Downloaded 57 times
![大纲 What is Virtualization 虚拟化技术分类 Process VMs System VMs VMM implementation issues Security research
...... ....... .......
Defination
What is Virtualization ?
To virtualize means to take something of one form and make
it appear to be another form.[1]
To make a computer appear to be multiple computers or a
different computer entirely.
To making many computers appear to be a single computer.
(Server Aggregation/Grid Computing)
我们这里讨论的虚拟化指的是前者。
不过目前的趋势是合二为一,即将一些分离的计算资源抽象成统
一的资源库, 然后再由 Virtual Machine Infrastructure 统一
调度,分配给多个虚拟的机器。
. . . . . .
陈志杰 chenzhijie@icst.pku.edu.cn 蜜网项目组
A Brief Overview of Virtualization](https://image.slidesharecdn.com/vmintroslidesv0-2-090915034854-phpapp02/75/A-Brief-Overview-of-Virtualization-4-2048.jpg)
![大纲 What is Virtualization 虚拟化技术分类 Process VMs System VMs VMM implementation issues Security research
...... ....... .......
Abstraction
计算机系统的三层 Interface [2]
ISA Instruction
Set Architec-
ture.
ABI Application
Binary Inter-
face.
API Application
Programming
Interface.
Figure: Computer system architecture
. . . . . .
陈志杰 chenzhijie@icst.pku.edu.cn 蜜网项目组
A Brief Overview of Virtualization](https://image.slidesharecdn.com/vmintroslidesv0-2-090915034854-phpapp02/75/A-Brief-Overview-of-Virtualization-7-2048.jpg)
![大纲 What is Virtualization 虚拟化技术分类 Process VMs System VMs VMM implementation issues Security research
...... ....... .......
参考文献
[1] M. Tim Jones
Virtual Linux –An overview of virtualization methods, architectures, and
implementations [EB/OL].
IBM DeveloperWorks.
http://www.ibm.com/developerworks/library/l-linuxvirt/ .
[2] James E.Smith and Ravi Nair
The Architecture of Virtual Machines [J]
Computer, May 2005 IEEE.
[3] Mendel Rosenblum and Tal Garfinkel
Virtual Machine Monitors: Current Technology and Future Trends [J].
Computer, May 2005 IEEE.
[4] Fabrice Bellard
QEMU, a Fast and Portable Dynamic Translator.
2005 USENIX Annual Technical Conference.
. . . . . .
陈志杰 chenzhijie@icst.pku.edu.cn 蜜网项目组
A Brief Overview of Virtualization](https://image.slidesharecdn.com/vmintroslidesv0-2-090915034854-phpapp02/75/A-Brief-Overview-of-Virtualization-37-2048.jpg)
Uploaded byZ Chen
A Brief Overview of Virtualization
The document provides an overview of virtualization technology, including definitions of virtualization, classifications of virtualization techniques, and discussions of process VMs, system VMs, and virtual machine monitor implementation issues and security research. It defines virtualization as making one computer system appear to be another system and discusses how virtualization provides abstraction through defined interfaces between layers.
