IAC 2024 - IA Fast Track to Search Focused AI Solutions
A Brief Overview of Virtualization
1. 大纲 What is Virtualization 虚拟化技术分类 Process VMs System VMs VMM implementation issues Security research
...... ....... .......
A Brief Overview of Virtualization
陈志杰
chenzhijie@icst.pku.edu.cn
蜜网项目组
April 14, 2008
. . . . . .
陈志杰 chenzhijie@icst.pku.edu.cn 蜜网项目组
A Brief Overview of Virtualization
2. 大纲 What is Virtualization 虚拟化技术分类 Process VMs System VMs VMM implementation issues Security research
...... ....... .......
大纲
1 What is Virtualization
2 虚拟化技术分类
3 Process VMs
4 System VMs
5 VMM implementation issues
6 Security research
. . . . . .
陈志杰 chenzhijie@icst.pku.edu.cn 蜜网项目组
A Brief Overview of Virtualization
3. 大纲 What is Virtualization 虚拟化技术分类 Process VMs System VMs VMM implementation issues Security research
...... ....... .......
大纲
1 What is Virtualization
2 虚拟化技术分类
3 Process VMs
4 System VMs
5 VMM implementation issues
6 Security research
. . . . . .
陈志杰 chenzhijie@icst.pku.edu.cn 蜜网项目组
A Brief Overview of Virtualization
4. 大纲 What is Virtualization 虚拟化技术分类 Process VMs System VMs VMM implementation issues Security research
...... ....... .......
Defination
What is Virtualization ?
To virtualize means to take something of one form and make
it appear to be another form.[1]
To make a computer appear to be multiple computers or a
different computer entirely.
To making many computers appear to be a single computer.
(Server Aggregation/Grid Computing)
我们这里讨论的虚拟化指的是前者。
不过目前的趋势是合二为一,即将一些分离的计算资源抽象成统
一的资源库, 然后再由 Virtual Machine Infrastructure 统一
调度,分配给多个虚拟的机器。
. . . . . .
陈志杰 chenzhijie@icst.pku.edu.cn 蜜网项目组
A Brief Overview of Virtualization
5. 大纲 What is Virtualization 虚拟化技术分类 Process VMs System VMs VMM implementation issues Security research
...... ....... .......
Defination
虚拟化转化的是”form”,这里的form指的就是不同的接口(Inter-
face),所以,我们要先从Interface谈起。
. . . . . .
陈志杰 chenzhijie@icst.pku.edu.cn 蜜网项目组
A Brief Overview of Virtualization
6. 大纲 What is Virtualization 虚拟化技术分类 Process VMs System VMs VMM implementation issues Security research
...... ....... .......
Abstraction
抽象(Abstraction)
在计算机结构日益复杂的今天,我们之所以能够有条不紊地继续发展
计算机理论和结构,正是由于存在不同层次的抽象,每层 Abstraction
都会定义一定的接口(Interface),以隐藏具体实现以降低复杂性。
两个名词:
Architecture : A formal specification of an interface in
the system.
Implementation : The actual embodiment of an architec-
ture.
. . . . . .
陈志杰 chenzhijie@icst.pku.edu.cn 蜜网项目组
A Brief Overview of Virtualization
7. 大纲 What is Virtualization 虚拟化技术分类 Process VMs System VMs VMM implementation issues Security research
...... ....... .......
Abstraction
计算机系统的三层 Interface [2]
ISA Instruction
Set Architec-
ture.
ABI Application
Binary Inter-
face.
API Application
Programming
Interface.
Figure: Computer system architecture
. . . . . .
陈志杰 chenzhijie@icst.pku.edu.cn 蜜网项目组
A Brief Overview of Virtualization
8. 大纲 What is Virtualization 虚拟化技术分类 Process VMs System VMs VMM implementation issues Security research
...... ....... .......
Abstraction
Interface vs. Virtualization
Abstraction优点:统一的编程(软件、硬件)格式。
缺点: 移植性
Virtualization : 从一种Abstraction转化到另外一种Abstrac-
tion。
Component Virtualization
System Virtualization
可以依照虚拟机技术所虚拟的层次(ISA、ABI或API)来对虚拟机分
类.
. . . . . .
陈志杰 chenzhijie@icst.pku.edu.cn 蜜网项目组
A Brief Overview of Virtualization
9. 大纲 What is Virtualization 虚拟化技术分类 Process VMs System VMs VMM implementation issues Security research
...... ....... .......
