
Formal Requirements for Virtualizable Third Generation Architectures

Grad Operating System Mini-Project. Authors: Gerald J. Popek and Robert P. Goldberg. Presented by: Yiji Zhang.



Presentation Transcript


  1. Formal Requirements for Virtualizable Third Generation Architectures
  Grad Operating System Mini-Project
  Authors: Gerald J. Popek and Robert P. Goldberg
  Presented by: Yiji Zhang

  2. Outline
  • Basic VM Concepts
  • Formal Definitions
  • Virtualization Theorems
  • Contribution

  4. Basic VM Concepts
  (Figure: layered boxes labelled VM, VMM and Hardware.)
  • Virtual Machine (VM)
    • an efficient, isolated duplicate of the real machine
    • the environment created by the virtual machine monitor

  5. Basic VM Concepts
  • Virtual machine monitor (VMM): a piece of software with three properties
    1) Equivalence: a program run under the VMM behaves as if it were run directly on the original machine
    2) Efficiency: a statistically dominant subset of the virtual processor's instructions is executed directly by the real processor
    3) Resource control: the VMM has complete control of system resources

  6. Outline
  • Basic VM Concepts
  • Formal Definitions
  • Virtualization Theorems
  • Contribution

  7. Formal Definitions
  • Three formal definitions:
    • Model of a 3rd generation machine
    • Instruction behavior
    • Virtual machine monitor

  8. Model of 3rd Generation Machine
  • Overview: a simplified conventional 3rd generation machine
    • with a processor
    • with linear, uniformly addressable memory
    • without I/O instructions
    • without interrupts
  • Machine behavior: the machine can exist in any one of a finite number of states S, where S = <E, M, P, R>.

  9–13. Model of 3rd Generation Machine: the state S = <E, M, P, R>
  The behavior of the computer is described by its state-space (S).
  • E: executable storage
    • word- or byte-addressed memory
    • E[i]: the contents of the ith unit of storage in E
  • M: processor mode, one of two types
    • supervisor (s)
    • user (u)
  • P: program counter
    • an address relative to the relocation register R
    • acts as an index into E
  • R: relocation-bounds register, R = (l, b)
    • relocation part l: an absolute address
    • bound part b: the absolute size of the virtual memory

  14. Model of 3rd Generation Machine
  • Program status word (PSW): the contents of the triple <M, P, R>
    • used in the definitions and proofs that follow
  • Instruction (i): a function from the set of states C to itself, i: C → C
    e.g. i(S1) = S2, i.e. i(E1, M1, P1, R1) = (E2, M2, P2, R2)

  15–17. Model of 3rd Generation Machine: Trap
  1. Definition. An instruction i is said to trap if
       i(E1, M1, P1, R1) = (E2, M2, P2, R2)
     where
       E2[j] = E1[j], for 0 < j < q
       E2[0] = (M1, P1, R1)
       (M2, P2, R2) = E1[1]
     That is, a trap
       1. saves the current state (the PSW <M1, P1, R1>) in E[0], and
       2. passes control to a pre-specified routine by loading the new PSW from E[1].
  2. Particular kind of trap: the memory trap (next slide)

  18. Model of 3rd Generation Machine: Trap (continued)
  • 2. Particular kind of trap: memory trap
    • caused by accessing an address that lies outside the bounds given by the relocation-bounds register R = (l, b), or outside physical memory
    • micro-sequence:
        if a + l ≥ q then trap;
        if a ≥ b then trap
      where a is the address to be accessed, l is the relocation, q is the total size of memory, and b is the bound

  19. Formal Definitions
  • Three formal definitions:
    • Model of a 3rd generation machine
    • Instruction behavior
    • Virtual machine monitor

  20–21. Instruction Behavior
  • privileged instruction
  • sensitive instruction
    • control sensitive instruction
    • behavior sensitive instruction
  • innocuous instructions

  22–23. Privileged Instruction
  Definition. Instruction i is privileged iff, for any pair of states S1 = <e, s, p, r> and S2 = <e, u, p, r> in which i(S1) and i(S2) do not memory trap: i(S2) traps and i(S1) does not.
  • the only difference between S1 and S2 is the processor mode (supervisor vs user)
  • a privileged instruction traps when executed in user mode
  • the definition is independent of the virtualization process

  24. Instruction Behavior
  • privileged instruction
  • sensitive instruction
    • control sensitive instruction
    • behavior sensitive instruction
  • innocuous instructions

