Location via proxy:   [ UP ]  
[Report a bug]   [Manage cookies]                
SlideShare a Scribd company logo

XPDDS19: Memories of a VM Funk - Mihai Donțu, Bitdefender

The Linux Foundation
The Linux Foundation

This talk is a follow-up to our Summit 2017 presentation in which we covered our plans for Intel VMFUNC and #VE, as well as related use-cases. This year, we will provide a report on what we have accomplished in Xen 4.12, and what remains to be addressed. We will also give a brief status update of VMI on AMD hardware. The session will end with some real-world numbers of the Hypervisor Introspection solution running on Citrix Hypervisor 8.0 with #VE enabled.

1 of 11
Memories of a VM Funk Mihai Donțu, Engineering Manager, Bitdefender
Outline • 4.12 statistics • VMI on AMD • The 'Windows 10 RS4' event • The A/D bits conundrum • #VE / VMFUNC statistics with Citrix Hypervisor 8.0 • Intel Sub-Page Permission (SPP)
4.12 Statistics • Xen releases since 2017's summit: 4.9, 4.10, 4.11, 4.12 • 68 patches, 45 in 4.12 alone • 5 developers: Adrian Pop, Alexandru Isăilă, Petre Pîrcălabu, Răzvan Cojocaru, Vlad Ioan Topan
VMI on AMD • Basic vm_event support done • All PT-walks trigger a write NPT #PF • No Intel MTF-like support • Realtime-VMI is essentialy a "no-go"
The 'Windows 10 RS4' event • Huge slowdown due to frequent PT modifications • Worked-around with a tiny in-guest filter (injected) • Proper solution: #VE agent • 64bit only
The A/D bits conundrum • We need to emulate A/D bit updates • There are three methods: • Optimistic (PTE-level): • If accessed is unset, set it • If accessed is set, set dirty if PTE is writable • Using the emulator: perform a full guest PT walk and update A/D according to the current instruction • Single-step via MTF
• #VE / VMFUNC statistics with Citrix Hypervisor 8.0 Firefox Chrome Opening multiple pages in multiple tabs (Y: seconds)
• Intel Sub-Page Permission (SPP) • Controlled by VMCS and EPTE[61] • Write protection only • Sub-page size: 128 bytes • Protect OS structures smaller than 4K • Mostly read-only but live in pages written often • Typical candidates (Windows): driver objects, IDT, HAL dispatch table
Q & A
Thank you!
XPDDS19: Memories of a VM Funk - Mihai Donțu, Bitdefender

More Related Content

XPDDS19: Memories of a VM Funk - Mihai Donțu, Bitdefender

  • 1. Memories of a VM Funk Mihai Donțu, Engineering Manager, Bitdefender
  • 2. Outline • 4.12 statistics • VMI on AMD • The 'Windows 10 RS4' event • The A/D bits conundrum • #VE / VMFUNC statistics with Citrix Hypervisor 8.0 • Intel Sub-Page Permission (SPP)
  • 3. 4.12 Statistics • Xen releases since 2017's summit: 4.9, 4.10, 4.11, 4.12 • 68 patches, 45 in 4.12 alone • 5 developers: Adrian Pop, Alexandru Isăilă, Petre Pîrcălabu, Răzvan Cojocaru, Vlad Ioan Topan
  • 4. VMI on AMD • Basic vm_event support done • All PT-walks trigger a write NPT #PF • No Intel MTF-like support • Realtime-VMI is essentialy a "no-go"
  • 5. The 'Windows 10 RS4' event • Huge slowdown due to frequent PT modifications • Worked-around with a tiny in-guest filter (injected) • Proper solution: #VE agent • 64bit only
  • 6. The A/D bits conundrum • We need to emulate A/D bit updates • There are three methods: • Optimistic (PTE-level): • If accessed is unset, set it • If accessed is set, set dirty if PTE is writable • Using the emulator: perform a full guest PT walk and update A/D according to the current instruction • Single-step via MTF
  • 7. • #VE / VMFUNC statistics with Citrix Hypervisor 8.0 Firefox Chrome Opening multiple pages in multiple tabs (Y: seconds)
  • 8. • Intel Sub-Page Permission (SPP) • Controlled by VMCS and EPTE[61] • Write protection only • Sub-page size: 128 bytes • Protect OS structures smaller than 4K • Mostly read-only but live in pages written often • Typical candidates (Windows): driver objects, IDT, HAL dispatch table