In recent years there has been a strong move in the field of computing services towards the use of virtualization technologies. Virtualization allows the running of unmodified legacy applications on hardware platforms. This is realized through on-the-fly translation from one hardware instruction set to another with the assistance of a so-called hypervisor or Virtual Machine Monitor (VMM). A VMM runs in the most privileged mode in a system running a virtual machine and has full control over vital system resources. A VMM-based system not only allows instruction translation, but also increases system utilization, as multiple Virtual Machines (VMs) can run simultaneously on a single powerful hardware platform, opening up different business models and business landscapes. This implies, for example, that existing services can rather easily be migrated into large computing clusters, often referred to as “the cloud”.
One drawback of this new flexibility is that it creates increased security risks. Systems which previously were physically isolated from each other might run on the same machine, which may entail unwanted interaction between VMs running simultaneously on the same hardware.
Furthermore, when virtualized solutions are run on a service provider platform to service clients, an information gap is created, since the clients do not have full insight into the execution of the VM, while the service provider does not have full insight into the applications running on the VMs. In reality, this is even more complex, since the application running on the VM can be owned by a third party and licensed to a client for a particular use.
When clients upload arbitrary code to a service provider's computer, there is a considerable risk that clients upload code that malfunctions by mistake. Other risks include that the code or the clients' computers may have been compromised by hackers, rogue employees or competitors of the client etc. From the view of the service provider it is therefore of utmost importance that software which cannot fully be trusted not to damage the system is either prohibited from executing on the platform or supervised.
Virtual Machines typically use CPU support to keep the effects of the clients' code within limits. Typically, a CPU has multiple execution privilege levels, and higher privilege levels can configure the CPU to disallow lower privilege levels from executing certain instructions or accessing certain parts of the computer. This can be used to prevent a VM running in a low privilege level from accessing hardware.
However, some CPUs have insufficient hardware support for virtualization. To isolate a virtual machine on such a CPU, the VMM will have to scan through the VM's code and replace insufficiently handled functions with other instructions that transfer control back to the trusted and more privileged code base.
The hardware support provides the ability to trap individual memory accesses and the execution of specific instructions, but not to trap, for instance, on specific values in the instructions, such as when a value oversteps a certain limit, or when the sum of some values oversteps a limit. To enforce such a limit, every instruction that may modify any of the values involved must be trapped. Eventually, for increasingly complex limits, the bluntness of the built-in trigger conditions will lead to the need to trap almost every instruction. Trapping every instruction, or a large subset of all the instructions, is very costly, in particular on modern CPU architectures that rely heavily on code executing in predictable straight segments. Without the ability to take advantage of pipelining, branch prediction, and modern cache prediction and eviction schemes, each instruction can be slowed down on the order of 1000 times if it has to work against the design of the hardware. A consequence is that current hardware can only enforce rules that trigger on simple conditions, such as when the CPU accesses a particular memory area.
A complex rule, as opposed to a simple rule, depends on several things occurring or having occurred. For instance, one may want to enforce the rule of a software license that only permits a certain limited number of users, e.g. identified by entries in a list. Such a rule may depend on the values in a data structure spanning multiple areas of the memory. To enforce a complex rule using state of the art methods, a VMM may have to investigate all instructions that modify the relevant memory locations. With only simple conditions available, the CPU will have to place simple and independent triggers on each of the memory locations in question, and the CPU will trigger exceptions on many occasions when the complex rule is still only partially fulfilled.
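The cost argument above can be seen in a small simulation (an added example, not part of the original text): every store to a watched user-list slot traps to the VMM, yet the licence rule is broken only once. The slot count, licence limit, workload and all function names are constructed for illustration.

```c
#include <stdio.h>
#include <stddef.h>

#define SLOTS 8          /* constructed: user-list entries spread over guest memory */
#define LICENSE_LIMIT 3  /* constructed: licence permits at most 3 concurrent users */

struct vmm_stats { unsigned traps; unsigned violations; };

static int guest_mem[SLOTS];          /* 0 = free slot, otherwise a user id */

/* The complex rule: the number of occupied slots must not exceed the limit. */
static int rule_violated(void) {
    int used = 0;
    for (size_t i = 0; i < SLOTS; i++)
        used += guest_mem[i] != 0;
    return used > LICENSE_LIMIT;
}

/* Every store to a watched slot traps to the VMM, which must re-evaluate
 * the whole rule because the simple hardware trigger carries no rule state. */
static void guest_store(struct vmm_stats *s, size_t slot, int value) {
    s->traps++;                       /* simple trigger: fires on any write */
    guest_mem[slot] = value;
    if (rule_violated())
        s->violations++;              /* the complex rule is actually broken */
}

/* Constructed workload: users log in and out; only one store breaks the rule. */
struct vmm_stats run_workload(void) {
    struct vmm_stats s = {0, 0};
    for (size_t i = 0; i < SLOTS; i++) guest_mem[i] = 0;
    for (int round = 0; round < 100; round++) {
        guest_store(&s, 0, 100 + round);   /* login  -> 1 user  */
        guest_store(&s, 5, 200 + round);   /* login  -> 2 users */
        guest_store(&s, 0, 0);             /* logout -> 1 user  */
        guest_store(&s, 5, 0);             /* logout -> 0 users */
    }
    guest_store(&s, 1, 1);
    guest_store(&s, 2, 2);
    guest_store(&s, 3, 3);                 /* 3 users: at the limit */
    guest_store(&s, 4, 4);                 /* 4 users: the only violation */
    return s;
}

int main(void) {
    struct vmm_stats s = run_workload();
    printf("traps=%u violations=%u\n", s.traps, s.violations);
    return 0;
}
```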