Formal Requirements for Virtualizable Third Generation Architectures Gerald J. Popek University of California, Los Angeles and Robert P. Goldberg Honeywell.

Slides:



Advertisements
Similar presentations
Virtualization Dr. Michael L. Collard
Advertisements

More on Processes Chapter 3. Process image _the physical representation of a process in the OS _an address space consisting of code, data and stack segments.
Popek & Goldberg’s notation
Operating Systems Lecture 10 Issues in Paging and Virtual Memory Adapted from Operating Systems Lecture Notes, Copyright 1997 Martin C. Rinard. Zhiqing.
Chapter 6 Security Kernels.
Distributed Systems CS Virtualization- Part II Lecture 24, Dec 7, 2011 Majd F. Sakr, Mohammad Hammoud andVinay Kolar 1.
OS Fall ’ 02 Introduction Operating Systems Fall 2002.
G Robert Grimm New York University Disco.
Operating System Structure. Announcements Make sure you are registered for CS 415 First CS 415 project is up –Initial design documents due next Friday,
Disco Running Commodity Operating Systems on Scalable Multiprocessors.
OS Spring’03 Introduction Operating Systems Spring 2003.
Figure 1.1 Interaction between applications and the operating system.
OS Spring’04 Introduction Operating Systems Spring 2004.
November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #29-1 Chapter 33: Virtual Machines Virtual Machine Structure Virtual Machine.
Slide 3-1 Copyright © 2004 Pearson Education, Inc. Operating Systems: A Modern Perspective, Chapter 3 Operating System Organization.
Virtualization for Cloud Computing
Computer Organization and Assembly language
Distributed Systems CS Virtualization- Overview Lecture 22, Dec 4, 2013 Mohammad Hammoud 1.
虛擬化技術 Virtualization and Virtual Machines
Introduction to Virtual Machines. Administration Presentation and class participation: 40% –Each student will present two and a half times this semester.
CSE 451: Operating Systems Winter 2012 Module 18 Virtual Machines Mark Zbikowski and Gary Kimura.
Virtualization Technology Prof D M Dhamdhere CSE Department IIT Bombay Moving towards Virtualization… Department of Computer Science and Engineering, IIT.
Zen and the Art of Virtualization Paul Barham, et al. University of Cambridge, Microsoft Research Cambridge Published by ACM SOSP’03 Presented by Tina.
Intel
COP 4600 Operating Systems Spring 2011 Dan C. Marinescu Office: HEC 304 Office hours: Tu-Th 5:00-6:00 PM.
Microkernels, virtualization, exokernels Tutorial 1 – CSC469.
Chapter 3 Process Description and Control Operating Systems: Internals and Design Principles, 6/E William Stallings Patricia Roy Manatee Community College,
Operating System Support for Virtual Machines Samuel T. King, George W. Dunlap,Peter M.Chen Presented By, Rajesh 1 References [1] Virtual Machines: Supporting.
Virtualization Concepts Presented by: Mariano Diaz.
Benefits: Increased server utilization Reduced IT TCO Improved IT agility.
Three fundamental concepts in computer security: Reference Monitors: An access control concept that refers to an abstract machine that mediates all accesses.
Contact Information Office: 225 Neville Hall Office Hours: Monday and Wednesday 12:00-1:00 and by appointment.
Recall: Three I/O Methods Synchronous: Wait for I/O operation to complete. Asynchronous: Post I/O request and switch to other work. DMA (Direct Memory.
Operating Systems ECE344 Ashvin Goel ECE University of Toronto OS-Related Hardware.
Outline Basic VM Concepts Formal Definitions Virtualization Theorems
Formal Requirements for Virtualizable Third Generation Architectures
Computers Operating System Essentials. Operating Systems PROGRAM HARDWARE OPERATING SYSTEM.
 Virtual machine systems: simulators for multiple copies of a machine on itself.  Virtual machine (VM): the simulated machine.  Virtual machine monitor.
Disco : Running commodity operating system on scalable multiprocessor Edouard et al. Presented by Vidhya Sivasankaran.
Virtual 8086 Mode  The supports execution of one or more 8086, 8088, 80186, or programs in an protected-mode environment.  An 8086.
Operating Systems 1 K. Salah Module 1.2: Fundamental Concepts Interrupts System Calls.
Full and Para Virtualization
Introduction Why are virtual machines interesting?
Operating-System Structures
Protection of Processes Security and privacy of data is challenging currently. Protecting information – Not limited to hardware. – Depends on innovation.
Virtualizing a Multiprocessor Machine on a Network of Computers Easy & efficient utilization of distributed resources Goal Kenji KanedaYoshihiro OyamaAkinori.
© 2010 VMware Inc. All rights reserved ARM Virtualization: CPU & MMU Issues Prashanth Bungale, Sr. Member of Technical Staff.
Running Commodity Operating Systems on Scalable Multiprocessors Edouard Bugnion, Scott Devine and Mendel Rosenblum Presentation by Mark Smith.
CSCI/CMPE 4334 Operating Systems Review: Exam 1 1.
1 Chapter 2: Operating-System Structures Services Interface provided to users & programmers –System calls (programmer access) –User level access to system.
1 Virtualization "Virtualization software makes it possible to run multiple operating systems and multiple applications on the same server at the same.
CS 695 Topics in Virtualization and Cloud Computing, Autumn 2012 CS 695 Topics in Virtualization and Cloud Computing More Introduction + Processor Virtualization.
1.1 Silberschatz, Galvin and Gagne ©2013 Operating System Concepts – 9 th Edition Chapter 1: Introduction What Operating Systems Do √ Computer-System Organization.
VIRTUALIZATION.
Introduction to Virtualization
Virtualization.
Virtualization D. J. Foreman 2009.
Virtualization Dr. Michael L. Collard
Formal Virtual Machines
Virtual Servers.
OS Virtualization.
Virtualization Techniques
Computer-System Architecture
A Survey on Virtualization Technologies
Chapter 33: Virtual Machines
Virtual machines benefits
Computer Security: Art and Science, 2nd Edition
Prof. Leonardo Mostarda University of Camerino
Chapter 33: Virtual Machines
Hypervisor A hypervisor or virtual machine monitor (VMM) is computer software, firmware or hardware that creates and runs virtual machines. A computer.
Presentation transcript:

