Virtualization Introduction
Virtualization is an abstraction layer that decouples the physical hardware from the operating system in order to deliver greater IT resource utilization and flexibility. It allows multiple virtual machines, running heterogeneous operating systems (e.g., Windows Server 2003 and Linux) and applications, to run in isolation, side by side on the same physical machine.
- Terms
- virtualization is a framework or methodology for dividing the resources of a computer into multiple execution environments, by applying one or more concepts or technologies such as hardware and software partitioning, time-sharing, partial or complete machine simulation, emulation, quality of service, and many others.
- virtual machine is the software representation of a physical machine. It has its own set of virtual hardware (e.g., RAM, CPU, NIC, hard disks) on which an operating system and applications are loaded.
- Platform Virtualization
- The original sense of the term virtualization, dating from the 1960s, is the creation of a virtual machine using a combination of hardware and software. For convenience, we will call this platform virtualization. The term virtual machine apparently dates from the experimental IBM M44/44X system. The creation and management of virtual machines has also been referred to as creating pseudo machines, in the early CP-40 days, and as server virtualization more recently. The terms virtualization and virtual machine have both acquired additional meanings through the years.
- Platform virtualization is performed on a given hardware platform by host software (a control program), which creates a simulated computer environment, a virtual machine, for its guest software. The guest software, which is often itself a complete operating system, runs just as if it were installed on a stand-alone hardware platform. Typically, many such virtual machines are simulated on a single physical machine, their number limited only by the host's hardware resources, and there is no requirement for a guest OS to be the same as the host one. The guest system usually requires access to specific peripheral devices to function, so the simulation must support the guest's interfaces to those devices. Typical examples of such devices are a hard disk drive or a network interface card.
- Resource Virtualization
- The basic concept of platform virtualization, described above, was later extended to the virtualization of specific system resources, such as storage volumes, namespaces, and network resources. Resource aggregation, spanning, or concatenation combines individual components into larger resources or resource pools.
System Security and Virtualization
- Advantages of using virtualization to strengthen system security
- Virtualization technology provides new opportunities to strengthen system security in practice.
Hardening OS Using Virtualization Technology
Making an operating system "trustworthy" proves to be a non-trivial task. On the one hand, talking about trust in the context of a commodity operating system does not seem very meaningful. On the other hand, designing and realizing a new OS from scratch, with trust and security as a priori design considerations, is a task of a scale well beyond the scope of our current work.
We take a practical approach to "hardening" a commodity OS by building on virtual machine monitor (VMM) techniques. A VMM is a thin layer of the most privileged code, separated from the rest of the OS. In the virtual machine architecture this code sits beneath the OS and specializes in intercepting, monitoring and processing the service calls that pass from processes to the OS and from the OS to the underlying hardware. For example, a cut-and-paste from one process (e.g., a web browser) to another (e.g., a document editor) causes the OS first to issue a service call for read access to a memory location belonging to the first process, and then another call for write access to a memory location belonging to the second. If the OS runs on top of a VMM, these calls are intercepted by the VMM before being relayed to, and their results returned from, the hardware underneath. One VMM can serve several (even different) OSes on a single set of hardware resources. In essence, then, the VMM acts as a middleman not only between processes but also between a process and the OS kernel: inter-process and process-to-kernel communications can all be intercepted by the VMM. Note that a VMM only sees operations that trap to it, such as privileged instructions, page-table updates and device I/O; which guest operations are intercepted is therefore decided by how the VMM configures the hardware, not by the guest.
The above behavior of the VMM is privileged and mandatory. A malicious entity, even one controlling the OS kernel, cannot cause the VMM's interception to be bypassed unless the VMM code itself is modified by the attacker (for which see the countermeasure based on TCG technologies, to be described later). A malicious OS kernel can refuse to cooperate with the VMM, and this seems to be the only feasible attack; it is of course not very interesting in collaborative computing applications. This property of non-deviation is essential to achieving a meaningful sense of trust in the system's behavior. In our use of the VMM, we focus on the following functions:
- Interposition
- Isolation
- I/O Sealing
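As an added illustration (not code from this page, nor from the VMM the authors describe), the following C program models the control-program/guest relationship sketched under Platform Virtualization together with the three functions listed above. The guest instruction set, register count, port numbers and window sizes are all hypothetical. Guest memory accesses are translated through a window the monitor assigned, so a guest cannot name another guest's memory (isolation); the privileged OUT instruction traps to the monitor instead of reaching the device directly (interposition); and the monitor refuses writes to a port that is sealed away from the guest, standing in for a device such as a TPM that only the monitor may drive (I/O sealing):

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical guest ISA for this example (not a real VMM):
 * LOADI r,imm   r = imm                     unprivileged
 * LOAD  r,addr  r = mem[addr]               guest-physical addr, translated by the monitor
 * STORE r,addr  mem[addr] = r
 * ADD   r,s     r = r + s                   unprivileged
 * OUT   p,r     device_port[p] = r          privileged: traps to the monitor
 * HALT                                                                       */
enum { OP_HALT, OP_LOADI, OP_LOAD, OP_STORE, OP_ADD, OP_OUT };
typedef struct { int op, a, b; } Insn;

#define HOST_MEM 64
#define NPORTS 4
static uint32_t host_mem[HOST_MEM];   /* the single physical memory shared by all guests */
static uint32_t device_port[NPORTS];  /* last value each device port accepted */

typedef struct {
    const Insn *code; int ncode; int pc;
    uint32_t regs[4];
    int base, limit;       /* memory window [base, base+limit) assigned by the monitor */
    uint32_t io_mask;      /* bit p set => guest may write port p (the I/O sealing policy) */
    int traps;             /* privileged operations intercepted by the monitor */
} VM;

typedef enum { RUN_OK, FAULT_MEM, FAULT_IO, FAULT_PC, RUN_STEPS } RunResult;

/* Interposition point 1: every guest memory access goes through the monitor's
 * translation, which models the page tables the monitor installed for the guest. */
static int monitor_translate(const VM *vm, uint32_t gaddr, uint32_t **hptr) {
    if (gaddr >= (uint32_t)vm->limit || vm->base + gaddr >= HOST_MEM) return 0;
    *hptr = &host_mem[vm->base + gaddr];
    return 1;
}

/* Interposition point 2: OUT is privileged, so it traps; the monitor, not the
 * guest kernel, decides whether this VM may reach the port. */
static int monitor_trap_out(VM *vm, int port, uint32_t value) {
    vm->traps++;
    if (port < 0 || port >= NPORTS || !(vm->io_mask & (1u << port))) return 0;
    device_port[port] = value;   /* emulate the device write on the guest's behalf */
    return 1;
}

RunResult vm_run(VM *vm, int max_steps) {
    for (int step = 0; step < max_steps; step++) {
        if (vm->pc < 0 || vm->pc >= vm->ncode) return FAULT_PC;
        Insn in = vm->code[vm->pc++];
        uint32_t *p;
        switch (in.op) {
        case OP_HALT:  return RUN_OK;
        case OP_LOADI: vm->regs[in.a & 3] = (uint32_t)in.b; break;
        case OP_ADD:   vm->regs[in.a & 3] += vm->regs[in.b & 3]; break;
        case OP_LOAD:
            if (!monitor_translate(vm, (uint32_t)in.b, &p)) return FAULT_MEM;
            vm->regs[in.a & 3] = *p; break;
        case OP_STORE:
            if (!monitor_translate(vm, (uint32_t)in.b, &p)) return FAULT_MEM;
            *p = vm->regs[in.a & 3]; break;
        case OP_OUT:
            if (!monitor_trap_out(vm, in.a, vm->regs[in.b & 3])) return FAULT_IO;
            break;
        default: return FAULT_PC;
        }
    }
    return RUN_STEPS;
}

/* Scenario 1 (isolation): guest A stores a secret; guest B, given a disjoint
 * window, has no address that reaches A's memory. Returns 1 if isolation held. */
int demo_isolation(void) {
    static const Insn a_code[] = {{OP_LOADI,0,0x1234},{OP_STORE,0,0},{OP_HALT,0,0}};
    static const Insn b_code[] = {{OP_LOAD,0,8},{OP_HALT,0,0}};  /* addr 8 lies outside B's 8-word window */
    memset(host_mem, 0, sizeof host_mem);
    VM a = { a_code, 3, 0, {0}, 0, 8, 0, 0 };
    VM b = { b_code, 2, 0, {0}, 8, 8, 0, 0 };
    RunResult ra = vm_run(&a, 100), rb = vm_run(&b, 100);
    return ra == RUN_OK && rb == FAULT_MEM && host_mem[0] == 0x1234 && b.regs[0] == 0;
}

/* Scenario 2 (I/O sealing): port 0 is sealed to the monitor (think of a TPM or a
 * measured disk); the guest may only use port 1. The first OUT is emulated, the
 * second traps and is refused even though the guest "kernel" issued it. */
int demo_io_sealing(void) {
    static const Insn code[] = {{OP_LOADI,0,42},{OP_OUT,1,0},{OP_LOADI,0,7},{OP_OUT,0,0},{OP_HALT,0,0}};
    memset(device_port, 0, sizeof device_port);
    VM g = { code, 5, 0, {0}, 16, 8, 1u << 1, 0 };
    RunResult r = vm_run(&g, 100);
    return r == FAULT_IO && device_port[1] == 42 && device_port[0] == 0 && g.traps == 2;
}

int main(void) {
    printf("isolation held: %d\n", demo_isolation());
    printf("I/O sealing held: %d\n", demo_io_sealing());
    return 0;
}
```

Both scenario functions return 1 when the property held. The point to notice is what the guest cannot do: there is no instruction by which guest code changes its own window or io_mask, and the guest kernel is just more guest code. That is the sense in which the monitor's interposition is mandatory rather than cooperative, and it is why an attacker who owns the guest kernel is reduced to refusing to cooperate or to modifying the monitor itself.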
Topic revision: r2 - 09 May 2008 - 13:34:54 - Main.Admininistrator