap outside of ring 0. This means does not support partitioning and a paravirtualised or 9
  • 10. Virtual machines – the state of the art – 30 July 2006 Cooperation Performance Robustness Portability with host OS Server Important Important No OS Preferred Debugging Preferred Preferred Application Important Untrusted applications Preferred Important Application Preferred Honeypot Preferred Important Any Important Table 1: Applications linked with criteria Cooperation Performance Robustness Portability with host OS Binary translation Moderate Extra Any Very good Paravirtualisation Very good Like OS Any Bad Previrtualisation Good Like OS Any Moderate OS-level partitioning Very good Like OS Kernel Bad Application VM Good Extra Application Bad Hardware supported Depends Extra Kernel / no OS Good Table 2: Techniques linked with criteria previrtualised version is not publicly available. In choice. They allow people to run these applications this case hardware supported virtualisation is likely without fearing they will corrupt their system. This to be the best choice. requires users to have the runtime for the application virtual machine installed. This is typically more If hardware supported virtualisation is turns out to likely than people having complete VMMs installed. be sufficiently fast, then it might be the best solution Application virtual machines are typically easier to in many cases. This is because the robustness is use than full system virtual machines, since to the likely to be higher than for the other cases. user they appear no different than native applications. Software development Note that using application virtual machines to For debugging, binary translation and hardware protect the computer requires that the environment supported virtualisation are preferred because of be set up to sufficiently protect the computer against their portability. the guest application. If the host operating system makes hardware virtualisation available to applications, then Honeypots hardware supported virtualisation would probably be For honeypots, binary translation and hardware the best choice. It is likely to be faster than binary supported virtualisation are both good choices. Both translation. If it is not available, binary translation is of these are secure and portable. preferred, because it can be used from unprivileged applications. If one wishes to test guests which use multiple architectures, then dynamic binary translation would be more useful than hardware supported Untrusted applications virtualisation. When using untrusted applications, each of the technologies we mentioned can be used. Ease of use is probably the most important consideration here. 7 Conclusion For partitioning or hardware support this makes it Originally the IA-32 architecture was designed desirable that the functionality is part of the kernel without virtualisation in mind. Currently, many by default, rather than having to recompile the different approaches are used to circumvent this kernel or ask a root user to install kernel-mode problem. Recently native support for virtual drivers. machines has been added to this architecture. For one distributing applications that people may not However, the techniques previously used are still trust, application virtual machines can be a good being actively developed. Currently even new 10
  • 11. Virtual machines – the state of the art – 30 July 2006 techniques, such as previrtualisation, are being [10] N. Kiyanclar. A Survey of Virtualization Techniques researched and look promising. Focusing on Secure On-Demand Cluster Computing, ACM Computing Research Repository, Technical We found that the new hardware support is likely to Report cs.OS/0511010, November 2, 2005 be very useful, but that it may not replace other http://www.projects.ncassr.org/cluster- techniques completely. Each of the techniques we sec/papers/kiyanclarCorr05-virtualization.pdf discussed has advantages for specific areas of [11] J. LeVasseur, V. Uhlig, M. Chapma, P. Chubb, B. application. Therefore, selecting the proper approach Leslie and G. Heiser. Pre-Virtualization: Slashing can be hard as many factors should be considered. the Cost of Virtualization, Technical Report PA005520, National ICT Australia, October 2005, http://nicta.com.au/uploads/documents/PA005520_ 8 References NICTA1.pdf [1] AMD, AMD64 Architecture Programmer’s Manual [12] S. Nanda and T. Chiueh. A Survey