Formal Requirements for Virtualizable Third Generation Architectures Gerald J. Popek University of California, Los Angeles and Robert P. Goldberg Honeywell Information Systems and Harvard University Published: July 1974, Volume 17, Number 7 Communications of the ACM Presented by James Owens Old Dominion University For CS795 on 11/7/2014

About the Authors Gerald J. PopekRobert P. Goldberg Alma Maters: o NYU, Nuclear Engineering o Harvard, Applied Math Notable Works: o “Popek and Goldberg Virtualization Requirements” o LOCUS, Distributed OS o CTO CarsDirect.com o CTO NetZero -> Juno o DARPA Steering Committee Died 20 July 2008 Alma Maters: o MIT, Math o Harvard, Applied Math Notable works: o “Popek and Goldberg Virtualization Requirements” o Ph.D. thesis, classification for Hypervisors Died 25 Feb 1994 Source: Wikipedia/en-us 11/2/

Significance Formally defines a minimal set of conditions which (provably) allow a computer system to support a virtual machine monitor. Foundational work, cited over 938 times. [Google Scholar, Nov 2014]

Virtual Machine (IN)CAPABLE IBM 360/67DEC-PDP 10 Image Sources:

Primary Theorem For any conventional third generation computer, a virtual machine monitor may be constructed if the set of sensitive instructions for that computer is a subset of privileged instructions.

Approach 1.Define a Third Generation Computer. Identify privileged and sensitive instructions. 2.Define a Virtual Machine Monitor. 3.Discuss examples and extensions.

Third Generation Computer

First Generation Computers Vacuum Tubes | Image Source

Second Generation Computers Transistors | Image Source

Third Generation Computers Integrated Circuits | Image Source

Fourth Generation Computers Microprocessors | Present Image Source

3 rd Gen. - Abstract Model Processor with supervisor and user modes o Supervisor, may use entire instruction set o User, may use a subset of instructions Linear, Uniformly Addressable memory o Executable Memory is of size Q o All addresses are a base + offset < Q Arithmetic, look-up, and copy operations exist while I/O instructions and Interrupts do not.

Primary Theorem For any conventional third generation computer, a virtual machine monitor may be constructed if the set of sensitive instructions for that computer is a subset of privileged instructions.

3 rd Gen. - Abstract Model State & Linear Memory State (E, M, P, R) E xecutable Memory* o Size Q M ode of processor P rogram Counter o address relative to R 0 <= P && P < B R elocation Register (L, B) o L – absolute address to a relative 0 o B – bounds of memory space as size *Note: All references to memory by the processor are relocated. Image Source:

3 rd Gen. - Abstract Model Traps All operations which violate constraints or otherwise would cause an undesirable action trap, then execute some predefined exception handler. Recall Q is the size of E and B is the size of R(l,b).