A Brief Overview of Virtualization
- 1. 大纲 What is Virtualization 虚拟化技术分类 Process VMs System VMs VMM implementation issues Security research ...... ....... ....... A Brief Overview of Virtualization 陈志杰 chenzhijie@icst.pku.edu.cn 蜜网项目组 April 14, 2008 . . . . . . 陈志杰 chenzhijie@icst.pku.edu.cn 蜜网项目组 A Brief Overview of Virtualization
- 2. 大纲 What is Virtualization 虚拟化技术分类 Process VMs System VMs VMM implementation issues Security research ...... ....... ....... 大纲 1 What is Virtualization 2 虚拟化技术分类 3 Process VMs 4 System VMs 5 VMM implementation issues 6 Security research . . . . . . 陈志杰 chenzhijie@icst.pku.edu.cn 蜜网项目组 A Brief Overview of Virtualization
- 3. 大纲 What is Virtualization 虚拟化技术分类 Process VMs System VMs VMM implementation issues Security research ...... ....... ....... 大纲 1 What is Virtualization 2 虚拟化技术分类 3 Process VMs 4 System VMs 5 VMM implementation issues 6 Security research . . . . . . 陈志杰 chenzhijie@icst.pku.edu.cn 蜜网项目组 A Brief Overview of Virtualization
- 4. 大纲 What is Virtualization 虚拟化技术分类 Process VMs System VMs VMM implementation issues Security research ...... ....... ....... Defination What is Virtualization ? To virtualize means to take something of one form and make it appear to be another form.[1] To make a computer appear to be multiple computers or a different computer entirely. To making many computers appear to be a single computer. (Server Aggregation/Grid Computing) 我们这里讨论的虚拟化指的是前者。 不过目前的趋势是合二为一,即将一些分离的计算资源抽象成统 一的资源库, 然后再由 Virtual Machine Infrastructure 统一 调度,分配给多个虚拟的机器。 . . . . . . 陈志杰 chenzhijie@icst.pku.edu.cn 蜜网项目组 A Brief Overview of Virtualization
- 5. 大纲 What is Virtualization 虚拟化技术分类 Process VMs System VMs VMM implementation issues Security research ...... ....... ....... Defination 虚拟化转化的是”form”,这里的form指的就是不同的接口(Inter- face),所以,我们要先从Interface谈起。 . . . . . . 陈志杰 chenzhijie@icst.pku.edu.cn 蜜网项目组 A Brief Overview of Virtualization
- 6. 大纲 What is Virtualization 虚拟化技术分类 Process VMs System VMs VMM implementation issues Security research ...... ....... ....... Abstraction 抽象(Abstraction) 在计算机结构日益复杂的今天,我们之所以能够有条不紊地继续发展 计算机理论和结构,正是由于存在不同层次的抽象,每层 Abstraction 都会定义一定的接口(Interface),以隐藏具体实现以降低复杂性。 两个名词: Architecture : A formal specification of an interface in the system. Implementation : The actual embodiment of an architec- ture. . . . . . . 陈志杰 chenzhijie@icst.pku.edu.cn 蜜网项目组 A Brief Overview of Virtualization
- 7. 大纲 What is Virtualization 虚拟化技术分类 Process VMs System VMs VMM implementation issues Security research ...... ....... ....... Abstraction 计算机系统的三层 Interface [2] ISA Instruction Set Architec- ture. ABI Application Binary Inter- face. API Application Programming Interface. Figure: Computer system architecture . . . . . . 陈志杰 chenzhijie@icst.pku.edu.cn 蜜网项目组 A Brief Overview of Virtualization
- 8. 大纲 What is Virtualization 虚拟化技术分类 Process VMs System VMs VMM implementation issues Security research ...... ....... ....... Abstraction Interface vs. Virtualization Abstraction优点:统一的编程(软件、硬件)格式。 缺点: 移植性 Virtualization : 从一种Abstraction转化到另外一种Abstrac- tion。 Component Virtualization System Virtualization 可以依照虚拟机技术所虚拟的层次(ISA、ABI或API)来对虚拟机分 类. . . . . . . 陈志杰 chenzhijie@icst.pku.edu.cn 蜜网项目组 A Brief Overview of Virtualization
- 9. 大纲 What is Virtualization 虚拟化技术分类 Process VMs System VMs VMM implementation issues Security research ...... ....... ....... Abstraction Three Levels of Interface ISA Instruction Set Architecture. The ISA marks the division be- tween hardware and software, and consists of interfaces 3 and 4. Interface 4 represents the user ISA and includes those aspects visible to an applica- tion program. Interface 3, the system ISA, is a superset of the Figure: Computer system user ISA and includes those as- architecture pects visible only to operating system software responsible for managing hardware resources. . . . . . . 陈志杰 chenzhijie@icst.pku.edu.cn 蜜网项目组 A Brief Overview of Virtualization
