CLOUD COMPUTING

ASSIGNMENT

SUBMITTED BY
AJAY ANEJA
2018ht12620
Q: It has been discussed that x86 architecture supports virtualization
and that the sensitive or privileged instructions becomes a concern in
the construction of VMM for a processor in any architecture. Identify
such sensitive instructions in x86 architecture and analyze the problem
that each of these instructions posses for virtualization.

Virtualization:
Virtualization is a technology that allow the user to create multiple virtual/ simulated
environment using single physical hardware system.
Purpose of the virtualization:
 Abstraction:- to simplify the use of the underlying resources.
 Replication: To create multiple instances of the resources.
 Isolation: to separate the uses which clients make of the underlying resources.

Virtual Machine Monitor(VMM):

A Software that connects directly to the hardware and allows partition of the single system
into multiple simulated environment.
The physical system, equipped with the software that allows the virtualization possible, is
called the host, whereas the VM’s which uses the resources of the host machine are called
guests. These guests treat computing resources- like CPU, memory, and storage as a pool of
resources that can easily be relocated.

Hypervisor is such software that allows Virtualization possible.

In 1974 Popek and Goldberg claimed that in order to build an effective hypervisor all
sensitive instruction, i.e., the instruction which can change resource availability or
configuration, should be privileged instructions.
Popek and Goldberg’s Ideal Virtual Machine Characteristics, i.e., VMM should present the below
three properties

 Equivalence
A program running under the VMM should exhibit a behavior essentially identical to that
demonstrated when running on an equivalent machine directly. i.e., virtual machine
should show identical environment and behavior with physical machine.
 Resource control
The VMM must be in complete control of the virtualized resources and resources for all
the guest machines should be isolated.
 Efficiency
A statistically dominant fraction of machine instructions must be executed without VMM
intervention, i.e., most instructions should be directly executed by processor.

X86 Architecture:
x86 is a family of instruction set architectures based on the Intel 8086 mircroprocessor and its
variant 8088.
The x86 architecture primarily handles programmatic functions and provides services, such
as memory addressing, software and hardware interrupt handling, data type, registers and
input/output (I/O) management
Popek and Goldberg provided the classification of instructions of an ISA to achieve
virtualization which give sufficient conditions (but not necessary) for virtualization, i.e.,
 Privileged instructions
Those instructions that trap if the processor is in user mode and do not trap if its in
system mode.
 Control Sensitive Instructions
Those instructions that attempt to change the configuration of resources in the system.
 Behavior Sensitive instruction
Those instructions whose behavior or result depends on the configuration of resources

Instructions involved sensitive registers:

 SGDT, SIDT, SLDT
 SMSW
 PUSHF, POPF
The sensitive instructions (also called IOPL-sensitive) may only be executed when CPL
(Current Privilege Level) <= IOPL (I/O Privilege Level). Attempting to execute a sensitive
instruction when CPL > IOPL will generate a GP (general protection) exception

Sensitive Registers:
Store segment descriptors which containing base address, type, length and access rights for memory
segments
 GDTR (Global descriptor table register)
 IDTR (Interrupt descriptor table register)
 LDTR (Local descriptor table register)
X86 VIRTUALIZATION CHALLENGES:
The problems faced by virtualization of the x86 architecture:
• Ring deprivileging: It is a technique in VMM which forces the guest software, i.e.,
operating system and applications to run at a privilege level greater than 0. The x86
architecture provides four protection rings, 0-3. Ring 0) where the operating system would
normally run. Since Ring-3 is based on Ring-0, any system compromise or instability directly
impacts User Mode running in Ring-3. In order to isolate Ring-0 for each virtualized guest, it
then becomes necessary to move Ring-0 closer to the guests.
Two solutions are then possible: (a) the (0/1/3) mode when the VMM, the OS, and the
application run at privilege levels 0,1 and 3, respectively; Thus, the operating system that
runs originally on ring 0 is moved to another less privileged ring like ring 1 which allowd the
VMM to control the guest OS access to resources. (b) the (0,3,3) mode when the VMM, a
guest OS, and applications run at privilege levels 0,3 and 3, respectively. The first mode is
not feasible for x86 processors in 64-bit mode, as we shall see shortly.
• Ring aliasing: it refers to the problem which arises/created when software is run at a
privilege level other than the level for which it was written, i.e., when a guest OS is forced to
run at a privilege level other than that it was originally designed for. For example, In IA-32
when the CS register2 is PUSH, the current privilege level in the CR is also stored on the
stack. Similarly, the Itanium instruction br.call saves the current privilege level into the ppl
field in the PFS register, which can be read at any privilege level.
In both cases, guest OS could easily determine that it is not running at privilege level 0

• Address space compression: a VMM uses parts of the guest address space to store
several system data structures such as the interrupt-descriptor table and the global-descriptor
table. Such data structures must be protected, but the guest software must have access to
them.
For IA-32, these structures include the IDT and the GDT, which reside in the linear-address
space. For the Itanium architecture, the structures include the IVT, which resides in the
virtual-address space.
• Non-faulting access to privileged state: Privilege-based protection prevents unprivileged
software from accessing certain components of CPU state. In most cases, such attempts cause
faults which allows VMM to emulate the desired guest instruction.
Several instructions LGDT, SIDT, SLDT and LTR loading the registers GDTR, IDTR,
LDTR, and TR can only be executed by software running at privileged level 0 because these
instructions point to data structures that control the CPU operation. Nevertheless, instructions
that store from these registers fail silently when executed at a privilege level other than 0.
This implies that a guest OS executing one of these instructions does not realize that the
instruction has failed.

• Guest system calls: Ring deprivileging can interfere with the effectiveness of facilities
in certain x86 architectures that accelerate the delivery and handling of transitions to OS
software.
For example, two instructions SYSENTER and SYSEXIT support low-latency system calls.
The first causes a transition to privilege level 0, while the second causes a transition from
privilege level 0 and fails if executed at a level higher than 0. The VMM must then emulate
every guest execution of either of these instructions and this has a negative impact on
performance.

• Interrupt virtualization: in response to a physical interrupt the VMM generates a

“virtual interrupt” and delivers it later to the target guest OS. But every OS has the ability to
mask interrupts thus, the virtual interrupt could only be delivered to the guest OS when the
interrupt is not masked. Keeping track of all guest OS attempts to mask interrupts greatly
complicates the VMM and increases the overhead.

• Access to hidden states: elements of the system state, e.g., descriptor caches for
segment registers, are hidden. In IA-32, There is no mechanism for saving and restoring the
hidden components when there is a context switch from one VM to another.
• Ring compression: Ring deprivileging uses privilege based mechanism to protect the
VMM from guest software, i.e., In order to achieve isolation among virtual machines, VMM
runs at the ring 0 and the virtual machines run runs either on 1 (0/1/3 model or ring 3(0/3/3
model)). 0/1/3 model is simpler but cannot be achieved in the x86 architecture. Thus, in order
to protect VMM code from being overwritten by guest OS and application; two mechanisms
Paging and segmentation are used. Systems running in 64-bit mode can only use paging, but
paging does not distinguish between privilege levels 0, 1, and 2, thus the guest OS must run
at privilege level 3, the so called (0/3/3) mode. This result in a guest OS running in ring 3
unprotected from user applications. Privilege levels 1 and 2 cannot be used thus, the name
ring compression.
Frequent access to privileged resources increases VMM overhead; the task-priority register
(TPR) is frequently used by a guest OS. The VMM must protect the access to this register
and trap all attempts to access it, this can cause a significant performance degradation.