Virtualization and its application
Virtualization and its Applications
Tatsuo Nakajima1, Kenji Kono2, Yoichi Ishiwata3, Kenichi Kourai4, Shuichi Oikawa5, Hiroshi Yamada2,
Hiromasa Shimada1, Yuki Kinebuchi1, Tomohiro Miyahira6
1Waseda University, 2Keio University, 3AIST,
4Kyushu Institute of Technology, 5University of Tsukuba, 6Dependable Embedded OS Research and Development Center
Outline
• Contributions to the DEOS project
• Overview
• D-System Monitor
  – Monitoring OS behavior
  – Securing security software
  – The monitoring service
• D-Visor
  – SPUMONE: a multi-core processor based virtualization layer for embedded systems
  – ART-Linux: a virtualization layer for hard real-time systems
  – Verification technique for virtualization layers
• Distinctive features
• Demonstration
Contributions to DEOS
• The open systems development process consists of:
  – Requirements/environment change accommodation cycle,
  – Failure reacting cycle.
• The actions of the failure reacting cycle include:
  – failure prevention
  – responsive action
  – cause analysis
• Virtualization is part of D-fops.
  – D-System Monitor,
  – D-Visor.
[Figure: D-fops system configuration. The steps of the DEOS development process that virtualization can contribute to are cause analysis, responsive action and failure prevention, through the D-System Monitor and D-Visor.]
Overview
• D-Visor supports the dependability of an OS (operating system) by monitoring it from the outside.
  – The dependability of OSes is threatened by the complexity of OSes and by attacks targeting OSes.
• D-System Monitor monitors the I/O data and internal data structures of the monitored OS kernel.
  ⇒ D-System Monitor detects erroneous states and behavior at the kernel level, and removes the causes if possible.
[Figure: D-System Monitor and the monitored OS kernel (Linux) both run on top of D-Visor. D-System Monitor monitors the I/O to/from devices and the kernel's internal structures, and detects and removes erroneous states.]
D-System Monitor
• D-System Monitor guarantees that the OS is working as expected.
  – The OS offers security mechanisms such as authentication, authorization, and access control, and they cannot be trusted if the OS is hijacked.
• Hijacking OSes is one of the most serious threats.
• Monitors the runtime behavior and internal data structures of the OS kernel from the outside.
  – Can precisely inspect I/O operations, internal data structures, accesses to privileged registers, and the execution of privileged instructions.
• The monitored OS cannot disguise those behaviors.
  – Difficult to compromise D-System Monitor due to the isolation of virtual machines.
  – In open systems, the mechanisms would evolve as the demands of applications change.
Monitoring OS Behavior
• An OS infected by malware is NOT operating in a regular way.
  – E.g., if the OS is infected by a keylogger:
    • The OS issues disk I/O and/or network I/O on every key input due to the key logging activities.
• Detects malware by observing the OS behavior from inside the VMM layer.
  – Injects events into the monitored OS.
    • Events: system calls, hardware/software interrupts, etc.
  – Observes the reactions of the monitored OS to the injected events.
    • Reactions: accesses to the devices, control registers, etc.
[Figure: applications and the OS run on a virtual CPU, virtual keyboard, virtual NIC and virtual HDD provided by the VMM on the hardware. The VMM injects system calls and interrupts, observes the results, and observes the accesses to devices, control registers, etc.]
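The keylogger case above, as an added simulation (not FoxyKBD's or the DEOS project's code): the VMM injects keystrokes through the virtual keyboard, alternates them with idle ticks, and compares the device I/O observed after a keystroke with the device I/O observed after an idle tick. The guest models, the counters and the 0.5 threshold are constructed for the example.

```c
#include <stdio.h>
#include <stdbool.h>

/* Constructed VMM-side view of a guest: only the counters of its virtual
 * devices are visible; the guest's reaction to an injected keystroke or to an
 * idle tick is modelled by a callback. Added example, not FoxyKBD code. */
typedef struct {
    unsigned long ticks;    /* events delivered so far */
    unsigned long disk_io;  /* requests seen on the virtual HDD */
    unsigned long net_io;   /* packets seen on the virtual NIC */
} device_counters;

/* key >= 0: a keystroke injected through the virtual keyboard; key < 0: idle tick */
typedef void (*guest_model)(device_counters *dev, int key);

/* Constructed clean guest: keystrokes stay in memory; the only device I/O is
 * background activity unrelated to keys (e.g. a periodic log flush). */
void clean_guest(device_counters *dev, int key) {
    (void)key;
    if (++dev->ticks % 7 == 0) dev->disk_io++;
}

/* Constructed infected guest: same background, plus a log write and a network
 * send for every keystroke, as the slide describes for a keylogger. */
void keylogging_guest(device_counters *dev, int key) {
    if (++dev->ticks % 7 == 0) dev->disk_io++;
    if (key >= 0) { dev->disk_io++; dev->net_io++; }
}

/* Probe from the VMM: alternate injected keystrokes with idle ticks and measure
 * the extra device I/O a keystroke causes compared with an idle tick. Taking
 * the difference cancels background I/O, so a clean guest scores about 0. */
double probe_io_per_key(guest_model guest, unsigned events) {
    device_counters dev = { 0, 0, 0 };
    unsigned long io_key = 0, io_idle = 0, keys = 0, idles = 0;
    for (unsigned i = 0; i < events; i++) {
        unsigned long before = dev.disk_io + dev.net_io;
        bool inject = (i % 2 == 0);
        guest(&dev, inject ? (int)('a' + i % 26) : -1);         /* inject a key, or let the guest idle */
        unsigned long delta = dev.disk_io + dev.net_io - before;  /* reaction observed at the devices */
        if (inject) { io_key += delta; keys++; } else { io_idle += delta; idles++; }
    }
    double per_key = keys ? (double)io_key / keys : 0.0;
    double per_idle = idles ? (double)io_idle / idles : 0.0;
    return per_key - per_idle;
}

/* Decision: more than `threshold` extra device operations per keystroke is the
 * keylogger signature (every key input producing disk and/or network I/O). */
bool is_keylogger_suspect(double io_per_key, double threshold) {
    return io_per_key > threshold;
}

int main(void) {
    double clean = probe_io_per_key(clean_guest, 200);          /* 0.00 */
    double infected = probe_io_per_key(keylogging_guest, 200);  /* 2.00 */
    printf("clean guest:    %.2f extra I/O per key -> %s\n", clean,
           is_keylogger_suspect(clean, 0.5) ? "SUSPECT" : "ok");
    printf("infected guest: %.2f extra I/O per key -> %s\n", infected,
           is_keylogger_suspect(infected, 0.5) ? "SUSPECT" : "ok");
    return 0;
}
```

The subtraction of the idle baseline is what makes the probe usable on a guest that does background I/O of its own; without it, a busy but clean guest would look like the infected one.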
Securing Security Software
• Offloading security software enables existing software to be executed more securely.
  – The security software is moved to the monitoring VM.
• D-Visor introduces a new unit for resource management, named a resource cage.
  – A resource cage manages the resources used by both the security software and the monitored VM.
  – D-Visor can control the resource allocation to both in total, as before the offloading.
• The monitoring VM provides a new execution environment, named VM shadow.
  – Existing software can monitor the monitored VM transparently.
[Figure: on D-Visor, a monitored VM and a monitoring VM; the security software runs in a VM shadow inside the monitoring VM, and the resource cage spans both the monitored VM and the security software.]
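The resource cage idea, as an added illustration that is not D-Visor's code: the cage owns one CPU-time budget per accounting period, and both the monitored VM and the security software offloaded from it draw on that budget, so together they never consume more than the VM alone was allotted before offloading. The budget sizes, the period and the member names are constructed.

```c
#include <stdbool.h>
#include <stdio.h>

/* Added example: a resource cage modelled as a shared CPU-time budget. */
typedef struct {
    const char *name;
    unsigned used;          /* ticks charged to this member in the current period */
} cage_member;

typedef struct {
    unsigned budget;        /* ticks per period: what the VM had before offloading */
    unsigned used;          /* ticks charged to the cage as a whole */
    cage_member vm;         /* the monitored VM */
    cage_member security;   /* security software now running in the monitoring VM */
} resource_cage;

void cage_init(resource_cage *c, unsigned budget) {
    resource_cage zero = { budget, 0, { "monitored VM", 0 }, { "security software", 0 } };
    *c = zero;
}

/* Charge `ticks` of CPU time to a member. Grants at most what the cage still
 * has left, so neither member can push the cage past its budget; returns the
 * number of ticks actually granted. */
unsigned cage_charge(resource_cage *c, cage_member *m, unsigned ticks) {
    unsigned remaining = c->budget - c->used;
    unsigned granted = ticks < remaining ? ticks : remaining;
    m->used += granted;
    c->used += granted;
    return granted;
}

/* A new accounting period: usage resets, the budget stays. */
void cage_new_period(resource_cage *c) {
    c->used = c->vm.used = c->security.used = 0;
}

/* Invariant the hypervisor can check: the cage total is the sum of its members
 * and never exceeds the pre-offload allotment. */
bool cage_within_budget(const resource_cage *c) {
    return c->used <= c->budget && c->vm.used + c->security.used == c->used;
}

/* Constructed scenario: the VM had 40 ticks per period before offloading; now
 * the security software (15 ticks) and the VM (asking for 30) share those 40. */
unsigned offload_demo_vm_granted(void) {
    resource_cage c; cage_init(&c, 40);
    cage_charge(&c, &c.security, 15);
    return cage_charge(&c, &c.vm, 30);      /* 25: capped by the cage total */
}

unsigned offload_demo_cage_used(void) {
    resource_cage c; cage_init(&c, 40);
    cage_charge(&c, &c.security, 15);
    cage_charge(&c, &c.vm, 30);
    cage_charge(&c, &c.security, 5);        /* nothing left: 0 granted */
    return cage_within_budget(&c) ? c.used : 0;   /* 40, the pre-offload allotment */
}

int main(void) {
    printf("VM granted %u of 30 ticks; cage used %u of 40\n",
           offload_demo_vm_granted(), offload_demo_cage_used());
    return 0;
}
```

The point the scenario shows is that offloading changes where the security software runs, not how much of the machine the pair is allowed to take: the other VMs on D-Visor see the same total as before.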
The Monitoring Service
• Checks the kernel data structures of Linux directly, in order to detect rootkits that infect the kernel data structures.
• Accesses Linux kernel data structures without locking.
• Local memory protects the monitoring service from Linux.
[Figure: the monitoring service (MS) runs on Core0 in core-local memory, out of reach of attacks from Linux running on Core1 to Core3, and performs integrity checks on the Linux kernel data structures. Timeline of context switches between the monitoring service and the Linux kernel, from t1 (start traversing) to t2 (end traversing): (1) consistent case, the process list is not modified during the traversal; (2) inconsistent case, the process list is updated (entries changed or added) while the traversal is in progress.]
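The consistent and inconsistent cases of the figure, as an added simulation rather than the monitoring service's own code. The kernel's process list is a circular doubly-linked list walked by the monitoring service without taking any lock; the sequence counter next to the list is my assumption about how a lock-free reader can tell a traversal that overlapped an update from a clean one (seqlock style: odd while a writer is inside, even once it has finished). The slides do not say how the monitoring service makes that distinction. The integrity check verifies that every node's prev/next pointers agree.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example: a stand-in for the kernel process list plus a sequence
 * counter (assumed mechanism, see the lead-in). */
typedef struct task { int pid; struct task *next, *prev; } task;
typedef struct { task head; uint32_t seq; } task_list;

void list_init(task_list *l) {
    l->head.pid = -1;
    l->head.next = l->head.prev = &l->head;
    l->seq = 0;
}

/* Kernel side (writer, on its own core): append a process to the list. */
void kernel_add_task(task_list *l, task *t, int pid) {
    l->seq++;                                   /* odd: update in progress */
    t->pid = pid;
    t->next = &l->head; t->prev = l->head.prev;
    l->head.prev->next = t; l->head.prev = t;
    l->seq++;                                   /* even: update complete */
}

typedef struct {
    int count;          /* processes seen in the traversal */
    bool consistent;    /* the list did not change between t1 and t2 */
    bool intact;        /* every node's prev/next pointers agree (integrity check) */
} ms_result;

/* Simulation hook: kernel activity that happens in the middle of a traversal. */
typedef void (*mid_traversal_fn)(task_list *l, void *ctx);

/* Monitoring service side (reader): one traversal, no lock held. */
ms_result ms_check_once(task_list *l, mid_traversal_fn during, void *ctx) {
    ms_result r = { 0, true, true };
    uint32_t t1 = l->seq;                       /* start traversing */
    if (t1 & 1) { r.consistent = false; return r; }   /* writer inside: do not read now */
    for (task *t = l->head.next; t != &l->head; t = t->next) {
        if (t->prev == NULL || t->next == NULL) { r.intact = false; break; }
        if (t->prev->next != t || t->next->prev != t) r.intact = false;   /* corrupted link */
        r.count++;
        if (during && r.count == 1) during(l, ctx);   /* simulated concurrent update */
    }
    uint32_t t2 = l->seq;                       /* end traversing */
    if (t2 != t1) r.consistent = false;         /* updated under us: discard this pass */
    return r;
}

/* Retry until a pass completes without an intervening update. */
ms_result ms_check(task_list *l, int max_tries, mid_traversal_fn during, void *ctx) {
    ms_result r = { 0, false, true };
    for (int i = 0; i < max_tries && !r.consistent; i++)
        r = ms_check_once(l, during, ctx);
    return r;
}

/* Constructed kernel activity for the inconsistent case: one process is added
 * while the monitoring service is part-way through the list. */
typedef struct { task spare; bool fired; } add_once;
void add_during_traversal(task_list *l, void *ctx) {
    add_once *a = ctx;
    if (!a->fired) { a->fired = true; kernel_add_task(l, &a->spare, 99); }
}

/* Scenario (1): three processes, no update: 3 seen, consistent. */
int scenario_consistent_count(void) {
    task_list l; task t[3]; list_init(&l);
    for (int i = 0; i < 3; i++) kernel_add_task(&l, &t[i], i + 1);
    return ms_check(&l, 1, NULL, NULL).count;
}

/* Scenario (2): update during traversal: first pass discarded, retry sees 4. */
bool scenario_update_detected(void) {
    task_list l; task t[3]; add_once a = { { 0, NULL, NULL }, false }; list_init(&l);
    for (int i = 0; i < 3; i++) kernel_add_task(&l, &t[i], i + 1);
    ms_result first = ms_check_once(&l, add_during_traversal, &a);
    ms_result retry = ms_check(&l, 3, add_during_traversal, &a);
    return !first.consistent && retry.consistent && retry.count == 4;
}

/* Integrity check: a stale back-pointer (constructed corruption) is reported. */
bool scenario_corruption_detected(void) {
    task_list l; task t[3]; list_init(&l);
    for (int i = 0; i < 3; i++) kernel_add_task(&l, &t[i], i + 1);
    t[1].prev = &t[2];
    return !ms_check(&l, 1, NULL, NULL).intact;
}

int main(void) {
    printf("consistent: %d processes\n", scenario_consistent_count());
    printf("update during traversal detected and retried: %d\n", scenario_update_detected());
    printf("corrupted link detected: %d\n", scenario_corruption_detected());
    return 0;
}
```

Discarding the pass rather than reporting from it matters: a half-updated list can make a legitimately created process look like one that was hidden, so only a traversal bracketed by an unchanged counter is allowed to raise an alarm.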
D-Visor
• Infrastructure to accommodate the OS and D-System Monitor.
  – Provision of isolation: spatial and temporal.
  – A practical solution for embedded systems: less overhead, and no hardware-assisted virtualization support necessary.
• Developing two implementations focusing on multi-core processors for embedded systems.
  – SPUMONE: lightweight D-Visor for embedded systems.
  – ART-Linux: D-Visor for hard real-time systems.
• Verification by model checking.
  – Provision of a specification description of a virtualization layer.
  – The DEOS project's verification team is developing a model checker.
  – The DEOS model checker verifies the description and checks the correct uses of lock variables, pointers, and processor hardware.
SPUMONE: A Multi-core Processor based Virtualization Layer for Embedded Systems
• Maps and schedules virtual cores on physical cores dynamically.
• Reduces interrupt latency without degrading real-time performance.
• Isolates the RTOS from the GPOS without requiring special virtualization hardware support.
• Detects integrity violations in OS kernels.
ART-Linux
• ART-Linux embeds a virtualization layer to provide a multi-Linux environment.
• By dividing the computational resources and allocating them statically during initialization, multiple OSes can run without degrading real-time performance.
  – The memory is divided into several areas by physical address.
  – Either the original Linux kernel or ART-Linux can be selected as the OS kernel.
  – Peripheral devices are assigned to each OS by PCI device number.
• On this D-Visor, temporal isolation must be prioritized, and spatial isolation is not provided.
[Figure: eight cores C0 to C7 with memory shared among them. SMP Linux runs on some of the cores and one ART-Linux kernel on each of the remaining cores; the peripheral devices (hard disk, VGA, network, network, AD/DA converters, counter) are each assigned to one OS kernel.]
Verification Technique for Virtualization Layers
[Figure: the virtualization layer program and the hardware specification are both checked to verify correct operations to hardware, in order to avoid fatal errors.]
• Virtualization layers can themselves be a cause of failures, although they are introduced in order to reinforce the dependability of systems.
• Verify a virtualization layer by model checking.
  – The DEOS model checker can verify the safety properties of C programs.
  – The DEOS model checker verifies the specification description and checks the correct uses of lock variables, pointers, and hardware (processor and devices).
Distinctive Features of D-System Monitor
• Difficult to compromise due to the isolation mechanism offered by virtual machines.
  – Safely inspects the monitored OS kernel.
    • In open systems, the OS is NOT trusted.
• Can adapt to changes of open system environments.
  – D-System Monitor is replaceable like a plug-in.
    • We can choose a proper D-System Monitor module to meet the demands of the execution environment.
    • Our modules can tune their parameters to monitor the OS behavior according to the current situation.
Distinctive Features of D-Visor
• SPUMONE improves dependability by using multiple cores.
  – Core-local memory for lightweight protection and reliability management.
  – Dynamic VCPU/physical core management for lower power consumption.
• ART-Linux embeds a virtualization layer to provide a multi-Linux environment.
  – User-level periodic execution with high frequency and low jitter at microsecond accuracy.
• Verification of a virtualization layer by model checking.
  – Verifies and enforces correct operations to hardware by tracing the operations.
  – Those operations can span multiple invocations.
Demonstrations
• D-System Monitor
  – FoxyKBD: key logger detector
  – The monitoring service
• D-Visor
  – SPUMONE: a multi-core processor based virtualization layer for embedded systems
  – ART-Linux: a virtualization layer for hard real-time systems
• Verification Technique
  – Model checking a virtualization layer.