- 10. 大纲 What is Virtualization 虚拟化技术分类 Process VMs System VMs VMM implementation issues Security research ...... ....... ....... Abstraction Three Levels of Interface ABI Application Binary Interface. The ABI gives a program access to the hardware resources and services available in a sys- tem through the user ISA (in- terface 4) and the system call interface (interface 2). The ABI does not include system in- structions; rather, all appli- Figure: Computer system cation programs interact with architecture the hardware resources indi- rectly by invoking the operat- ing system’s services via the system call interface. . . . . . . 陈志杰 chenzhijie@icst.pku.edu.cn 蜜网项目组 A Brief Overview of Virtualization
- 11. 大纲 What is Virtualization 虚拟化技术分类 Process VMs System VMs VMM implementation issues Security research ...... ....... ....... Abstraction Three Levels of Interface API Application Programming Inter- face. The API gives a program access to the hardware resources and services available in a sys- tem through the user ISA (in- terface 4) supplemented with high-level language (HLL) li- brary calls (interface 1). Any Figure: Computer system system calls are usually per- architecture formed through libraries. Us- ing an API enables application software to be ported easily, through recompilation, to other systems that support the same . . . . . . 陈志杰 chenzhijie@icst.pku.edu.cn API. 蜜网项目组 A Brief Overview of Virtualization
- 12. 大纲 What is Virtualization 虚拟化技术分类 Process VMs System VMs VMM implementation issues Security research ...... ....... ....... 大纲 1 What is Virtualization 2 虚拟化技术分类 3 Process VMs 4 System VMs 5 VMM implementation issues 6 Security research . . . . . . 陈志杰 chenzhijie@icst.pku.edu.cn 蜜网项目组 A Brief Overview of Virtualization
- 13. 大纲 What is Virtualization 虚拟化技术分类 Process VMs System VMs VMM implementation issues Security research ...... ....... ....... What is a Virtual Machine The meaning of “machine”: From the process’s perspective : A logical memory address space. User-level instructions and registers. I/O (only visible through the operating system calls). Thus the ABI defines the machine as seen by a process. Similarly, the API specifies the machine characteristics as seen by an application’s HLL program. . . . . . . 陈志杰 chenzhijie@icst.pku.edu.cn 蜜网项目组 A Brief Overview of Virtualization
- 14. 大纲 What is Virtualization 虚拟化技术分类 Process VMs System VMs VMM implementation issues Security research ...... ....... ....... What is a Virtual Machine From the operating system’s perspective : the underlying hardware’s characteristics alone define the machine So it is the ISA that provides the interface between the system and machine. So there are process VMs and system VMs. . . . . . . 陈志杰 chenzhijie@icst.pku.edu.cn 蜜网项目组 A Brief Overview of Virtualization
- 15. 大纲 What is Virtualization 虚拟化技术分类 Process VMs System VMs VMM implementation issues Security research ...... ....... ....... Process VMs and System VMs A process VM is a virtual platform that executes an in- dividual process. This type of VM exists solely to support the process; it is created when the process is created and terminates when the process terminates. The virtualizing software that implements a process VM is often termed the runtime, short for “runtime software.” A system VM provides a complete, persistent system en- vironment that supports an operating system along with its many user processes. It provides the guest operating system with access to virtual hardware resources, including net- working, I/O, and perhaps a graphical user interface along with a processor and memory. The virtualizing software in a system VM is typically referred to as the virtual machine monitor (VMM). . . . . . . 陈志杰 chenzhijie@icst.pku.edu.cn 蜜网项目组 A Brief Overview of Virtualization
