Formal Requirements for Virtualizable Third Generation Architectures

Grad Operating System Mini-ProjectAuthors: Gerald J. Popek, and Robert P. Goldberg

Presented by: Yiji Zhang

Outline• Basic VM Concepts• Formal Definitions• Virtualization Theorems• Contribution

Basic VM Concepts• Virtual Machine (VM)– efficient, isolated duplicate of the real machine– the environment created by the virtual machine monitor

Hardware

The virtual machine monitor

Basic VM Concepts• Virtual machine monitor (VMM)– a piece of software– three properties: 1) Equivalence: program run under the VMM = run on the original machine directly 2) Efficiency: statistically dominant subset of virtual processor's instructions be executed by real processor 3) Resource control: has complete control of resources

Formal Definitions• Three formal definitions– Model of 3rd generation machine– Instruction behavior– Virtual machine monitor

Model of 3rd Generation Machine• Overview simplified conventional 3rd generation machine– with a processor– with linear, uniformly addressable memory– without I/O instructions– without interrupts

• Machine behaviorThe machine can exist in any one of a finite

number of states S, where S = <E, M, P, R>.

Model of 3rd Generation Machine• Behavior of the computer: state (S)

S=<E, M, P, R>

E: executable storage

M: processor mode P: program count

R: relocation-bounds register

Model of 3rd Generation Machine• Behavior of the computer: state-space (S)

S=<E, M, P, R>

E: executable storage• word or byte addressed memory;• E[i]: contents of the ith unit of

storage in E

S=<E, M, P, R>

M: processor mode2 types• supervisor (s)• user (u)

P: program count

S=<E, M, P, R>

M: processor modeP: program count• address relative to register;• index

S=<E, M, P, R>

R: relocation-bounds register R = (l, b)• relocation part l: absolute address• bound part b: absolute size of virtual

memory

Model of 3rd Generation Machine• Program status word (PSW)

the contents of the triple <M, P, R>– used for other definitions and proof later

• Instruction (i)a function from one set of states (C) to

another. i: C Ce.g. i(S1) = S2

i(E1, M1, P1, R1) = (E2, M2, P2, R2)

Model of 3rd Generation Machine• Trap 1. Definition 2. Particular kind of trap

• Trap 1. Definition

Model of 3rd Generation Machine

An instruction is said to trap if i(E1, M1, P1, R1) = (E2, M2, P2, R2) where E2[i] = E1[j], for 0<j<q E2[0] = (M1, P1, R1) (M2, P2, R2) = E1[1]

• Trap 1. Definition

Model of 3rd Generation Machine

An instruction is said to trap if i(E1, M1, P1, R1) = (E2, M2, P2, R2) where E2[i] = E1[j], for 0<j<q E2[0] = (M1, P1, R1) (M2, P2, R2) = E1[1]1. Save the

current state

2. Pass control of a pre-specified routine by changing PSW

Model of 3rd Generation Machine• Trap 2. Particular kind of trap: memory trap– caused by accessing an address which is over the

bounds in relocation-bounds register R(l, b) or physical memory

– micro-sequence:

where a is the address to be accessed, l is relocation, q is the total size of memory, and b is the bound

if a + l ≥ q then trap;if a ≥ b then trap

Instruction Behavior• privileged instruction• sensitive instruction– control sensitive instruction– behavior sensitive instruction

• innocuous instructions

Privileged Instruction• Definition

Instruction i is privileged iff for any pair of states S1 = <e, s, p ,r> and S2 = <e, u, p ,r> in which i(S1) and i(S2) do not memory trap: i(S2) traps and i(S1) does not.

• Definition

• independent of the virtualization process

Instruction i is privileged iff for any pair of states S1 = <e, s, p ,r> and S2 = <e, u, p ,r> in which i(S1) and i(S2) do not memory trap: i(S2) traps and i(S1) does not.

Privileged Instruction

privileged instruction trap

the only difference

Sensitive Instruction• Control sensitive

– control sensitive instructions: affect or potentially affect the control of VMM over recourses

– no isolated condition codes or other complications by which instructions can interact

An instruction i is control sensitive if there exists a state S1 = <e1, m1, p1, r1>, and i(S1) = S2 = <e2, m2, p2, r2> such that i(S1) does not memory trap, and either: (a) r1≠r2, or (b) m1 ≠ m2, or both.