Abstraction
Three Levels of Interface
ISA Instruction Set Architecture.
The ISA marks the division be-
tween hardware and software,
and consists of interfaces 3
and 4. Interface 4 represents
the user ISA and includes those
aspects visible to an applica-
tion program. Interface 3, the
system ISA, is a superset of the
Figure: Computer system user ISA and includes those as-
architecture
pects visible only to operating
system software responsible for
managing hardware resources.
. . . . . .
陈志杰 chenzhijie@icst.pku.edu.cn 蜜网项目组
A Brief Overview of Virtualization
10. 大纲 What is Virtualization 虚拟化技术分类 Process VMs System VMs VMM implementation issues Security research
...... ....... .......
Abstraction
Three Levels of Interface
ABI Application Binary Interface.
The ABI gives a program access
to the hardware resources and
services available in a sys-
tem through the user ISA (in-
terface 4) and the system call
interface (interface 2). The
ABI does not include system in-
structions; rather, all appli-
Figure: Computer system cation programs interact with
architecture
the hardware resources indi-
rectly by invoking the operat-
ing system’s services via the
system call interface.
. . . . . .
陈志杰 chenzhijie@icst.pku.edu.cn 蜜网项目组
A Brief Overview of Virtualization
11. 大纲 What is Virtualization 虚拟化技术分类 Process VMs System VMs VMM implementation issues Security research
...... ....... .......
Abstraction
Three Levels of Interface
API Application Programming Inter-
face.
The API gives a program access
to the hardware resources and
services available in a sys-
tem through the user ISA (in-
terface 4) supplemented with
high-level language (HLL) li-
brary calls (interface 1). Any
Figure: Computer system system calls are usually per-
architecture
formed through libraries. Us-
ing an API enables application
software to be ported easily,
through recompilation, to other
systems that support the same
. . . . . .
陈志杰 chenzhijie@icst.pku.edu.cn API. 蜜网项目组
A Brief Overview of Virtualization
12. 大纲 What is Virtualization 虚拟化技术分类 Process VMs System VMs VMM implementation issues Security research
...... ....... .......
大纲
1 What is Virtualization
2 虚拟化技术分类
3 Process VMs
4 System VMs
5 VMM implementation issues
6 Security research
. . . . . .
陈志杰 chenzhijie@icst.pku.edu.cn 蜜网项目组
A Brief Overview of Virtualization
13. 大纲 What is Virtualization 虚拟化技术分类 Process VMs System VMs VMM implementation issues Security research
...... ....... .......
What is a Virtual Machine
The meaning of “machine”:
From the process’s perspective :
A logical memory address space.
User-level instructions and registers.
I/O (only visible through the operating system calls).
Thus the ABI defines the machine as seen by a process.
Similarly, the API specifies the machine characteristics
as seen by an application’s HLL program.
. . . . . .
陈志杰 chenzhijie@icst.pku.edu.cn 蜜网项目组
A Brief Overview of Virtualization
14. 大纲 What is Virtualization 虚拟化技术分类 Process VMs System VMs VMM implementation issues Security research
...... ....... .......
What is a Virtual Machine
From the operating system’s perspective :
the underlying hardware’s characteristics alone define the
machine
So it is the ISA that provides the interface between the
system and machine.
So there are process VMs and system VMs.
. . . . . .
陈志杰 chenzhijie@icst.pku.edu.cn 蜜网项目组
A Brief Overview of Virtualization
15. 大纲 What is Virtualization 虚拟化技术分类 Process VMs System VMs VMM implementation issues Security research
...... ....... .......
Process VMs and System VMs
A process VM is a virtual platform that executes an in-
dividual process. This type of VM exists solely to support
the process; it is created when the process is created and
terminates when the process terminates. The virtualizing
software that implements a process VM is often termed the
runtime, short for “runtime software.”
A system VM provides a complete, persistent system en-
vironment that supports an operating system along with its
many user processes. It provides the guest operating system
with access to virtual hardware resources, including net-
working, I/O, and perhaps a graphical user interface along
with a processor and memory. The virtualizing software in
a system VM is typically referred to as the virtual machine
monitor (VMM).
. . . . . .
陈志杰 chenzhijie@icst.pku.edu.cn 蜜网项目组
A Brief Overview of Virtualization
16. 大纲 What is Virtualization 虚拟化技术分类 Process VMs System VMs VMM implementation issues Security research
...... ....... .......