- 16. 大纲 What is Virtualization 虚拟化技术分类 Process VMs System VMs VMM implementation issues Security research ...... ....... ....... 大纲 1 What is Virtualization 2 虚拟化技术分类 3 Process VMs 4 System VMs 5 VMM implementation issues 6 Security research . . . . . . 陈志杰 chenzhijie@icst.pku.edu.cn 蜜网项目组 A Brief Overview of Virtualization
- 17. 大纲 What is Virtualization 虚拟化技术分类 Process VMs System VMs VMM implementation issues Security research ...... ....... ....... Process Virtual Machines Multiprogrammed systems :The most common process VM. Emulators and dynamic binary translators More challeng- ing problem for process-level VMs is that of supporting program binaries compiled to an instruction set different from the one the host executes. eg: Intel IA32-EL which allows Intel IA-32 application binaries to run on Itanium hardware. Same-ISA binary optimizers Dynamo system. High-level-language VMs The Sun Microsystems Java VM architecture and the Microsoft Common Language Infrastruc- ture. 注:HLL environment 仅指需要runtime的语言。 . . . . . . 陈志杰 chenzhijie@icst.pku.edu.cn 蜜网项目组 A Brief Overview of Virtualization
- 18. 大纲 What is Virtualization 虚拟化技术分类 Process VMs System VMs VMM implementation issues Security research ...... ....... ....... 大纲 1 What is Virtualization 2 虚拟化技术分类 3 Process VMs 4 System VMs 5 VMM implementation issues 6 Security research . . . . . . 陈志杰 chenzhijie@icst.pku.edu.cn 蜜网项目组 A Brief Overview of Virtualization
- 19. 大纲 What is Virtualization 虚拟化技术分类 Process VMs System VMs VMM implementation issues Security research ...... ....... ....... System VM history System VM History 可以追溯到20世纪70年代IBM大型机。在经过一个低谷之后,又在以 VMware为代表 的运行在小型或者微型计算机上的新一代虚拟机的带领 下重新崛起。 . . . . . . 陈志杰 chenzhijie@icst.pku.edu.cn 蜜网项目组 A Brief Overview of Virtualization
- 20. 大纲 What is Virtualization 虚拟化技术分类 Process VMs System VMs VMM implementation issues Security research ...... ....... ....... Classic System VMs Classic System VMs The classic approach places the VMM on bare hardware and the VMs fit on top. The VMM runs in the most highly privileged mode, while all guest systems run with reduced privileges so that the VMM can intercept and emulate all guest operating system actions that would normally access or manipulate critical hardware resources. . . . . . . 陈志杰 chenzhijie@icst.pku.edu.cn 蜜网项目组 A Brief Overview of Virtualization
- 21. 大纲 What is Virtualization 虚拟化技术分类 Process VMs System VMs VMM implementation issues Security research ...... ....... ....... Hosted VM Hosted VMs An alternative system VM implementation builds virtualiz- ing software on top of an existing host operating system, resulting in a hosted VM. Advantage: A user installs it just like a typical application program. Virtualizing software can rely on the host operating system to provide device drivers and other lower-level services rather than on the VMM.Virtualizing software can rely on the host operating system to provide device drivers and other lower-level services rather than on the VMM. Example: VMware GSX server VMware GSX Server将一台实体的电脑变成许多的虚拟服务器,这 些虚拟 服务器其实是由单一的硬件所架构成的,系统资源依据每 一台虚拟机器的 需求,分配到所有的虚拟机器。 . . . . . . 陈志杰 chenzhijie@icst.pku.edu.cn 蜜网项目组 A Brief Overview of Virtualization
- 22. 大纲 What is Virtualization 虚拟化技术分类 Process VMs System VMs VMM implementation issues Security research ...... ....... ....... Whole System VM Whole System VMs The VM software executes as an application program sup- ported by the host operating system and uses no system ISA operations. An example of this type of VM is the Virtual PC (and VMware Workstation?). . . . . . . 陈志杰 chenzhijie@icst.pku.edu.cn 蜜网项目组 A Brief Overview of Virtualization
- 23. 大纲 What is Virtualization 虚拟化技术分类 Process VMs System VMs VMM implementation issues Security research ...... ....... ....... Multiprocessor virtualization Multiprocessor virtualization Here, an important objective is to partition the large sys- tem into multiple smaller multiprocessor systems by dis- tributing the underlying hardware resources of the large system. 物理上或者是时间上划分成多个独立的。 . . . . . . 陈志杰 chenzhijie@icst.pku.edu.cn 蜜网项目组 A Brief Overview of Virtualization
