This paper is a technology preview that describes a new hardware-based capability known as Intel® Virtual Machine Control Structure (Intel® VMCS) Shadowing, which will be available with 4th generation Intel® CoreTM vProTM processor and describes the hardware-assisted security provided by XenClient, Deep Defender. Intel VMCS Shadowing can enable faster performance for multi-VMM usage models. Both Citrix and McAfee are evaluating this capability for inclusion in future product releases.
• Overview and Introduction to Virtualisation
• Security Risks in Virtualised Environments
• Controls in Virtualised Environments
• Summary and Conclusions
Learn about the IBM SmartCloud Desktop Infrastructure.The SmartCloud Desktop Infrastructure solution with VMware View running on IBM Flex System simplifies IT manageability and control. It delivers high fidelity user experiences across devices and networks. The features of VMware View that are included in the SmartCloud Desktop Infrastructure solution provide enhanced security, high availability, centralized management and control, and scalability. For more information on Pure Systems, visit http://ibm.co/18vDnp6.
Visit the official Scribd Channel of IBM India Smarter Computing at http://bit.ly/VwO86R to get access to more documents.
This paper is a technology preview that describes a new hardware-based capability known as Intel® Virtual Machine Control Structure (Intel® VMCS) Shadowing, which will be available with 4th generation Intel® CoreTM vProTM processor and describes the hardware-assisted security provided by XenClient, Deep Defender. Intel VMCS Shadowing can enable faster performance for multi-VMM usage models. Both Citrix and McAfee are evaluating this capability for inclusion in future product releases.
• Overview and Introduction to Virtualisation
• Security Risks in Virtualised Environments
• Controls in Virtualised Environments
• Summary and Conclusions
Learn about the IBM SmartCloud Desktop Infrastructure.The SmartCloud Desktop Infrastructure solution with VMware View running on IBM Flex System simplifies IT manageability and control. It delivers high fidelity user experiences across devices and networks. The features of VMware View that are included in the SmartCloud Desktop Infrastructure solution provide enhanced security, high availability, centralized management and control, and scalability. For more information on Pure Systems, visit http://ibm.co/18vDnp6.
Visit the official Scribd Channel of IBM India Smarter Computing at http://bit.ly/VwO86R to get access to more documents.
Disco: Running Commodity Operating Systems on Scalable Multiprocessors DiscoMagnus Backman
Disco: Running Commodity Operating Systems on Scalable Multiprocessors
VMware started as a grad school project out of Stansford university.
Many servers were under utilized so Project Disco was born.
Yes, VMware was originally called Project Disco.
In fact both GOOGLE and Project Disco started out together as grad projects.
Chapter 5 – Cloud Resource
Virtualization
Contents
Virtualization.
Layering and virtualization.
Virtual machine monitor.
Virtual machine.
Performance and security isolation.
Architectural support for virtualization.
x86 support for virtualization.
Full and paravirtualization.
Xen 1.0 and Xen 2.0.
Performance comparison of virtual machine monitors.
The darker side of virtualization.
Software fault isolation.
Cloud Computing: Theory and Practice. Chapter 5 2 Dan C. Marinescu
Motivation
There are many physical realizations of the fundamental
abstractions necessary to describe the operation of a computing
systems.
Interpreters.
Memory.
Communications links.
Virtualization is a basic tenet of cloud computing, it simplifies the
management of physical resources for the three abstractions.
The state of a virtual machine (VM) running under a virtual machine
monitor (VMM) can de saved and migrated to another server to
balance the load.
Virtualization allows users to operate in environments they are
familiar with, rather than forcing them to idiosyncratic ones.
Cloud Computing: Theory and Practice.
Chapter 5 3 Dan C. Marinescu
Motivation (cont’d)
Cloud resource virtualization is important for:
System security, as it allows isolation of services running on
the same hardware.
Performance and reliability, as it allows applications to migrate
from one platform to another.
The development and management of services offered by a
provider.
Performance isolation.
