SANS Security+ 2008 Study Guide

The Purpose and Application of Virtualization Technology

September 18th, 2008
By Chris Crowley



Virtualization Technology is a method of allocating and presenting the physical resources of one piece of computer hardware to multiple operating system instances. It is used for far more than honeypots, but honeypots depend on this technology. The presentation to each operating system has the appearance of a complete, discrete system.

The history of today's virtualization is rooted in IBM Mainframe technology.[1] In 1972, IBM provided a method for segmenting the resources of its VM/370 operating system. The mainframe has tremendous computing resources, and the virtualization strategy allowed parallel use of the resources to maximize utilization.

While the mainframe hardware resources are reasonably well suited to this sort of segmentation, the x86 processor architecture is unfortunately not well suited for it. At its onset of adoption, the x86 hardware platform was relatively slim on resources. Its major benefit was its attractive low cost for a desktop system. However, that low cost advantage grew the platform into a dominant architecture present in the data center.[2]

Today's virtualization sets out to accomplish the initial goal of maximizing resource utilization, providing for the most efficient use of a system's hardware resources. It has also incorporated two additional goals. The first is the notion of utility computing. Utility computing "just works" and doesn't fail. The term comes from the notion of electrical, water or telephone utilities, and it includes the notions of fault tolerance and high availability. The second is management of the complex operational requirements of pairing operating systems with hardware, in an attempt to achieve a hardware-independent operating system image.

Currently, there are four major paradigms of virtualization technology: Hosted, Binary Translation, Paravirtualization, and Hardware Assist.[3] The hosted strategy runs an application within an operating system, and that application provides a virtual environment. Binary Translation, also referred to as "Full Virtualization," presents a software-based rendition of a complete hardware image so the operating system can perform its tasks. Paravirtualization includes a thin layer of software to manage the actual hardware, and customized operating system drivers to call devices in the paravirtualized software to accomplish the presentation of a complete hardware device to the operating system. Hardware Assist takes advantage of enhanced Virtualization Technology provided by Intel[4], AMD[5] and other[6] processor architectures.

The current strategy for enterprise class virtualization is to provide a hypervisor which interfaces directly with the physical hardware. The hypervisor then presents a virtual machine monitor in which the guest operating system runs. Both the Full Virtualization and Paravirtualization strategies utilize the hypervisor model.[7]

There are several technical challenges involved in virtualizing the physical hardware. CPU privilege is a significant one. The CPU ring privilege model on a non-virtualized system sees the prioritized OS level calls running in Ring-0, while the user applications run at a lower privilege in Ring-3.[8] For a virtualized environment without hardware assist, the guest OS is run at either Ring-1 or Ring-3 so the virtual machine monitor can continue to run in Ring-0. This complicates the situation because the running guest operating system expects to run in Ring-0.[9] Other issues exist: the address space that the guest operating system expects to see; what system calls are available; the system interrupt; hidden state information; direct access to privileged resources.[10] Memory addressing, Input/Output device calls, and Networking present technical challenges as well.[11]

Intel has produced VT-x and VT-i[12] and AMD[13] has produced AMD-V to add support into the processor instruction set to enhance the ability of the processors to support the virtualization efforts of the hypervisor. These technologies enable the hypervisor to use virtualization specific CPU instructions to solve some of the technical challenges that are present. They also address Memory and I/O virtualization concerns.

Hardware manufacturers have responded to industry demand for this technology. There are several reasons why it is popular. Enhanced resource utilization was the first, and is still a major reason. But the benefits of current virtualization technology go beyond rack density. Infrequently used applications can be given a dedicated operating system instance, using few resources until a demand is presented. Once the demand exists, the previously dormant instance can request resources to perform its task, then release those resources.

Virtualization separates the running operating system from the hardware it is running on. This means that the operating system can be moved from one piece of hardware to another. This can be utilized to address fault tolerance. The operating system that was previously running on a failed piece of hardware can be restarted on a new piece of hardware. This can be done automatically with some virtualization products. VMware cites customers running production servers without downtime for over three years.[14]

Further, with some virtualization products, high availability can be achieved such that the running operating system instance is moved from one piece of hardware to another with minimal latency. XenServer's optimal configuration indicates a latency of 30-60ms.[15] A TCP network connection would not be interrupted by this amount of latency.

Disaster Recovery and Continuing Operations Plans often leverage virtual machine technology. Reduced hardware can be stored at a DR/COOP site, and snapshots of non-critical systems can be replicated at specified intervals. Critical systems can be mirrored to a hot site.

Another benefit is the ease with which operating systems can be produced and maintained. Environments for Dev, QA, Staging, and Production can be exact replicas, cloned from the same OS image. Updates and patches can be tested on disposable clone images. Security researchers make extensive use of virtual machine instances as sandboxes for malware analysis. Developers and QA personnel run multiple client operating systems from the same desktop to test the user experience for Windows, Mac OS X, Linux, or Solaris.

But there are risks. The first is that virtualization adds another piece of software which must be tested, deployed, monitored, and patched. The second is a new threat of code execution which performs a "virtual machine escape." This threat is that a program running in a virtual machine is able to transcend the confines of the virtual container, and affect the running hypervisor, and potentially the other running virtual machines.

One example of this escape is a traversal of a VMware host-to-guest shared folder[16], discovered by Core Security[17]. This exploit leverages a feature of the VMware software which allows a user to transfer files from the guest (virtualized) server to the host system. This particular vulnerability resulted from the VMware software not properly normalizing the user input before performing sanitization, resulting in a directory traversal attack. Thus, the malicious code on the guest operating system escaped the confines of the shared folder, enabling it to write any file anywhere in the host operating system.
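
The ordering flaw described above (sanitizing before normalizing) can be seen in a short added example, which is not VMware's code and not part of the original study guide. It assumes percent-encoding as a stand-in for whatever encoding step the real product applied; SHARE_ROOT and the function names are hypothetical.

```python
import posixpath
from urllib.parse import unquote

SHARE_ROOT = "/srv/shared"  # hypothetical shared-folder root on the host


def resolve_sanitize_first(guest_path: str) -> str:
    """Flawed order: filter the raw string, then decode it."""
    if ".." in guest_path.split("/"):
        raise ValueError("traversal rejected")
    decoded = unquote(guest_path)  # decoding happens AFTER the check
    return posixpath.normpath(posixpath.join(SHARE_ROOT, decoded))


def resolve_normalize_first(guest_path: str) -> str:
    """Corrected order: decode and canonicalize, then test containment."""
    decoded = unquote(guest_path)
    if "\x00" in decoded:
        raise ValueError("NUL byte rejected")
    # Strip leading slashes so the join cannot be reset to an absolute path.
    candidate = posixpath.normpath(
        posixpath.join(SHARE_ROOT, decoded.lstrip("/")))
    # The decision is made on the final path, not on the spelling of the input.
    if posixpath.commonpath([SHARE_ROOT, candidate]) != SHARE_ROOT:
        raise ValueError("path leaves the shared folder")
    return candidate


def audit(requests):
    """Run both resolvers over constructed requests and report each outcome."""
    results = []
    for req in requests:
        row = [req]
        for fn in (resolve_sanitize_first, resolve_normalize_first):
            try:
                row.append(fn(req))
            except ValueError as exc:
                row.append(f"REJECTED: {exc}")
        results.append(tuple(row))
    return results


if __name__ == "__main__":
    # Constructed sample requests, not taken from the advisory.
    samples = ["reports/q3.txt", "../outside.txt",
               "%2e%2e/%2e%2e/etc/example.conf"]
    for req, flawed, fixed in audit(samples):
        print(f"{req!r}\n  sanitize-first : {flawed}\n  normalize-first: {fixed}")
```

The check here is purely lexical; on a real filesystem the containment test would also need to resolve symbolic links before comparing against the share root.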

References, all links valid as of July 30, 200
1. http://www-03.ibm.com/systems/virtualization/view/021307.html?ca=view&met=inli&me=W&P_Site=rss
2. http://www.vmware.com/files/pdf/VMware_paravirtualization.pdf (p. 1)
3. http://www.vmware.com/files/pdf/VMware_paravirtualization.pdf (p. 2)
4. http://www.intel.com/technology/itj/2006/v10i3/1-hardware/1-abstract.htm
5. http://www.amd.com/us-en/Processors/ProductInformation/0,,30_118_8796_14287,00.html
6. http://wiki.xensource.com/xenwiki/HardwareCompatibilityList
7. http://www.vmware.com/files/pdf/VMware_paravirtualization.pdf (p. 2)
8. http://www.intel.com/technology/itj/2006/v10i3/1-hardware/3-software.htm
9. http://www.intel.com/technology/itj/2006/v10i3/1-hardware/3-software.htm
10. http://www.intel.com/technology/itj/2006/v10i3/1-hardware/3-software.htm
11. http://xen.org/files/xenWhitePaper3.2.pdf (p. 2)
12. http://www.intel.com/technology/itj/2006/v10i3/1-hardware/5-architecture.htm
13. http://www.amd.com/us-en/Processors/ProductInformation/0,,30_118_8796_14287,00.html
14. http://www.vmware.com/files/pdf/VMware_paravirtualization.pdf (p. 4)
15. http://xen.org/files/xenWhitePaper3.2.pdf (p. 4)
16. http://kb.vmware.com/kb/1004034
17. http://www.coresecurity.com/?action=item&id=2129