大纲
1 What is Virtualization
2 虚拟化技术分类
3 Process VMs
4 System VMs
5 VMM implementation issues
6 Security research
. . . . . .
陈志杰 chenzhijie@icst.pku.edu.cn 蜜网项目组
A Brief Overview of Virtualization
17. 大纲 What is Virtualization 虚拟化技术分类 Process VMs System VMs VMM implementation issues Security research
...... ....... .......
Process Virtual Machines
Multiprogrammed systems :The most common process VM.
Emulators and dynamic binary translators More challeng-
ing problem for process-level VMs is that of supporting
program binaries compiled to an instruction set different
from the one the host executes. eg: Intel IA32-EL which
allows Intel IA-32 application binaries to run on Itanium
hardware.
Same-ISA binary optimizers Dynamo system.
High-level-language VMs The Sun Microsystems Java VM
architecture and the Microsoft Common Language Infrastruc-
ture.
注:HLL environment 仅指需要runtime的语言。
. . . . . .
陈志杰 chenzhijie@icst.pku.edu.cn 蜜网项目组
A Brief Overview of Virtualization
18. 大纲 What is Virtualization 虚拟化技术分类 Process VMs System VMs VMM implementation issues Security research
...... ....... .......
大纲
1 What is Virtualization
2 虚拟化技术分类
3 Process VMs
4 System VMs
5 VMM implementation issues
6 Security research
. . . . . .
陈志杰 chenzhijie@icst.pku.edu.cn 蜜网项目组
A Brief Overview of Virtualization
19. 大纲 What is Virtualization 虚拟化技术分类 Process VMs System VMs VMM implementation issues Security research
...... ....... .......
System VM history
System VM History
可以追溯到20世纪70年代IBM大型机。在经过一个低谷之后,又在以
VMware为代表 的运行在小型或者微型计算机上的新一代虚拟机的带领
下重新崛起。
. . . . . .
陈志杰 chenzhijie@icst.pku.edu.cn 蜜网项目组
A Brief Overview of Virtualization
20. 大纲 What is Virtualization 虚拟化技术分类 Process VMs System VMs VMM implementation issues Security research
...... ....... .......
Classic System VMs
Classic System VMs
The classic approach places the VMM on bare hardware and
the VMs fit on top.
The VMM runs in the most highly privileged mode, while
all guest systems run with reduced privileges so that the
VMM can intercept and emulate all guest operating system
actions that would normally access or manipulate critical
hardware resources.
. . . . . .
陈志杰 chenzhijie@icst.pku.edu.cn 蜜网项目组
A Brief Overview of Virtualization
21. 大纲 What is Virtualization 虚拟化技术分类 Process VMs System VMs VMM implementation issues Security research
...... ....... .......
Hosted VM
Hosted VMs
An alternative system VM implementation builds virtualiz-
ing software on top of an existing host operating system,
resulting in a hosted VM.
Advantage:
A user installs it just like a typical application program.
Virtualizing software can rely on the host operating system
to provide device drivers and other lower-level services
rather than on the VMM.Virtualizing software can rely on the
host operating system to provide device drivers and other
lower-level services rather than on the VMM.
Example:
VMware GSX server
VMware GSX Server将一台实体的电脑变成许多的虚拟服务器,这
些虚拟 服务器其实是由单一的硬件所架构成的,系统资源依据每
一台虚拟机器的 需求,分配到所有的虚拟机器。
. . . . . .
陈志杰 chenzhijie@icst.pku.edu.cn 蜜网项目组
A Brief Overview of Virtualization
22. 大纲 What is Virtualization 虚拟化技术分类 Process VMs System VMs VMM implementation issues Security research
...... ....... .......
Whole System VM
Whole System VMs
The VM software executes as an application program sup-
ported by the host operating system and uses no system ISA
operations.
An example of this type of VM is the Virtual PC (and VMware
Workstation?).
. . . . . .
陈志杰 chenzhijie@icst.pku.edu.cn 蜜网项目组
A Brief Overview of Virtualization
23. 大纲 What is Virtualization 虚拟化技术分类 Process VMs System VMs VMM implementation issues Security research
...... ....... .......
Multiprocessor virtualization
Multiprocessor virtualization
Here, an important objective is to partition the large sys-
tem into multiple smaller multiprocessor systems by dis-
tributing the underlying hardware resources of the large
system.
物理上或者是时间上划分成多个独立的。
. . . . . .