- 24. 大纲 What is Virtualization 虚拟化技术分类 Process VMs System VMs VMM implementation issues Security research ...... ....... ....... Codesigned VM Codesigned VMs Codesigned VMs implement new, proprietary ISAs targeted at improving performance, power efficiency, or both. Perhaps the best-known example of a codesigned VM is the Transmeta Crusoe.11 In this processor, the underlying hard- ware uses a very-long instruction word architecture, and the guest ISA is the Intel IA-32. The Transmeta design- ers focused on the power-saving advantages of simpler VLIW hardware. . . . . . . 陈志杰 chenzhijie@icst.pku.edu.cn 蜜网项目组 A Brief Overview of Virtualization
- 25. 大纲 What is Virtualization 虚拟化技术分类 Process VMs System VMs VMM implementation issues Security research ...... ....... ....... Codesigned VM Partial Summary Figure: The Vitual Machine Category . . . . . . 陈志杰 chenzhijie@icst.pku.edu.cn 蜜网项目组 A Brief Overview of Virtualization
- 26. 大纲 What is Virtualization 虚拟化技术分类 Process VMs System VMs VMM implementation issues Security research ...... ....... ....... 大纲 1 What is Virtualization 2 虚拟化技术分类 3 Process VMs 4 System VMs 5 VMM implementation issues 6 Security research . . . . . . 陈志杰 chenzhijie@icst.pku.edu.cn 蜜网项目组 A Brief Overview of Virtualization
- 27. 大纲 What is Virtualization 虚拟化技术分类 Process VMs System VMs VMM implementation issues Security research ...... ....... ....... CPU virtualization CPU Virtualization ĎĎĎĎĎDirect execution Executing the virtual machine on the real machine, while letting the VMM retain ultimate control of the CPU. A CPU architecture is virtualizable only if it supports the basic VMM technique of direct execution. Requires running the virtual machine’s privileged (operating- system kernel) and unprivileged code in the CPU’s unpriv- ileged mode, while the VMM runs in privileged mode.Thus, when the virtual machine attempts to perform a privileged operation, the CPU traps into the VMM. . . . . . . 陈志杰 chenzhijie@icst.pku.edu.cn 蜜网项目组 A Brief Overview of Virtualization
- 28. 大纲 What is Virtualization 虚拟化技术分类 Process VMs System VMs VMM implementation issues Security research ...... ....... ....... CPU virtualization 遇到的问题一 对于x86架构:”Certain privileged-mode instructions do not trap, and can return different results based upon the mode.” 如:An instruction that disables interrupts Letting a guest operating system disable interrupts would not be safe since the VMM could not regain control of the CPU.Instead, the VMM would trap the operation to disable interrupts and then record that interrupts were disabled for that virtual machine. 具体来说,如 POPF 指令。 . . . . . . 陈志杰 chenzhijie@icst.pku.edu.cn 蜜网项目组 A Brief Overview of Virtualization
- 29. 大纲 What is Virtualization 虚拟化技术分类 Process VMs System VMs VMM implementation issues Security research ...... ....... ....... CPU virtualization 遇到的问题之二 Unprivileged instructions let the CPU access privileged state. 这样由于是虚拟的缘故(GuestOS运行在用户态),会得到“错 误”的 当前运行级的信息。 Software running in the virtual machine can read the code segment register to determine the processor’s current privilege level. But the x86 doesn’t trap the instruc- tion, so with direct execution, the software would see the wrong privilege level in the code segment register. . . . . . . 陈志杰 chenzhijie@icst.pku.edu.cn 蜜网项目组 A Brief Overview of Virtualization
- 30. 大纲 What is Virtualization 虚拟化技术分类 Process VMs System VMs VMM implementation issues Security research ...... ....... ....... CPU virtualization 解决方案 Paravirtualization With paravirtualization, the VMM builder defines the vir- tual machine interface by replacing nonvirtualizable por- tions of the original instruction set with easily virtual- ized and more efficient equivalents. 缺点: Operating systems must be ported to run in a virtual machine. Direct execution + Fast binary translation (Vmware、QEMU) 对 User Mode 的程序 direct execution , 对 kernel mode 的代 码“打补 丁”. Intel Vanderpool technology and AMD Pacifica technology. . . . . . . 陈志杰 chenzhijie@icst.pku.edu.cn 蜜网项目组 A Brief Overview of Virtualization