Cloud Computing: Theory and Practice.
Chapter 5 4 Dan C. Marinescu
Virtualization
Simulates the interface to a physical object by:
Multiplexing: creates multiple virtual objects from one instance
of a physical object. Example - a processor is multiplexed
among a number of processes or threads.
Aggregation: creates one virtual object from multiple physical
objects. Example - a number of physical disks are aggregated
into a RAID disk.
Emulation: constructs a virtual object from a different type of a
physical object. Example - a physical disk emulates a Random
Access Memory (RAM).
Multiplexing and emulation. Examples - virtual memory with
paging multiplexes real memory and disk; a virtual address
emulates a real address.
Cloud Computing: Theory and Practice.
Chapter 5 5 Dan C. Marinescu
Layering
Layering – a common approach to manage system complexity.
Minimizes the interactions among the subsystems of a complex
system.
Simplifies the description of the subsystems; each subsystem is
abstracted through its interfaces with the other subsystems.
We are able to design, implement, and modify the individual
subsystems independently.
Layering in a computer system.
Hardware.
Software.
Operating system.
Libraries.
Applications.
.
Chapter 5 – Cloud Resource
Virtualization
Contents
Virtualization.
Layering and virtualization.
Virtual machine monitor.
Virtual machine.
Performance and security isolation.
Architectural support for virtualization.
x86 support for virtualization.
Full and paravirtualization.
Xen 1.0 and Xen 2.0.
Performance comparison of virtual machine monitors.
The darker side of virtualization.
Software fault isolation.
Cloud Computing: Theory and Practice. Chapter 5 2 Dan C. Marinescu
Motivation
There are many physical realizations of the fundamental
abstractions necessary to describe the operation of a computing
systems.
Interpreters.
Memory.
Communications links.
Virtualization is a basic tenet of cloud computing, it simplifies the
management of physical resources for the three abstractions.
The state of a virtual machine (VM) running under a virtual machine
monitor (VMM) can de saved and migrated to another server to
balance the load.
Virtualization allows users to operate in environments they are
familiar with, rather than forcing them to idiosyncratic ones.
Cloud Computing: Theory and Practice.
Chapter 5 3 Dan C. Marinescu
Motivation (cont’d)
Cloud resource virtualization is important for:
System security, as it allows isolation of services running on
the same hardware.
Performance and reliability, as it allows applications to migrate
from one platform to another.
The development and management of services offered by a
provider.
Performance isolation.
Cloud Computing: Theory and Practice.
Chapter 5 4 Dan C. Marinescu
Virtualization
Simulates the interface to a physical object by:
Multiplexing: creates multiple virtual objects from one instance
of a physical object. Example - a processor is multiplexed
among a number of processes or threads.
Aggregation: creates one virtual object from multiple physical
objects. Example - a number of physical disks are aggregated
into a RAID disk.
Emulation: constructs a virtual object from a different type of a
physical object. Example - a physical disk emulates a Random
Access Memory (RAM).
Multiplexing and emulation. Examples - virtual memory with
paging multiplexes real memory and disk; a virtual address
emulates a real address.
Cloud Computing: Theory and Practice.
Chapter 5 5 Dan C. Marinescu
Layering
Layering – a common approach to manage system complexity.
Minimizes the interactions among the subsystems of a complex
system.
Simplifies the description of the subsystems; each subsystem is
abstracted through its interfaces with the other subsystems.
We are able to design, implement, and modify the individual
subsystems independently.
Layering in a computer system.
Hardware.
Software.
Operating system.
Libraries.
Applications.
.
Need for Virtualization – Pros and cons of Virtualization – Types of Virtualization –System VM, Process VM, Virtual Machine monitor – Virtual machine properties - Interpretation and binary translation, HLL VM - supervisors – Xen, KVM, VMware, Virtual Box, Hyper-V.
A Rookie-level presentation on Virtualization, and a sneak peek Cloud Computing.
