Dune:&Safe&User-level&Access&to& Privileged&CPU&Features&
1y ago
40 Views
1 Downloads
573.46 KB
36 Pages
Report/dmca
Download PDF

Transcription

Dune:SafeUser- reaBi stosKozyrakisStanfordUniversity

AquickreviewofVirtualizaAonHW LastlecturetalkedaboutAMDSVM Thislecture:IntelVT- ‐x(conceptuallyverysimilar) Keyidea:– AddsorthogonalGuestandHostCPUmodes– archstatesavedandrestoredinVMCS– HWperformstransiAonsbetweenmodes VMExit- ‐ traptohypervisor(enterhostmode) VMEnter- ‐ runtheguestOS(enterguestmode)2

NormallyIDTGDTPGTBLCPLCPUVMCSEPTIDTGDTWithVT- PU(GuestMode)CPL

SomeKeyVT- ‐xInstrucAons VMLAUNCH–calledfirstAmetoenterguestmode VMRESUME–calledforsubsequententriestoguestmode VMPTRLD–setstheVMCSpointer(ordinarymemory) TheVMCSisaccessedwithVMREADandVMWRITE WhyisitnotokaytomodifyVMCSmemorydirectly? VMCALLforcesaVMexit4

HowhasVirt.HWChanged? AdamsandAgesen’sstudywas 6yearsago VMexitandVMentrynowmuchfaster Morehardwaresupport,lessneedto“trap- ‐and- ‐emulate”– IOMMU- ‐ rawpassthroughdevices– Unrestrictedguestmode- ‐ fasterboot NestedpagingHWiswidelyavailable NETRESULT:Be nt)5

VirtualizaAonHWSupporthasbecomeUbiquitous NotjustAMDandIntelx86 AvailableonARM,Itanium,Power Desktops,servers,notebooks,cellphones 6

Sowhatcanwedowithit? Isitonlyusefulforrunningvirtualmachines? ssafeaccesstoprivilegeCPUfeatures7

Outline 8

Thepowerofprivilege PrivilegedCPUfeaturesarefundamentaltokernels Butother,compellinguses:– SpeedupgarbagecollecAon(AzulC4) PagetablesprovidememoryaccessinformaAon– PrivilegeseparaAonwithinaprocess(Palladium) MMUhardwareisolatescompartments– SafenaAvecodeinwebbrowsers(Xax) Systemcallhandlerinterceptssystemcalls9

atch composabilityconcerns10

xokernelCPU Problem:mustreplaceenAreOSstack11

pervisorCPU Problem:virtualmachineshavestrictparAAoning12

DuneinaNutshellKernelAppPOSIXHostModeGuestModeCPU Providesafeuser- ‐levelaccesstoprivilegedCPUfeatures SAllanormalprocessinallways(POSIXAPI,etc) Keyidea:leverageexisAngvirtualizaAonhardware(VT- ‐x)13

eTablePTEsGuestModeCPUGuestPageTable 4

Outline 15

AvailableCPUfeatures PrivilegeModes– SYSRET,SYSEXIT,IRET VirtualMemory– MOVCRn,INVLPG,INVPCID ExcepAons– LIDT,LTR,IRET,STI,CLI SegmentaAon– LGDT,LLDT16

ModeGuestModeCPU Hostmode– Normallyusedforhypervisors– InDune,werunthekernelhere Reason:needaccesstoVT- ‐xinstrucAons

ModeGuestModeCPU Guestmode– NormallyusedbytheguestOS– InDune,werunordinaryprocesseshere Reason:needaccesstoprivilegedfeatures

ModeGuestModeCPU DuneModule( 2500LOC)– ConfiguresandmanagesvirtualizaAonhardware– upportaprocessabstracAon– UsesIntelVT- ‐x(couldeasilyaddAMDSVM)

ModeGuestModeCPU libDune( 6,000LOC)– dwarefeatures– Completelyuntrusted– pagetablemanagement,ELFloader

ProvidingaprocessabstracAon Memorymanagement Systemcalls POSIXSignals21

MemorymanagementinDune ConfiguretheEPTtoprovideprocessmemory lHost- ‐VirtualKernelPageTableDuneProcessGuest- ‐VirtualUserPageTableGuest- ‐PhysicalEPTHost- ‐Physical(RAM)22