on Virtualization Technologies, Technical report TR-179, Department Volume 2: System Programming, Publication 24593, Revision 3.11, December 2005, of Computer Science, State University of New York, February 2005, http://www.amd.com/us- en/assets/content_type/white_papers_and_tech_docs http://www.ecsl.cs.sunysb.edu/tr/TR179.pdf /24593.pdf [13] G. J. Popek and R. P. Goldberg. Formal [2] A. Baratz. Virtual machine shootout: VMware vs. Requirements for Virtualizable Third Generation Architectures, Communications of the ACM, ACM Virtual PC, Ars Technica, August 8, 2004, http://arstechnica.com/reviews/apps/vm.ars Press, New York, NY, USA, Volume 17, Issue 7, July 1974, pp. 412-421 [3] P. Barham, B. Dragovic, K. Fraser, S. Hand, T. Harris, A. Ho, R. Neugebauery, I. Pratt and A. [14] J. S. Robin and C. E. Irvine. Analysis of the Intel Pentium's ability to support a secure virtual machine Warfield. Xen and the Art of Virtualization, Proceedings of the nineteenth ACM symposium on monitor, Proceedings of the 9th USENIX Security Symposium, August 2000, pp. 129-144 Operating systems principles, ACM Press, New York, NY, USA, 2003, pp. 164-177 [15] R. Rose, Survey of System Virtualization Techniques, March 8, 2004, [4] Fabrice Bellard. QEMU, A Fast and Portable Dynamic Translator, Proceedings of the USENIX http://www.robertwrose.com/vita/rose- virtualization.pdf 2005 Annual Technical Conference, FREENIX Track, April 2005, pp. 41-46 [16] J. E. Smith and R. Nair. The architecture of virtual machines, Computer, IEEE Computer Society Press, [5] K. J. Gough. Stacking them up: a comparison of virtual machines, Proceedings of the 6th Los Alamitos, CA, USA, Volume 38, Issue 5, May 2005, pp. 32-38 Australasian conference on Computer systems architecture, IEEE Computer Society, Washington, [17] R. Uhlig, G. Neiger, D. Rodgers, A. L. Santoni, F. DC, USA, 2001, pp. 55-61 C. M. Martins, A. V. Anderson, S. M. Bennett, A. [6] Intel Corporation. IA-32 Intel Architecture Software Kagi, F. H. Leung and L. Smith. Intel Virtualization Technology, Computer, IEEE Computer Society Developer's Manual, Volume 3A: System Programming Guide, Order number 253668-019, Press, Los Alamitos, CA, USA, Volume 38, Issue 5, May 2005, pp. 48-56 March 2006, ftp://download.intel.com/design/Pentium4/manuals/ [18] D. Ung and C. Cifuentes. Machine-adaptable 25366819.pdf dynamic binary translation, ACM SIGPLAN Notices [7] Intel Corporation. Intel Virtualization Technology archive, ACM Press New York, NY, USA, Volume 35, Issue 7, July 2000, pp. 41-51 Specification for the IA-32 Intel Architecture, C97063-002, April 2005, [19] VMWare Inc. ESX Server 2 Security White Paper, ftp://download.intel.com/design/Pentium4/manuals/ 2004, 25366819.pdf http://www.vmware.com/pdf/esx2_security.pdf [8] P. H. Kamp and R. N. M. Watson. Jails: Confining [20] VMWare Inc. Virtualization Architectural the omnipotent root, Proceedings of the 2nd Considerations and other evaluation criteria, 2005, International System Administration and http://www.vmware.com/pdf/virtualization_consider Networking Conference, 2000, ations.pdf http://www.nluug.nl/events/sane2000/papers/kamp.p [21] Wikipedia contributors. Comparison of virtual df machines, Wikipedia, The Free Encyclopedia, June [9] I. Kelly. Porting MINIX to Xen, May 8, 2006, 24, 2006, http://choices.cs.uiuc.edu/cache/Report.pdf http://en.wikipedia.org/w/index.php?title=Comparis 11
  • 12. Virtual machines – the state of the art – 30 July 2006 on_of_virtual_machines&oldid=60326520 9 Products mentioned Bochs http://bochs.sourceforge.net/ BurnNT http://l4ka.org/projects/virtualizatio n/burnnt/ FreeBSD http://www.freebsd.org/ Java http://java.sun.com/ Linux V-Server http://linux-vserver.org/ Marzipan http://l4ka.org/projects/virtualizatio n/resourcemon/ Microsoft .NEThttp://www.microsoft.com/net/ Microsoft http://www.microsoft.com/Wind VirtualPC ows/virtualpc/ Microsoft http://www.microsoft.com/windows Virtual Server serversystem/virtualserver/ OpenVZ http://openvz.org/ Parallels http://www.parallels.com/en/pro Workstation ducts/workstation/ Qemu http://fabrice.bellard.free.fr/qemu / Serenity Virtual http://www.serenityvirtual.com/ Station Solaris Zones http://www.opensolaris.org/os/co mmunity/zones/ User Mode http://user-mode- Linux linux.sourceforge.net/ VMWare ESX http://www.vmware.com/products/v Server i/esx/ VMWare http://www.vmware.com/product Workstation s/ws/ Xen http://www.xensource.com/ 12