This is a presentation created for a seminar presentation on Cloud and Virtualization Technologies.
Under normal conditions, this presentation may take upto 20-40 mins to complete.
Created and presented in Oct 2014.
Virtualization is a new method regarding using computing resources efficiently, by maximizing energy efficiency, extend the life of the hardware and also recycles. Virtualization technology is a system of work done by the software can merge some real physical systems into a single virtual form commonly known as virtualization without prejudice advantages over the single system. Of course, this system can reduce the amount of hardware, electrical energy consumption and time used thereby increasing the level of efficiency and effectiveness. Also, virtualization certainly reduces heat energy arising from the number of installed hardware, thereby reducing the increase in temperature geothermal (Global Warming). Some virtualization includes Server Virtualization, Network Virtualization, Memory Virtualization, Grid Computing, Application Virtualization, Storage Virtualization, Virtualization and Thin Client Platform.
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
Disco: Running Commodity Operating Systems on Scalable Multiprocessors DiscoMagnus Backman
Disco: Running Commodity Operating Systems on Scalable Multiprocessors
VMware started as a grad school project out of Stansford university.
Many servers were under utilized so Project Disco was born.
Yes, VMware was originally called Project Disco.
In fact both GOOGLE and Project Disco started out together as grad projects.
Chapter 5 – Cloud Resource
Virtualization
Contents
Virtualization.
Layering and virtualization.
Virtual machine monitor.
Virtual machine.
Performance and security isolation.
Architectural support for virtualization.
x86 support for virtualization.
Full and paravirtualization.
Xen 1.0 and Xen 2.0.
Performance comparison of virtual machine monitors.
The darker side of virtualization.
Software fault isolation.
Cloud Computing: Theory and Practice. Chapter 5 2 Dan C. Marinescu
Motivation
There are many physical realizations of the fundamental
abstractions necessary to describe the operation of a computing
systems.
Interpreters.
Memory.
Communications links.
Virtualization is a basic tenet of cloud computing, it simplifies the
management of physical resources for the three abstractions.
The state of a virtual machine (VM) running under a virtual machine
monitor (VMM) can de saved and migrated to another server to
balance the load.
Virtualization allows users to operate in environments they are
familiar with, rather than forcing them to idiosyncratic ones.
Cloud Computing: Theory and Practice.
Chapter 5 3 Dan C. Marinescu
Motivation (cont’d)
Cloud resource virtualization is important for:
System security, as it allows isolation of services running on
the same hardware.
Performance and reliability, as it allows applications to migrate
from one platform to another.
The development and management of services offered by a
provider.
Performance isolation.
Cloud Computing: Theory and Practice.
Chapter 5 4 Dan C. Marinescu
Virtualization
Simulates the interface to a physical object by:
Multiplexing: creates multiple virtual objects from one instance
of a physical object. Example - a processor is multiplexed
among a number of processes or threads.
Aggregation: creates one virtual object from multiple physical
objects. Example - a number of physical disks are aggregated
into a RAID disk.
Emulation: constructs a virtual object from a different type of a
physical object. Example - a physical disk emulates a Random
Access Memory (RAM).
Multiplexing and emulation. Examples - virtual memory with
paging multiplexes real memory and disk; a virtual address
emulates a real address.
Cloud Computing: Theory and Practice.
Chapter 5 5 Dan C. Marinescu
Layering
Layering – a common approach to manage system complexity.
Minimizes the interactions among the subsystems of a complex
system.
Simplifies the description of the subsystems; each subsystem is
abstracted through its interfaces with the other subsystems.
We are able to design, implement, and modify the individual
subsystems independently.
Layering in a computer system.
Hardware.
Software.
Operating system.
Libraries.
Applications.
.
Chapter 5 – Cloud Resource
Virtualization
Contents
Virtualization.
Layering and virtualization.
Virtual machine monitor.
Virtual machine.
Performance and security isolation.
Architectural support for virtualization.
x86 support for virtualization.
Full and paravirtualization.