3 rd Gen. - Abstract Model Instruction Behavior Privileged instructions are those which trap in user mode, do not trap in s upervisor mode, AND do not memory trap. o A function of the physical machines ISA. o *This definition requires trapping; a NOP does not satisfy the definition.

3 rd Gen. - Abstract Model Instruction Behavior Sensitive instructions: 1. Control Sensitive: Modify resource allocation Modify processor mode 2. Behavior Sensitive: The effect of execution depends upon R(l,b) or the mode.

3 rd Gen. - Abstract Model Instruction Behavior Control Sensitive: o (Potentially) Modify memory allocation. LOAD PSW, LOAD R In English: If the MODE or R(l,b) could be different after the execution of some arbitrary instruction, then that instruction is control sensitive. o M1 != M2 o R(l,b)1 != R(l,b)2

3 rd Gen. - Abstract Model Instruction Behavior Behavior Sensitive: o Location Sensitive: LRA : Load physical address. Recall S(E,M, P,R) | R(l,b) => P o E[l + P] | l+P < B && l+P < Q o Mode Sensitive: MFPI : Move from previous instruction Effective address depends on mode.

Primary Theorem For any conventional third generation computer, a virtual machine monitor may be constructed if the set of sensitive instructions for that computer is a subset of privileged instructions. Recall: o Privileged Instructions trap in user mode Sensitive instructions: o modify M or R o calculate addresses dependent upon M or R

Virtual Machine Monitor

1974 DiagramModern diagram Sources: Popek Goldberg,

Virtual Machine Monitor Software with three essential characteristics: 1.Provides an environment for programs which is essentially identical to the original machine. 2.Programs (VMs) run in this environment show at worst only minor decreases in speed. 3.The VMM always has complete control of resources.

VMM: Essentially Identical Provides an essentially identical environment… Caveats: 1.Availability of system resources 1.E.g. System Bus, Memory, I/O 2.Timing dependencies due to concurrent virtual machines.

VMM: Efficiency VMs show only minor decreases in speed… A majority of instructions must run on bare metal, without software intervention by the VMM. Non-sensitive, non-privileged instructions are innocuous.

VMM: Resource Control Resources: memory, peripherals, etc.* are entirely controlled by the VMM. 1.No VM may acquire resources without the VMM. 2.The VMM can take resources away. *Note: This does not include the processor.

VMM Construction

VMM as a modular control program: 1.Dispatcher 2.Allocator 3.Interpreter(s)

VMM Construction Dispatcher, the top level control module. o Dispatcher decides what module to call. o All traps lead to the dispatcher.

VMM Construction Allocator, the system resource manager. o e.g. Memory Lookup Table. o Ensures against memory violations.

VMM Construction Interpreter(s), exception handlers. o A set of modules for each trapping instruction o One interpreter for each privileged instruction o Purpose is to simulate the effect of an instruction which traps.

Primary Theorem For any conventional third generation computer, a virtual machine monitor may be constructed if the set of sensitive instructions for that computer is a subset of privileged instructions.

Virtual Machine (IN)CAPABLE IBM 360/67DEC-PDP 10 Image Sources:

Why can’t the PDP-10 support a VM system? Answer: PDP-10 Instruction: JRST 1 JRST 1, return to user mode, is a supervisor control sensitive instruction which is not a privileged instruction. What does this mean? o It cannot host a VMM as defined

Questions

Recursive Virtualization A conventional third generation computer is recursively virtualizable if it is: (a)virtualizable, and (b)A VMM without any timing dependencies can be constructed for it

Hybrid Virtual Machines The PDP-10 can host a hybrid VM system because all of the user sensitive instructions are privileged. An HVM is almost identical to a VMM o More instructions are interpreted All instructions in virtual supervisor mode will be interpreted.

Proof Existential Proof, non-exclusive. State Transition tables are limited by size of theoretical machine. Use of Lemmas 1-3 in an inductive proof. * Resource Control and Efficiency are addressed by Thm.1.

Lemma 1 Innocuous instructions, as executed by the virtual machine system, obey the equivalence property.

Lemma 2 Sensitive instructions, as interpreted by the virtual machine system, obey the equivalence property.

Lemma 3 Given all single instructions obey the equivalence property, any finite sequence of instructions also obeys the equivalence property.

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.