陈志杰 chenzhijie@icst.pku.edu.cn 蜜网项目组
A Brief Overview of Virtualization
24. 大纲 What is Virtualization 虚拟化技术分类 Process VMs System VMs VMM implementation issues Security research
...... ....... .......
Codesigned VM
Codesigned VMs
Codesigned VMs implement new, proprietary ISAs targeted at
improving performance, power efficiency, or both.
Perhaps the best-known example of a codesigned VM is the
Transmeta Crusoe.11 In this processor, the underlying hard-
ware uses a very-long instruction word architecture, and
the guest ISA is the Intel IA-32. The Transmeta design-
ers focused on the power-saving advantages of simpler VLIW
hardware.
. . . . . .
陈志杰 chenzhijie@icst.pku.edu.cn 蜜网项目组
A Brief Overview of Virtualization
25. 大纲 What is Virtualization 虚拟化技术分类 Process VMs System VMs VMM implementation issues Security research
...... ....... .......
Codesigned VM
Partial Summary
Figure: The Vitual Machine Category
. . . . . .
陈志杰 chenzhijie@icst.pku.edu.cn 蜜网项目组
A Brief Overview of Virtualization
26. 大纲 What is Virtualization 虚拟化技术分类 Process VMs System VMs VMM implementation issues Security research
...... ....... .......
大纲
1 What is Virtualization
2 虚拟化技术分类
3 Process VMs
4 System VMs
5 VMM implementation issues
6 Security research
. . . . . .
陈志杰 chenzhijie@icst.pku.edu.cn 蜜网项目组
A Brief Overview of Virtualization
27. 大纲 What is Virtualization 虚拟化技术分类 Process VMs System VMs VMM implementation issues Security research
...... ....... .......
CPU virtualization
CPU Virtualization
ĎĎĎĎĎDirect execution
Executing the virtual machine on the real machine, while
letting the VMM retain ultimate control of the CPU.
A CPU architecture is virtualizable only if it supports the
basic VMM technique of direct execution.
Requires running the virtual machine’s privileged (operating-
system kernel) and unprivileged code in the CPU’s unpriv-
ileged mode, while the VMM runs in privileged mode.Thus,
when the virtual machine attempts to perform a privileged
operation, the CPU traps into the VMM.
. . . . . .
陈志杰 chenzhijie@icst.pku.edu.cn 蜜网项目组
A Brief Overview of Virtualization
28. 大纲 What is Virtualization 虚拟化技术分类 Process VMs System VMs VMM implementation issues Security research
...... ....... .......
CPU virtualization
遇到的问题一
对于x86架构:”Certain privileged-mode instructions do not
trap, and can return different results based upon the
mode.”
如:An instruction that disables interrupts
Letting a guest operating system disable interrupts would
not be safe since the VMM could not regain control of the
CPU.Instead, the VMM would trap the operation to disable
interrupts and then record that interrupts were disabled
for that virtual machine.
具体来说,如 POPF 指令。
. . . . . .
陈志杰 chenzhijie@icst.pku.edu.cn 蜜网项目组
A Brief Overview of Virtualization
29. 大纲 What is Virtualization 虚拟化技术分类 Process VMs System VMs VMM implementation issues Security research
...... ....... .......
CPU virtualization
遇到的问题之二
Unprivileged instructions let the CPU access privileged
state.
这样由于是虚拟的缘故(GuestOS运行在用户态),会得到“错
误”的 当前运行级的信息。
Software running in the virtual machine can read the code
segment register to determine the processor’s current
privilege level. But the x86 doesn’t trap the instruc-
tion, so with direct execution, the software would see the
wrong privilege level in the code segment register.
. . . . . .
陈志杰 chenzhijie@icst.pku.edu.cn 蜜网项目组
A Brief Overview of Virtualization
30. 大纲 What is Virtualization 虚拟化技术分类 Process VMs System VMs VMM implementation issues Security research
...... ....... .......
CPU virtualization
解决方案
Paravirtualization
With paravirtualization, the VMM builder defines the vir-
tual machine interface by replacing nonvirtualizable por-
tions of the original instruction set with easily virtual-
ized and more efficient equivalents.
缺点: Operating systems must be ported to run in a virtual
machine.
Direct execution + Fast binary translation (Vmware、QEMU)
对 User Mode 的程序 direct execution , 对 kernel mode 的代
码“打补 丁”.
Intel Vanderpool technology and AMD Pacifica technology.