Xen 1.0 and Xen 2.0.
Performance comparison of virtual machine monitors.
The darker side of virtualization.
Software fault isolation.
Cloud Computing: Theory and Practice. Chapter 5 2 Dan C. Marinescu
Motivation
There are many physical realizations of the fundamental
abstractions necessary to describe the operation of a computing
systems.
Interpreters.
Memory.
Communications links.
Virtualization is a basic tenet of cloud computing, it simplifies the
management of physical resources for the three abstractions.
The state of a virtual machine (VM) running under a virtual machine
monitor (VMM) can de saved and migrated to another server to
balance the load.
Virtualization allows users to operate in environments they are
familiar with, rather than forcing them to idiosyncratic ones.
Cloud Computing: Theory and Practice.
Chapter 5 3 Dan C. Marinescu
Motivation (cont’d)
Cloud resource virtualization is important for:
System security, as it allows isolation of services running on
the same hardware.
Performance and reliability, as it allows applications to migrate
from one platform to another.
The development and management of services offered by a
provider.
Performance isolation.
Cloud Computing: Theory and Practice.
Chapter 5 4 Dan C. Marinescu
Virtualization
Simulates the interface to a physical object by:
Multiplexing: creates multiple virtual objects from one instance
of a physical object. Example - a processor is multiplexed
among a number of processes or threads.
Aggregation: creates one virtual object from multiple physical
objects. Example - a number of physical disks are aggregated
into a RAID disk.
Emulation: constructs a virtual object from a different type of a
physical object. Example - a physical disk emulates a Random
Access Memory (RAM).
Multiplexing and emulation. Examples - virtual memory with
paging multiplexes real memory and disk; a virtual address
emulates a real address.
Cloud Computing: Theory and Practice.
Chapter 5 5 Dan C. Marinescu
Layering
Layering – a common approach to manage system complexity.
Minimizes the interactions among the subsystems of a complex
system.
Simplifies the description of the subsystems; each subsystem is
abstracted through its interfaces with the other subsystems.
We are able to design, implement, and modify the individual
subsystems independently.
Layering in a computer system.
Hardware.
Software.
Operating system.
Libraries.
Applications.
.
Need for Virtualization – Pros and cons of Virtualization – Types of Virtualization –System VM, Process VM, Virtual Machine monitor – Virtual machine properties - Interpretation and binary translation, HLL VM - supervisors – Xen, KVM, VMware, Virtual Box, Hyper-V.
A Rookie-level presentation on Virtualization, and a sneak peek Cloud Computing.
This is a presentation created for a seminar presentation on Cloud and Virtualization Technologies.
Under normal conditions, this presentation may take upto 20-40 mins to complete.
Created and presented in Oct 2014.
Virtualization is a new method regarding using computing resources efficiently, by maximizing energy efficiency, extend the life of the hardware and also recycles. Virtualization technology is a system of work done by the software can merge some real physical systems into a single virtual form commonly known as virtualization without prejudice advantages over the single system. Of course, this system can reduce the amount of hardware, electrical energy consumption and time used thereby increasing the level of efficiency and effectiveness. Also, virtualization certainly reduces heat energy arising from the number of installed hardware, thereby reducing the increase in temperature geothermal (Global Warming). Some virtualization includes Server Virtualization, Network Virtualization, Memory Virtualization, Grid Computing, Application Virtualization, Storage Virtualization, Virtualization and Thin Client Platform.
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
Elevating Tactical DDD Patterns Through Object CalisthenicsDorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Ramesh Iyer
In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Neuro-symbolic is not enough, we need neuro-*semantic*Frank van Harmelen
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
2. CS5204 –
Operating Systems
Virtualization
2
Concepts
James Smith, Ravi Nair, “The Architectures of Virtual Machines,” IEEE Computer, May 2005, pp. 32-38.
Mendel Rosenblum, Tal Garfinkel, “Virtual Machine Monitors: Current Technology and Future Trends,” IEEE Computer, May 2005, pp. 39-47.
