Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

XPDDS19: Memories of a VM Funk - Mihai Donțu, Bitdefender

This talk is a follow-up to our Summit 2017 presentation in which we covered our plans for Intel VMFUNC and #VE, as well as related use-cases. This year, we will provide a report on what we have accomplished in Xen 4.12, and what remains to be addressed. We will also give a brief status update of VMI on AMD hardware. The session will end with some real-world numbers of the Hypervisor Introspection solution running on Citrix Hypervisor 8.0 with #VE enabled.

  • Be the first to comment

  • Be the first to like this

XPDDS19: Memories of a VM Funk - Mihai Donțu, Bitdefender

  1. 1. Memories of a VM Funk Mihai Donțu, Engineering Manager, Bitdefender
  2. 2. Outline • 4.12 statistics • VMI on AMD • The 'Windows 10 RS4' event • The A/D bits conundrum • #VE / VMFUNC statistics with Citrix Hypervisor 8.0 • Intel Sub-Page Permission (SPP)
  3. 3. 4.12 Statistics • Xen releases since 2017's summit: 4.9, 4.10, 4.11, 4.12 • 68 patches, 45 in 4.12 alone • 5 developers: Adrian Pop, Alexandru Isăilă, Petre Pîrcălabu, Răzvan Cojocaru, Vlad Ioan Topan
  4. 4. VMI on AMD • Basic vm_event support done • All PT-walks trigger a write NPT #PF • No Intel MTF-like support • Realtime-VMI is essentialy a "no-go"
  5. 5. The 'Windows 10 RS4' event • Huge slowdown due to frequent PT modifications • Worked-around with a tiny in-guest filter (injected) • Proper solution: #VE agent • 64bit only
  6. 6. The A/D bits conundrum • We need to emulate A/D bit updates • There are three methods: • Optimistic (PTE-level): • If accessed is unset, set it • If accessed is set, set dirty if PTE is writable • Using the emulator: perform a full guest PT walk and update A/D according to the current instruction • Single-step via MTF
  7. 7. • #VE / VMFUNC statistics with Citrix Hypervisor 8.0 Firefox Chrome Opening multiple pages in multiple tabs (Y: seconds)
  8. 8. • Intel Sub-Page Permission (SPP) • Controlled by VMCS and EPTE[61] • Write protection only • Sub-page size: 128 bytes • Protect OS structures smaller than 4K • Mostly read-only but live in pages written often • Typical candidates (Windows): driver objects, IDT, HAL dispatch table
  9. 9. Q & A
  10. 10. Thank you!