ProcessHostModeSyscallHandlerGuestModeCPU SYSCALLwillonlytrapbackintotheprocess emcalls23

ring3)SyscallHandler de(i.e.ring3onx86) ectmemory24

SignalsinDune Signalsshouldonlybedeliveredtoring0 Whathappensifprocessisinring3? theprocesstoring0– Worksbutslowandsomewhatcomplex OursoluAon:deliversignalsasinjectedinterrupts– HardwareautomaAcallyswitchestoring0– CanuseCLIandSTItoefficientlymasksignals25

ManyimplementaAonchallenges ReducingVMexitandVMentryoverhead nel EPTdoesnotsupportenoughaddressspace Checkthepaperfordetails26

Outline 27

EvaluaAon HowmuchoverheaddoesDuneadd? WhatpotenAaldoesDunecreateforopAmizaAon? WhatisDune’sperformanceinend- ‐to- ‐endusecases?28

Overheadanalysis Twosourcesofoverhead– VMXtransiAons– 1382,68736Dune8955,09386

OpAmizaAonanalysis LargeopportuniAesforopAmizaAon– FastersystemcallinterposiAonandtraps– Moreefficientuser- 94,49694,85430

End- ‐to- ‐endcasestudies Webuiltandevaluatedthreesystems ApplicaAonsandbox( 1300LOC)– ary GarbagecollecAon(lessthan100LOCchange)– ybits PrivilegeseparaAon( 750LOC)– ssthroughuseofmulAplepageroots(withTLBtagging)31

% SlowdownSandbox:SPEC2000performanceSandboxSandbox w/ LGPGLinux w/ LGPGfoltw 2ipbz xrtevopga mkrlbpeneo rerspa pmam ytafcr keuaeqcfmtaraesmcgcrvpipgz2520151050 5 10 15 20 25 Onlynotableend- ‐to- ‐endeffectisEPToverhead Canbeeliminatedthroughuseoflargepages32

Sandbox:ligh warePlayer verhead33

Performanceofotherusecases essthan100LOC) 750LOC)34

Conclusions tures fely Aonswithoutkernelchanges Dunehasmodestperformanceoverhead DownloadDuneath p://dune.scs.stanford.edu35

FutureWork ARMsupport,AMDsupport,32- ‐bitsupport,x32support Passthroughdevicesupport(w/VT- ‐dandSR- ‐IOV) CoolapplicaAons– C4Garbagecollector?– Anawesomesandbox?36

Dune:&Safe&User-level&Access&to& Privileged&CPU&Features& Adam&Belay,&Andrea Bi au,Ali& MashAzadeh,&David&Terei, David&Mazières,&and&Christos&Kozyrakis&

Related Books

Getting started with DUNE - TU Dresden

Getting started with DUNE - TU Dresden

Chapter 19 Deserts Wind and Deserts - University of Colorado Boulder

Chapter 19 Deserts Wind and Deserts - University of Colorado Boulder

Modelling Desert Dune Fields Based on Discrete Dynamics

Modelling Desert Dune Fields Based on Discrete Dynamics

Boardwalk Interactions with a Lake Michigan Dune System

Boardwalk Interactions with a Lake Michigan Dune System

The Dune Encyclopedia: a Future History in The Age of Mechanical .

The Dune Encyclopedia: a Future History in The Age of Mechanical .

Basic Dune Physical Characteristics - Sea Grant

Basic Dune Physical Characteristics - Sea Grant

1.1 How are Sand Dunes Formed? succession - New ESS Course

1.1 How are Sand Dunes Formed? succession - New ESS Course

Beach Stabilization - Stockton University

Beach Stabilization - Stockton University

Deep Underground Neutrino Experiment: DUNE - INDICO-FNAL (Indico)

Deep Underground Neutrino Experiment: DUNE - INDICO-FNAL (Indico)

Sand Dune Species Distribution and Size Variations in Two Areas Inside .

Sand Dune Species Distribution and Size Variations in Two Areas Inside .

Dune Inventory: City of Virginia Beach

Dune Inventory: City of Virginia Beach

PopularTags

Recent Views