L.H. Seawright, R.A. MacKinnon, “VM/370 – a study of multiplicity and usefulness,” IBM Systems Journal, vol. 18, no. 1, 1979, pp. 4-17.
S.T. King, G.W. Dunlap, P.M. Chen, “Operating System Support for Virtual Machines,” Proceedings of the 2003 USENIX Technical Conference,
June 9-14, 2003, San Antonio TX, pp. 71-84.
A. Whitaker, R.S. Cox, M. Shaw, S.D. Gribble, “Rethinking the Design of Virtual Machine Monitors,” IEEE Computer, May 2005, pp. 57-62.
G.J. Popek, and R.P. Goldberg, “Formal requirements for virtualizable third generation architectures,” CACM, vol. 17 no. 7, 1974, pp. 412-421.
References and Sources
3. CS5204 –
Operating Systems
Virtualization
3
Definitions
Virtualization
A layer mapping its visible interface and resources onto the
interface and resources of the underlying layer or system on
which it is implemented
Purposes
Abstraction – to simplify the use of the underlying resource (e.g., by
removing details of the resource’s structure)
Replication – to create multiple instances of the resource (e.g., to simplify
management or allocation)
Isolation – to separate the uses which clients make of the underlying
resources (e.g., to improve security)
Virtual Machine Monitor (VMM)
A virtualization system that partitions a single physical
“machine” into multiple virtual machines.
Terminology
Host – the machine and/or software on which the VMM is implemented
Guest – the OS which executes under the control of the VMM
4. CS5204 –
Operating Systems
Virtualization
4
Origins - Principles
Efficiency
Innocuous instructions should
execute directly on the hardware
Resource control
Executed programs may not affect
the system resources
Equivalence
The behavior of a program executing
under the VMM should be the same as
if the program were executed directly
on the hardware (except possibly for
timing and resource availability) Communications of the ACM, vol 17, no 7, 1974, pp.412-421
“an efficient, isolated duplicate of the real machine”
5. CS5204 –
Operating Systems
Virtualization
5
Origins - Principles
Instruction types
Privileged
an instruction traps in unprivileged (user) mode but not in privileged (supervisor) mode.
Sensitive
Control sensitive –
attempts to change the memory allocation or privilege mode
Behavior sensitive
Location sensitive – execution behavior depends on location in memory
Mode sensitive – execution behavior depends on the privilege mode
Innocuous – an instruction that is not sensitive
Theorem
For any conventional third generation computer, a virtual machine monitor may be constructed if
the set of sensitive instructions for that computer is a subset of the set of privileged instructions.
Signficance
The IA-32/x86 architecture is not virtualizable.
6. CS5204 –
Operating Systems
Virtualization
6
Origins - Technology
Concurrent execution of multiple production operating systems
Testing and development of experimental systems
Adoption of new systems with continued use of legacy systems
Ability to accommodate applications requiring special-purpose OS
Introduced notions of “handshake” and “virtual-equals-real mode” to allow
sharing of resource control information with CP
Leveraged ability to co-design hardware, VMM, and guestOS
IBM Systems Journal, vol. 18, no. 1, 1979, pp. 4-17.
7. CS5204 –
Operating Systems
Virtualization
7
VMMs Rediscovered
Server/workload consolidation (reduces “server sprawl”)
Compatible with evolving multi-core architectures
Simplifies software distributions for complex environments
“Whole system” (workload) migration
Improved data-center management and efficiency
Additional services (workload isolation) added “underneath” the OS
security (intrusion detection, sandboxing,…)
fault-tolerance (checkpointing, roll-back/recovery)
VMM
VirtualVirtual
MachineMachine
Guest OS
Application
VirtualVirtual
MachineMachine
Guest OS
Application
VirtualVirtual
MachineMachine
Guest OS
Application
Real
Machine
8. CS5204 –
Operating Systems
Virtualization
8
Architecture & Interfaces
Architecture: formal specification of a system’s interface and the logical
behavior of its visible resources.