Sensitive Instruction• Behavior sensitive…

Sensitive Instruction• Behavior sensitive… • First introduce new notations…– operator :⊕ r’ = r x = (l+x, b), which means the ⊕ relocation register has had its base value shifted by the value of x– E | R: which means the contents of the part of the memory which can be effected by the instruction– E | r = E’ | r x: for 0≤i≤b, E[l + i] = E’[l + x + i]⊕

Sensitive Instruction• Behavior sensitive (finally!)

– the effect of the executions depends on the value of the relocation-bounds register.

An instruction i is behavior sensitive if there exists an integer x and states:(a) S1 = <e | r, m1, p, r>, and (b) S2 = <e | r ⊕ x, m2, p, r ⊕ x >,where(c) i(S1) = <e1 | r, m1, p1, r>,(d) i(S2) = <e2 | r ⊕ x, m2, p2, r ⊕ x >, and (e) neither i(S1) or i(S2) memory trap,such that either(a) e1 | r ≠ e2 | r x⊕ , or(b) p1≠ p2, or both.

Innocuous Instructions• The instructions which are neither privileged

instruction nor sensitive instructions.

Virtual Machine Monitor• VMM

a particular piece of software, called a control program, that exhibits certain

properties

Virtual Machine Monitor• Control program modules CP = <D, A, {vi}>

Control Program (CP)

Dispatcher (D)

Allocator (A) Interpreters

Dispatcher (D)

• top level module• decide which module

to call

Dispatcher (D)

• invoked by dispatcherwhen an attempted execution is to change the resources

Dispatcher (D)

• one interpreter routine per privileged instruction

• to simulate the effect of trapped instruction

Dispatcher (D)

• one interpreter routine per privileged instruction

• to simulate the effect of trapped instructions

• vi: set of interpretive routines

Virtual Machine Monitor• VMM properties

Recall Basic VM Concept…–three properties (of VMM): 1) Equivalence: program run under the VMM = run on the original machine directly 2) Efficiency: statistically dominant subset of virtual processor's instructions be executed by real processor 3) Resource control: has complete control of resources

Virtual Machine Monitor• VMM properties

Recall Basic VM Concept…–three properties (of VMM): 1) Equivalence: program run under the VMM = run on the original machine directly 2) Efficiency: statistically dominant subset of virtual processor's instructions be executed by real processor 3) Resource control: has complete control of resources

Now more formally...

Virtual Machine Monitor• VMM properties (formally) 1) Equivalence:

Any program K executing with a control program resident, with two possible exceptions, performs in a manner indistinguishable from the case when the control program did not exist and K had whatever freedom of access to privileged instructions that the programmer had intended.

Virtual Machine Monitor• VMM properties (formally) 1) Equivalence (even more formally)– Two machines : S1 and S1' = f(S1)– “equivalent” iff: for any state S1, if the real

machine halts in state S2 ; then the virtual machine halts in state S2’ = f(S2)

Virtual Machine Monitor• VMM properties (formally) 1) Equivalence (even more formally)– Two machines : S1 and S1' = f(S1)– “equivalent” iff: for any state S1, if the real

machine halts in state S2 ; then the virtual machine halts in state S2’ = f(S2)

Virtual Machine Map (VM MAP)

Virtual Machine Monitor• Virtual machine Map (VM Map)

f: Cr Cv is a one-one homomorphism w.r.t all the operators ei in the instruction sequence set I.

where Cr is the set of possible states of the real machine without a VMM, and Cv is the set with VMM.

The virtual machine map

Virtual Machine Monitor• VMM properties (formally) 2) Efficiency:

All innocuous instructions are executed by the hardware directly, with no intervention at all on the part of the control program.

Virtual Machine Monitor• VMM properties (formally) 3) Resource control:

It must be impossible for that arbitrary program to affect the system resources, i.e. memory, available to it; the allocator of the control program is to be invoked upon any attempt.

Outline• Basic VM Concepts• Formal Definitions• Virtualization Theorems• Conclusion

Visualization Theorem• THEOREM 1. For any conventional third

generation computer, a virtual machine monitor may be constructed if the set of sensitive instructions for that computer is a subset of the set of privileged instructions.

which implies all assumptions for: • relocation mechanisms, supervisor/user mode, and trap

mechanisms• the instruction set is of general purpose to support

dispatcher, allocator, and table lookup procedure

which 1) means:to build a VMM it is sufficient that all instructions that could affect the correct functioning of the VMM always trap and pass control to the VMM

which 2) guarantees:the resource control property, and equivalence property

which 3) provides:a simple technique for implementing a VMM, called trap-and-emulate virtualization

Visualization Theorem• THEOREM 2. A conventional third generation

computer is recursively virtualizable if it is: (a) virtualizable, and (b) a VMM without any timing dependencies can be constructed for it.