. . . . . .
陈志杰 chenzhijie@icst.pku.edu.cn 蜜网项目组
A Brief Overview of Virtualization
31. 大纲 What is Virtualization 虚拟化技术分类 Process VMs System VMs VMM implementation issues Security research
...... ....... .......
Memory virtualization
Memory Virtualization
主要技术:
Maintain a shadow of the virtual machine’s memory-management
data structure.
When the operating system running in a virtual machine
establishes a mapping in its page table, the VMM detects
the changes and establishes a mapping in the corresponding
shadow page table entry that points to the actual page
location in the hardware memory.
. . . . . .
陈志杰 chenzhijie@icst.pku.edu.cn 蜜网项目组
A Brief Overview of Virtualization
32. 大纲 What is Virtualization 虚拟化技术分类 Process VMs System VMs VMM implementation issues Security research
...... ....... .......
Memory virtualization
问题和解决方案
cache 的交换和内存空间回收的选择问题。
VMware ESX solution:: a balloon process running inside the
GuestOS can communicate with the VMM.
多个虚拟机之间存在重复的内存数据区。
VMware solution: Content-based page sharing
. . . . . .
陈志杰 chenzhijie@icst.pku.edu.cn 蜜网项目组
A Brief Overview of Virtualization
33. 大纲 What is Virtualization 虚拟化技术分类 Process VMs System VMs VMM implementation issues Security research
...... ....... .......
I/O virtualization
I/O virtualization
古老的IBM大型机的做法:A channel-based architecture.(不懂)
VMware Workstation 的做法:Hosted architecture(Using the
device drivers of a host operating system (HostOS))
ESX Server solution: A highly optimized I/O subsystem for
network and storage devices.(实际上是使用的Linux Kernel的
I/O部分)
. . . . . .
陈志杰 chenzhijie@icst.pku.edu.cn 蜜网项目组
A Brief Overview of Virtualization
34. 大纲 What is Virtualization 虚拟化技术分类 Process VMs System VMs VMM implementation issues Security research
...... ....... .......
大纲
1 What is Virtualization
2 虚拟化技术分类
3 Process VMs
4 System VMs
5 VMM implementation issues
6 Security research
. . . . . .
陈志杰 chenzhijie@icst.pku.edu.cn 蜜网项目组
A Brief Overview of Virtualization
35. 大纲 What is Virtualization 虚拟化技术分类 Process VMs System VMs VMM implementation issues Security research
...... ....... .......
Security research
Livewire: a system that uses a VMM for advanced intrusion
detection on the software in the virtual machines.
ReVirt: uses the VMM layer to analyze the damage hackers
might have caused during the break-in.
Argos: Dynamic Dataflow Analyze.
etc.
. . . . . .
陈志杰 chenzhijie@icst.pku.edu.cn 蜜网项目组
A Brief Overview of Virtualization
36. 大纲 What is Virtualization 虚拟化技术分类 Process VMs System VMs VMM implementation issues Security research
...... ....... .......
Virtualization in the future
开头提到的 Virtual Center.
Migrating software as data.
Security.
. . . . . .
陈志杰 chenzhijie@icst.pku.edu.cn 蜜网项目组
A Brief Overview of Virtualization
37. 大纲 What is Virtualization 虚拟化技术分类 Process VMs System VMs VMM implementation issues Security research
...... ....... .......
参考文献
[1] M. Tim Jones
Virtual Linux –An overview of virtualization methods, architectures, and
implementations [EB/OL].
IBM DeveloperWorks.
http://www.ibm.com/developerworks/library/l-linuxvirt/ .
[2] James E.Smith and Ravi Nair
The Architecture of Virtual Machines [J]
Computer, May 2005 IEEE.
[3] Mendel Rosenblum and Tal Garfinkel
Virtual Machine Monitors: Current Technology and Future Trends [J].
Computer, May 2005 IEEE.
[4] Fabrice Bellard
QEMU, a Fast and Portable Dynamic Translator.
2005 USENIX Annual Technical Conference.
. . . . . .
陈志杰 chenzhijie@icst.pku.edu.cn 蜜网项目组
A Brief Overview of Virtualization
38. 大纲 What is Virtualization 虚拟化技术分类 Process VMs System VMs VMM implementation issues Security research
...... ....... .......
谢谢大家!
. . . . . .
陈志杰 chenzhijie@icst.pku.edu.cn 蜜网项目组
A Brief Overview of Virtualization