class: center, middle

### Secure Computer Architecture and Systems

***

# Introduction to Virtualisation

---
name: def

# Definition

Quick and easy definition:

> Virtualisation technologies are the set of software and hardware components that allow **running multiple operating systems at the same time on the same physical machine**
---
template: def

.center[**Fundamental challenge:** An OS expects to run alone with full privileges on a physical machine, i.e. to have total control over that physical machine's hardware! How can 2 OSes cohabit on the same host?]

---

# A Bit of History

- **1960s: IBM's VM**
  - Project System/360 (S/360)
  - Family of computers of various sizes (and processing power) built using the same architecture
  - Client can buy a small model for testing/prototyping then possibly a large mainframe later

--

  - Clients then wanted to move software running on multiple small models to a single large one: **consolidation**

--

  - 14 models sold between 1965 and 1978, **model 67 (1966) introduced a virtualisable Instruction Set Architecture (ISA)**:
      - Physical machine can appear as multiple, less powerful versions of itself: **virtual machines**

---

# A Bit of History (2)

.leftcol[
- **1974: Popek & Goldberg theorem**
  - Seminal paper: *Formal Requirements for Virtualisable Third Generation Architectures*
- **1990s: Disco**
  - Hypervisor from Stanford, first version of VMware
- **2000s: Xen, KVM, VirtualBox, Hyper-V, etc.**
]

---
class: inverse, middle, center

# Virtualisation: Motivation & Use Cases

---

# Use Cases: Consolidation

.leftcol[
- **Consolidation**: creating X virtual machines from X physical ones and running them on Y physical hosts (with Y < X)
  - Historical motivation for developing virtualisation technologies
- Gives (most of) the **benefits of multi-computer systems without the management costs**:
  - Software dependencies
  - Reliability, security
]

---

# Use Cases: Software Development

- Flexible **OS diversity**: different OSes on the same machine
  - E.g. VirtualBox with Linux for kernel development on a Windows host

--

- **Rapid and cost-efficient provisioning**
  - Way faster than ordering and deploying physical machines

--

- **VMs are self-contained**
  - Practical way to “pack” an application with all its software dependencies
      - Model and version of the OS, libraries, etc.
  - Useful for development, automated testing, and even deployment
---

## Use Cases: Checkpoint/Restart, Migration

- The state of a running VM is easily identifiable hence the VM can be:
  - **Checkpointed and restarted**: VM's state dumped on disk, can resume later
      - Useful e.g. for long-running jobs

--

  - **Live-migrated**: transparently move a running VM between hosts:
      - To free physical machines for maintenance, power saving, load balancing, or when a fault is expected

--

- Both techniques are straightforward for a VM as opposed to an application (i.e. a process)

--

.small[
* Seminal paper: *Clark et al., _Live Migration of Virtual Machines_, NSDI'05*
]

---

# Use Cases: Hardware Emulation

For development, backward compatibility
---

# Use Cases: Cloud Computing

- Virtualisation enables **cloud computing**
  - Lets cloud providers securely share their computing infrastructure between clients (tenants)

--

- Cloud principle: **offloading local tasks to remote computing resources**, e.g.:
  - Renting VMs to put a web server (IaaS)
  - Deploy and run a web application using Google App Engine (PaaS)
  - Offload mail server online to Gmail/Outlook (SaaS)

--

- Goals: save on management, infrastructure, development, maintenance costs
---

# Use Cases: Security

- **Virtualisation provides very strong isolation between guests**
- **Sandboxing**
  - Cloud, virus/malware analysis, honeypots, process/task level isolation through virtualisation (e.g. QubesOS)

--

- **VM introspection**
  - Analysis of the guest behaviour from a privilege level higher than the OS's
  - Guest OS cannot be trusted
  - E.g. LibVMI
---
class: inverse, center, middle

# Virtualisation: In-depth Definition

---
name: definition

# Virtualisation: Definition

From Bugnion et al., *Hardware and Software Support for Virtualization*:

> Virtualisation is the **abstraction at a widely-used interface** of one or several components of a computer system, whereby the created virtual resource is **identical** to the virtualised component and **cannot be bypassed** by its clients

--

- **Applies to a VM:**
  - Abstraction at the software (OS) ⇔ hardware interface
  - Presenting an identical virtual hardware able to run *unmodified* existing OSes
  - Guest OSes cannot escape this abstraction

--

- **Applies to more than VMs: virtual memory, scheduling, storage solutions**

---
name: more-def

## Multiplexing, Aggregation, Emulation

- Virtualisation, in its general definition, is achieved by using/combining three main principles:

---
class: inverse, center, middle

# Virtual Machines
---

# System-level Virtual Machines

.leftcol[
- **Creates a model of the *hardware* for a (mostly) unmodified operating system to run on top of it**
- Each VM running on the computer has its own copy of the virtualised hardware
]
---

# Hypervisor-based VM

- **A hypervisor or Virtual Machine Monitor (VMM)** creates a VM of the **same architecture** as the host. Aims to jointly achieve 3 goals:
  - **Equivalence**: must run unmodified guest OSes and applications
  - **Safety**: VMs cannot escape the isolation enforced by the hypervisor
  - **Performance**: VMs must run with close to native performance

--

- To that aim, hypervisors rely on **direct execution** as much as possible:

--

  - VM code executes directly on the physical CPU, at a lower privilege level than the hypervisor (fast)

--

  - Only the instructions that would allow the VM to escape the VMM's control (e.g. installing a new page table) are emulated safely by the VMM (slow)

--

  - Achieved without modifying the guest by trapping to the VMM upon such instructions
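---

Direct execution with trap-and-emulate, as described on the Hypervisor-based VM slide, shown as an added example that is not part of the original slides. The toy instruction set, `struct vcpu`, `vmm_emulate`, `run_guest` and the four-frame VM size are hypothetical names and values chosen for the illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
/* Constructed toy ISA for illustration; not a real architecture. */
enum op { OP_ADD, OP_LOAD_PT, OP_HALT };
struct insn { enum op op; uint32_t arg; };
#define GUEST_FRAMES 4u /* assumption: the VM owns frames 0..3 only */
struct vcpu {
    uint32_t acc;     /* ordinary guest register */
    uint32_t pt_root; /* virtual page-table root, maintained by the VMM */
    unsigned traps;   /* exits from direct execution into the VMM */
    bool stopped;     /* set when the VMM refuses an operation */
};

/* Slow path: validate, then update the VM's virtual state only. */
static void vmm_emulate(struct vcpu *v, struct insn i) {
    v->traps++;
    if (i.arg < GUEST_FRAMES)
        v->pt_root = i.arg;
    else
        v->stopped = true; /* root outside the VM's memory: refuse */
}

/* Runs guest code and returns the number of instructions completed. */
unsigned run_guest(struct vcpu *v, const struct insn *code, unsigned n) {
    unsigned done = 0;
    for (unsigned pc = 0; pc < n && code[pc].op != OP_HALT; pc++, done++) {
        if (code[pc].op == OP_LOAD_PT)
            vmm_emulate(v, code[pc]);  /* sensitive: trap to the VMM */
        else
            v->acc += code[pc].arg;    /* harmless: direct execution */
        if (v->stopped)
            break;                     /* refused instruction not counted */
    }
    return done;
}

/* Constructed guest program: one valid and one out-of-range load. */
static const struct insn demo_code[] = {
    {OP_ADD, 2}, {OP_LOAD_PT, 1}, {OP_ADD, 3},
    {OP_LOAD_PT, 9}, {OP_ADD, 100}, {OP_HALT, 0},
};

int main(void) {
    struct vcpu v = {0};
    unsigned done = run_guest(&v, demo_code, 6);
    printf("done=%u acc=%u root=%u traps=%u stopped=%d\n", done, v.acc, v.pt_root, v.traps, v.stopped);
}
```

Only the two page-table loads reach the VMM; the second is refused because its root lies outside the frames given to the VM, so the guest never runs the instructions after it.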
---

# Type I vs. II Hypervisors

--

.small[
- **Resource allocation & scheduling**
  - Type I: done by the hypervisor
  - Type II: more involvement from the host OS
]
---

## Hypervisors: Memory Denomination

- Another level of translation added, taken care of by the hypervisor:
  - (guest) virtual memory → (guest) pseudo-physical memory → (host) physical memory

---
class: inverse, center, middle

# Wrapping Up

---

# Wrapping Up

- Virtualisation is a very high-level concept
  - In this course: **running concurrently several OSes** by creating a fake model of the hardware
  - **System-level virtual machines** created by a hypervisor

--

- Principles: **equivalence**, **safety**, **performance**
  - Guest OS should run (close to) unmodified
  - With (close to) native performance
  - And should (absolutely) not be able to escape its isolated environment
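---

The extra translation level from the Memory Denomination slide, worked through as an added example that is not part of the original slides. The table contents, the 4 KiB page size and the names `guest_pt`, `p2m` and `translate` are constructed for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT 12u
#define PAGE_MASK  ((1u << PAGE_SHIFT) - 1u)
#define NPAGES     4u
#define NONE       UINT32_MAX /* marks an unmapped entry */

enum xlate { XL_OK, XL_GUEST_FAULT, XL_HYP_FAULT };

/* Constructed tables. Stage 1 belongs to the guest OS: guest virtual
 * page -> pseudo-physical frame. Entry 3 names frame 7, which the VM
 * was never given. */
static const uint32_t guest_pt[NPAGES] = { 2, 0, NONE, 7 };
/* Stage 2 belongs to the hypervisor: pseudo-physical frame -> host
 * physical frame. Only frames 0..3 of this VM have an entry. */
static const uint32_t p2m[NPAGES] = { 0x120, 0x087, 0x3A1, 0x044 };

static uint32_t lookup(const uint32_t *tbl, uint32_t idx) {
    return idx < NPAGES ? tbl[idx] : NONE;
}

/* Translate a guest virtual address to a host physical address. */
enum xlate translate(uint32_t gva, uint32_t *hpa) {
    uint32_t gfn = lookup(guest_pt, gva >> PAGE_SHIFT);
    if (gfn == NONE)
        return XL_GUEST_FAULT;  /* ordinary page fault, guest OS handles it */
    uint32_t hfn = lookup(p2m, gfn);
    if (hfn == NONE)
        return XL_HYP_FAULT;    /* frame outside the VM: hypervisor refuses */
    *hpa = (hfn << PAGE_SHIFT) | (gva & PAGE_MASK);
    return XL_OK;
}

int main(void) {
    const uint32_t gvas[] = { 0x0abc, 0x1010, 0x2000, 0x3004 };
    for (unsigned i = 0; i < 4; i++) {
        uint32_t hpa = 0;
        enum xlate r = translate(gvas[i], &hpa);
        printf("gva 0x%04x -> status %d hpa 0x%06x\n",
               (unsigned)gvas[i], (int)r, (unsigned)hpa);
    }
}
```

The guest controls only the first table, so even a page-table entry naming a frame it does not own ends in a hypervisor-level fault instead of a host physical address.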