Visualization Theorem• THEOREM 2. A conventional third generation

computer is recursively virtualizable if it is: (a) virtualizable, and (b) a VMM without any timing dependencies can be constructed for it.

• Exceptions:1) programs with resource bound

–The theorem limits the number of nested VMMs of the recursion.

2) programs that have time dependencies

Visualization Theorem• THEOREM 3. A hybrid virtual machine monitor

may be constructed for any conventional third generation machine in which the set of user sensitive instructions are a subset of the set of privileged instructions.

may be constructed for any conventional third generation machine in which the set of user sensitive instructions are a subset of the set of privileged instructions.user sensitive instruction: there exists a state S = (E, u, P, R) for which instructions i is

control sensitive or behavior

sensitive.

may be constructed for any conventional third generation machine in which the set of user sensitive instructions are a subset of the set of privileged instructions.user control sensitive: the definition given earlier for

control sensitivity holds, with ml in that definition set to user.

user behavior sensitive: the definition for locationsensitivity

holds with the mode of states S1 and S2 equal to user.

Contribution• A formal model of a 3rd generation computer

system • Necessary and sufficient conditions to

determine whether a particular 3rd generation machine can support a VMM

Reference• Gerald J. Popek and Robert P. Goldberg. 1974.

Formal requirements for virtualizable third generation architectures. Commun. ACM 17, 7 (July 1974), 412-421.

Formal Requirements for Virtualizable Third Generation Architectures

Documents

Formal Requirements for Virtualizable Third Generation ... · ACM Symposium on Operating Systems Principles, IBM Thomas J. Watson Research Center, Yorktown ... Virtual memory is just

Secure Computing Systems Design Through Formal … › papers › contracts.pdffrom instruction set architectures (ISAs) and memory subsystems to high level application programming

Software Architectures, Week 1 - Monolithic Architectures

Enterprise IT Architectures EA (Enterprise Architecture)...Enterprise Architecture is the formal organization (design or layout) of the components, structures and processes required

CSEP504: Advanced topics in software systems Software architecture: design-based –Formal reasoning about properties –Static vs. dynamic architectures Software

Formal Methods for Interactive Systems - di.unipi.itcerone/courses/fmis/course-slides/course-FMIS-08... · Models | Architectures | SOAR | PUM | PUMA | Theorem Proving | Model Checking

Web Application Architectures - STI Innsbruck · 2013-04-23 · • Web Application Architectures – Introduction • Software architectures • Architectures development • Patterns

Formal Requirements for Virtualizable Third Generation ...brewer/cs262/VM-requirements.pdfVirtual memory is just one possible ingredient in a virtual machine; and techniques such as

Seminar Softwarearchitektur · 2020. 7. 14. · Design architectures Document architectures Evaluate architectures Reconstruct architectures Communicate architectural decisions Benefit

Specific Targeted Research Project FLAVIA FLexible Architecture for Virtualizable ... · 2017. 4. 20. · FLAVIA FLexible Architecture for Virtualizable wireless future Internet Access

KU Leuven - COnnecting REpositories · 69 QoSA 2011 Architecture-based reliability evaluation under uncertainty ... 105 ECSA 2012 Reusable Formal Models for Secure Software Architectures

Formal Construction of Instruction Set Architectures

Formal Requirements for Virtualizable Third Generation Architectures Grad Operating System Mini-Project Authors: Gerald J. Popek, and Robert P. Goldberg

Formal Requirements for Virtualizable Third Generation

Software Architectures, Week 5 - Advanced Architectures

CS599 Formal Methods in Software Architectures 1 Temporal Examples in Rapide Mohammad Al Said Miheer Bhachech Aditya Garg

Memory Systems and Memory-Centric Computing …...Fundamentally Energy-Efficient Architectures Memory-centric (Data-centric) Architectures Fundamentally Low-Latency Architectures Architectures

Formal Requirements for Virtualizable Third Generation Architectures

VMware and CPU Virtualization Technologycourses.cs.vt.edu/.../Virtualization/...Technology.pdfvirtualization Hardware Assist Binary Translation Modify the guest OS to remove non-virtualizable

Formal Methods in Testing Software Architectures