- 31. 大纲 What is Virtualization 虚拟化技术分类 Process VMs System VMs VMM implementation issues Security research ...... ....... ....... Memory virtualization Memory Virtualization 主要技术: Maintain a shadow of the virtual machine’s memory-management data structure. When the operating system running in a virtual machine establishes a mapping in its page table, the VMM detects the changes and establishes a mapping in the corresponding shadow page table entry that points to the actual page location in the hardware memory. . . . . . . 陈志杰 chenzhijie@icst.pku.edu.cn 蜜网项目组 A Brief Overview of Virtualization
- 32. 大纲 What is Virtualization 虚拟化技术分类 Process VMs System VMs VMM implementation issues Security research ...... ....... ....... Memory virtualization 问题和解决方案 cache 的交换和内存空间回收的选择问题。 VMware ESX solution:: a balloon process running inside the GuestOS can communicate with the VMM. 多个虚拟机之间存在重复的内存数据区。 VMware solution: Content-based page sharing . . . . . . 陈志杰 chenzhijie@icst.pku.edu.cn 蜜网项目组 A Brief Overview of Virtualization
- 33. 大纲 What is Virtualization 虚拟化技术分类 Process VMs System VMs VMM implementation issues Security research ...... ....... ....... I/O virtualization I/O virtualization 古老的IBM大型机的做法:A channel-based architecture.(不懂) VMware Workstation 的做法:Hosted architecture(Using the device drivers of a host operating system (HostOS)) ESX Server solution: A highly optimized I/O subsystem for network and storage devices.(实际上是使用的Linux Kernel的 I/O部分) . . . . . . 陈志杰 chenzhijie@icst.pku.edu.cn 蜜网项目组 A Brief Overview of Virtualization
- 34. 大纲 What is Virtualization 虚拟化技术分类 Process VMs System VMs VMM implementation issues Security research ...... ....... ....... 大纲 1 What is Virtualization 2 虚拟化技术分类 3 Process VMs 4 System VMs 5 VMM implementation issues 6 Security research . . . . . . 陈志杰 chenzhijie@icst.pku.edu.cn 蜜网项目组 A Brief Overview of Virtualization
- 35. 大纲 What is Virtualization 虚拟化技术分类 Process VMs System VMs VMM implementation issues Security research ...... ....... ....... Security research Livewire: a system that uses a VMM for advanced intrusion detection on the software in the virtual machines. ReVirt: uses the VMM layer to analyze the damage hackers might have caused during the break-in. Argos: Dynamic Dataflow Analyze. etc. . . . . . . 陈志杰 chenzhijie@icst.pku.edu.cn 蜜网项目组 A Brief Overview of Virtualization
- 36. 大纲 What is Virtualization 虚拟化技术分类 Process VMs System VMs VMM implementation issues Security research ...... ....... ....... Virtualization in the future 开头提到的 Virtual Center. Migrating software as data. Security. . . . . . . 陈志杰 chenzhijie@icst.pku.edu.cn 蜜网项目组 A Brief Overview of Virtualization
- 37. 大纲 What is Virtualization 虚拟化技术分类 Process VMs System VMs VMM implementation issues Security research ...... ....... ....... 参考文献 [1] M. Tim Jones Virtual Linux –An overview of virtualization methods, architectures, and implementations [EB/OL]. IBM DeveloperWorks. http://www.ibm.com/developerworks/library/l-linuxvirt/ . [2] James E.Smith and Ravi Nair The Architecture of Virtual Machines [J] Computer, May 2005 IEEE. [3] Mendel Rosenblum and Tal Garfinkel Virtual Machine Monitors: Current Technology and Future Trends [J]. Computer, May 2005 IEEE. [4] Fabrice Bellard QEMU, a Fast and Portable Dynamic Translator. 2005 USENIX Annual Technical Conference. . . . . . . 陈志杰 chenzhijie@icst.pku.edu.cn 蜜网项目组 A Brief Overview of Virtualization
- 38. 大纲 What is Virtualization 虚拟化技术分类 Process VMs System VMs VMM implementation issues Security research ...... ....... ....... 谢谢大家! . . . . . . 陈志杰 chenzhijie@icst.pku.edu.cn 蜜网项目组 A Brief Overview of Virtualization