Users and/or systems often wish to observe low-level behavior of software. Indeed, such observations can play a role in a wide variety of useful systems and applications including for performance analysis, correctness checks, auditing, security behaviors, enforcement of security policies, etc. In many such systems and applications, a basic technique for observing behaviors is interposition, whereby an observer seeks to interpose on operations of interest performed by or for the observed software.
In systems that employ conventional virtualization technology, a virtual machine monitor (VMM), hypervisor or other software component typically provides a layer of indirection between a guest computation (e.g., a guest operating system) and underlying hardware. Often, such a layer is a useful locus for interposition mechanisms and creates opportunities for interposing on events that might otherwise be difficult to instrument due to their low-level nature. For example, instrumentation of events such as device operations, asynchronous interrupts, system calls, execution of particular instructions in a guest kernel, etc. can be simplified because, in a conventional virtualization system, these events pass through the control of the virtualization layer before being reflected into the guest. Accordingly, the virtual machine monitor (VMM) or hypervisor provides an attractive instrumentation point for systems and applications that wish to observe low-level software behavior.
As virtualization technologies have gained in popularity and market penetration, hardware-assist mechanisms have been developed with the goal of enhancing performance and/or capabilities of virtualization systems and/or simplifying virtualization system implementations. Some of these mechanisms introduce specific hardware features and/or support into processor designs and instruction set architectures. For example, both Intel Corporation and Advanced Micro Devices, Inc. have introduced processor designs with hardware support for processor (CPU) virtualization. Support in Intel processor designs is typically promoted as Intel Virtualization Technology (Intel VT-x™) and was formerly known by the code-name “Vanderpool,” while support in AMD designs is typically promoted as AMD Virtualization (AMD-V™) or Secure Virtual Machine (SVM) technology and was at one time known by the code-name “Pacifica.” Intel VT-x and AMD-V are trademarks of the respective entities.
Unfortunately, some of these hardware-assist mechanisms tend to limit the opportunities for, and efficacy of, interposition techniques that have previously been employed in a VMM or hypervisor. In particular, some events that may have been comparatively easy to interpose upon when the VMM or hypervisor acted as an intermediary and executed guest code (e.g., directly or in dynamically-translated form) on underlying hardware, may be completely opaque to traditional virtualization-based interposition techniques. For example, system calls, faults, and in some cases, interrupts can all occur without visibility to the VMM or hypervisor in virtualization systems that build upon hardware mechanisms to initiate guest computation sequences and/or manage guest state information.
Accordingly, improved and/or alternative methods are desired.