Hardware
System ISA User ISA
Operating
System
System Calls
Libraries
Applications
ISA
ABI
API
API – application binary interface
ABI – application binary interface
ISA – instruction set architecture
9. CS5204 –
Operating Systems
Virtualization
9
VMM Types
System
Process
Provides ABI interface
Efficient execution
Can add OS-independent
services (e.g., migration,
intrustion detection)
Provdes API interface
Easier installation
Leverage OS services (e.g.,
device drivers)
Execution overhead (possibly
mitigated by just-in-time
compilation)
10. CS5204 –
Operating Systems
Virtualization
10
System-level Design Approaches
Full virtualization (direct execution)
Exact hardware exposed to OS
Efficient execution
OS runs unchanged
Requires a “virtualizable” architecture
Example: VMWare
Paravirtualization
OS modified to execute under VMM
Requires porting OS code
Execution overhead
Necessary for some (popular) architectures (e.g., x86)
Examples: Xen, Denali
12. CS5204 –
Operating Systems
Virtualization
12
System VMMs
Structure
Type 1: runs directly on host hardware
Type 2: runs on HostOS
Primary goals
Type 1: High performance
Type 2: Ease of
construction/installation/acceptability
Examples
Type 1: VMWare ESX Server, Xen, OS/370
Type 2: User-mode Linux
Type 1
Type 2
13. CS5204 –
Operating Systems
Virtualization
13
Hosted VMMs
Structure
Hybrid between Type1 and Type2
Core VMM executes directly on hardware
I/O services provided by code running on HostOS
Goals
Improve performance overall
leverages I/O device support on the HostOS
Disadvantages
Incurs overhead on I/O operations
Lacks performance isolation and performance
guarantees
Example: VMWare (Workstation)
15. CS5204 –
Operating Systems
Virtualization
15
Strategies
De-privileging
VMM emulates the effect on system/hardware
resources of privileged instructions whose
execution traps into the VMM
aka trap-and-emulate
Typically achieved by running GuestOS at a lower
hardware priority level than the VMM
Problematic on some architectures where
privileged instructions do not trap when executed
at deprivileged priority
Primary/shadow structures
VMM maintains “shadow” copies of critical
structures whose “primary” versions are
manipulated by the GuestOS
e.g., page tables
Primary copies needed to insure correct
environment visible to GuestOS
Memory traces
Controlling access to memory so that the shadow
and primary structure remain coherent
Common strategy: write-protect primary copies
so that update operations cause page faults
which can be caught, interpreted, and emulated.
resource
vmm
privileged
instruction
trap
GuestOS
resource
emulate change
change
16. CS5204 –
Operating Systems
Virtualization
16
Virtualizing the IA-32 (x86) architecture
Architecture has protection rings 0..3 with OS normally in ring 0 and
applications in ring 3…
…and VMM must run in ring 0 to maintain its integrity and control
…but GuestOS not running in ring 0 is problematic:
Some privileged instructions execute only in ring 0 but do not fault when
executed outside ring 0 (remember privileged vs. sensitive?)
instructions for low latency system calls (SYSENTER/SYSEXIT) always
transition to ring 0 forcing the VMM into unwanted emulation or overhead
For the Itanium architecture, interrupt registers only accessible in ring 0;
forcing VMM to intercept each device driver access to these registers has
severe performance consequences
Masking interrupts can only be done in ring 0
Ring compression: paging does not distinguish privilege levels 0-2,
GuestOS must run in ring 3 but is then not protected from its applications
also running in ring 3
Cannot be used for 64-bit guests on IA-32
The fact that it is not running in ring 0 can be detected (is this important?)
17. CS5204 –
Operating Systems
Virtualization
17
Memory Management
Isolation/protection of
Guest OS address spaces
Efficient MM address
translation
VMM
machine
VMM GuestOS
“shadow” page tables page tables
process
virtual
OS
physical
entity
address space