Virtualization Structure and Tools

Uploaded by

Jeevanandhams

Virtualization Structures / Tools and Mechanisms


Virtualization
• The hypervisor provides hypercalls for the guest OSes and applications.
• A hypervisor can assume a micro-kernel architecture, or it can assume a monolithic hypervisor architecture.
• A micro-kernel hypervisor includes only the basic and unchanging functions; device drivers and other changeable components are outside the hypervisor.
• A monolithic hypervisor implements all the aforementioned functions, including those of the device drivers.
Xen Architecture
• A VMM, which allows users to dynamically instantiate an operating system.
• Hosts operating systems like Linux and Windows.
• Multiple operating systems can run simultaneously and perform different tasks.
• Completely software based and requires no special hardware support.

8-Feb-19
Xen Architecture
• Supports unmodified application binaries.
• Implements all the mechanisms, leaving the policy to be handled by Domain 0.
• Core components of a Xen system are the hypervisor, kernel, and applications.
• Not all guest OSes are created equal, and one in particular controls the others.
• The guest OS which has control ability is called Domain 0, and the others are called Domain U.
Xen Architecture
• Domain 0 is a privileged guest OS which is first loaded when Xen boots without any file system driver.
• Uses para-virtualization to provide high performance and good resource isolation:
• The guest operating system has to be modified to run on
the Virtual Machine Monitor.
• Specifically, the guest OS can no longer execute in ring 0,
because that ring is now occupied by the VMM.
• The guest OS has to be modified to run outside of ring 0
Xen Architecture
• Domain 0 is designed to access hardware directly and manage devices.
• So, one of the responsibilities of Domain 0 is to allocate and map hardware resources for the guest domains.
• Domain 0, behaving as a VMM, allows users to create, copy, save, read, modify, share, migrate, and roll back VMs as easily as manipulating a file.
• If Domain 0 is compromised, the hacker can control the entire system. So, in the VM system, security policies are needed to improve the security of Domain 0.
Binary Translation with Full Virtualization

• Depending on implementation technologies, hardware virtualization may be either full virtualization or host-based virtualization.
• Full virtualization does not need to modify the host OS.
• It relies on binary translation to trap and to virtualize the execution of certain sensitive, nonvirtualizable instructions.
• Noncritical instructions run on the hardware directly, while critical instructions are discovered and replaced with traps into the VMM to be emulated by software.
Binary Translation with Full Virtualization

• The VMM scans the instruction stream and identifies the privileged, control- and behavior-sensitive instructions.
• When these instructions are identified, they are trapped into the VMM, which emulates the behavior of these instructions.
• The method used in this emulation is called binary translation.
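
The scan-and-replace step described above, as an added C example that is not part of the original slides. It is a toy model: every instruction is assumed to be one byte, the guest code is assumed not to contain 0xCC itself, and the names struct vcpu, bt_translate and bt_run, as well as the use of 0xCC as the trap marker, are illustrative assumptions.

```c
#include <stddef.h>
#include <stdint.h>

/* Toy model: every instruction is one byte; real x86 needs a full decoder. */
enum { OP_NOP = 0x90, OP_PUSHF = 0x9C, OP_POPF = 0x9D, OP_TRAP = 0xCC,
       OP_HLT = 0xF4, OP_CLI = 0xFA, OP_STI = 0xFB };
#define FLAG_IF (1u << 9)            /* interrupt-enable bit in EFLAGS */

/* Virtual CPU state kept by the VMM (hypothetical layout for this example). */
struct vcpu { uint32_t vflags; int halted; unsigned emulated;
              uint32_t stack[8]; int sp; };

/* Privileged or behaviour-sensitive opcodes that must not run natively. */
static int is_critical(uint8_t op) {
    return op == OP_CLI || op == OP_STI || op == OP_HLT ||
           op == OP_PUSHF || op == OP_POPF;
}

/* Scan pass: copy code into out, replacing each critical opcode with a trap.
 * saved[] keeps the original byte for the VMM. Returns the patch count. */
size_t bt_translate(const uint8_t *code, size_t n, uint8_t *out, uint8_t *saved) {
    size_t patched = 0;
    for (size_t i = 0; i < n; i++) {
        saved[i] = code[i];
        out[i] = is_critical(code[i]) ? (uint8_t)OP_TRAP : code[i];
        patched += is_critical(code[i]);
    }
    return patched;
}

/* VMM side: emulate one trapped instruction on the virtual CPU state only,
 * so the guest sees and changes its own flags, never the real ones. */
static void vmm_emulate(struct vcpu *v, uint8_t op) {
    switch (op) {
    case OP_CLI:   v->vflags &= ~FLAG_IF; break;
    case OP_STI:   v->vflags |= FLAG_IF;  break;
    case OP_HLT:   v->halted = 1;         break;
    case OP_PUSHF: if (v->sp < 8) v->stack[v->sp++] = v->vflags; break;
    case OP_POPF:  if (v->sp > 0) v->vflags = v->stack[--v->sp]; break;
    }
    v->emulated++;
}

/* Run translated code: noncritical bytes stand for direct execution,
 * trap bytes enter the VMM. Stops when the virtual CPU halts. */
void bt_run(const uint8_t *out, const uint8_t *saved, size_t n, struct vcpu *v) {
    for (size_t i = 0; i < n && !v->halted; i++)
        if (out[i] == OP_TRAP) vmm_emulate(v, saved[i]);
}
```

PUSHF and POPF are included because they are sensitive without being privileged: run natively outside Ring 0 they would not fault, so only the scan pass catches them.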
Host Based Virtualization
• Dedicated applications may run on the VMs. Certainly, some other applications can also run with the host OS directly.
• The host-based architecture has flexibility.
Para Virtualization
• Needs to modify the guest OS.
• Para-virtualization attempts to reduce the virtualization overhead, and thus improve performance, by modifying only the guest OS kernel.

VIRTUALIZATION 8-Feb-19 Dr.S.Sundararajan
Para Virtualization
• The guest OSes are para-virtualized. They are assisted by an intelligent compiler to replace the nonvirtualizable OS instructions by hypercalls, as illustrated.
• The traditional x86 processor offers four instruction execution rings: Rings 0, 1, 2, and 3.
• The lower the ring number, the higher the privilege of the instruction being executed. The OS is responsible for managing the hardware and the privileged instructions to execute at Ring 0; applications run at Ring 3.
Para Virtualization with Compilation Support
• Para-virtualization handles these instructions at compile time.
• The guest OS kernel is modified to replace the privileged and sensitive
• The guest OS runs at Ring 1 instead of at Ring 0.
• It implies that the guest OS may not be able to execute some privileged and sensitive instructions.
Para Virtualization with Compilation Support
• The privileged instructions are implemented by hypercalls to the hypervisor.
• After replacing the instructions with hypercalls, the modified guest OS emulates the behavior of the original guest OS.