  25. Sensitive Instruction
  • Control sensitive
    Definition. An instruction i is control sensitive if there exists a state S1 = <e1, m1, p1, r1>, with i(S1) = S2 = <e2, m2, p2, r2>, such that i(S1) does not memory trap and either (a) r1 ≠ r2, or (b) m1 ≠ m2, or both.
    • control sensitive instructions affect, or potentially affect, the control of the VMM over resources
    • the model assumes no isolated condition codes or other complications by which instructions can interact

  26–28. Sensitive Instruction
  • Behavior sensitive
    First, some new notation:
    • operator ⊕: r' = r ⊕ x = (l + x, b), i.e. the relocation register has had its base value shifted by x
    • E | R: the contents of the part of memory that can be affected by the instruction under relocation-bounds register R
    • E | r = E' | r ⊕ x means: for 0 ≤ i ≤ b, E[l + i] = E'[l + x + i]
    Definition. An instruction i is behavior sensitive if there exists an integer x and states
      (a) S1 = <e | r, m1, p, r>, and
      (b) S2 = <e | r ⊕ x, m2, p, r ⊕ x>,
    where
      (c) i(S1) = <e1 | r, m1, p1, r>,
      (d) i(S2) = <e2 | r ⊕ x, m2, p2, r ⊕ x>, and
      (e) neither i(S1) nor i(S2) memory traps,
    such that either (a) e1 | r ≠ e2 | r ⊕ x, or (b) p1 ≠ p2, or both.
    • in words: the effect of executing i depends on the value of the relocation-bounds register

  29. Instruction Behavior
  • privileged instruction
  • sensitive instruction
    • control sensitive instruction
    • behavior sensitive instruction
  • innocuous instructions

  30. Innocuous Instructions
  The instructions that are neither privileged nor sensitive.

  31. Formal Definitions
  • Three formal definitions:
    • Model of a 3rd generation machine
    • Instruction behavior
    • Virtual machine monitor

  32. Virtual Machine Monitor
  A VMM is a particular piece of software, called a control program, that exhibits certain properties.

  33–37. Virtual Machine Monitor: Control Program (CP) modules
  CP = <D, A, {vi}>
  • Dispatcher (D)
    • the top-level module
    • decides which module to call
  • Allocator (A)
    • invoked by the dispatcher
    • when an attempted execution would change the resources
  • Interpreters {vi}
    • vi: the set of interpretive routines
    • one interpreter routine per privileged instruction
    • simulates the effect of the trapped instruction

  38–39. Virtual Machine Monitor
  • VMM properties. Recall the basic VM concept: the three properties of a VMM are
    1) Equivalence: a program run under the VMM behaves as if it were run directly on the original machine
    2) Efficiency: a statistically dominant subset of the virtual processor's instructions is executed directly by the real processor
    3) Resource control: the VMM has complete control of system resources
  Now more formally...

  40. Virtual Machine Monitor
  • VMM properties (formally)
    1) Equivalence: Any program K executing with a control program resident, with two possible exceptions, performs in a manner indistinguishable from the case when the control program did not exist and K had whatever freedom of access to privileged instructions that the programmer had intended.

  41–42. Virtual Machine Monitor: the Virtual Machine Map (VM Map)
  • VMM properties (formally)
    1) Equivalence (even more formally)
    • Two machines, with states S1 and S1' = f(S1), are "equivalent" iff: for any state S1, if the real machine halts in state S2, then the virtual machine halts in state S2' = f(S2).

  43. Virtual Machine Monitor
  The virtual machine map (VM Map) f: Cr → Cv is a one-one homomorphism with respect to all the operators ei in the instruction sequence set I, where Cr is the set of possible states of the real machine without a VMM and Cv is the set of states with a VMM.

  44. Virtual Machine Monitor
  • VMM properties (formally)
    2) Efficiency: All innocuous instructions are executed by the hardware directly, with no intervention at all on the part of the control program.

  45. Virtual Machine Monitor
  • VMM properties (formally)
    3) Resource control: It must be impossible for an arbitrary program to affect the system resources (i.e. memory) available to it; the allocator of the control program is to be invoked upon any such attempt.

  46. Outline
  • Basic VM Concepts
  • Formal Definitions
  • Virtualization Theorems
  • Conclusion

  47–50. Virtualization Theorem
  THEOREM 1. For any conventional third generation computer, a virtual machine monitor may be constructed if the set of sensitive instructions for that computer is a subset of the set of privileged instructions.
  • "conventional third generation computer" carries all the assumptions of the model:
    • relocation mechanism, supervisor/user mode, and trap mechanism
    • an instruction set general enough to support the dispatcher, the allocator, and a table lookup procedure
  • The theorem 1) means: to build a VMM it is sufficient that all instructions that could affect the correct functioning of the VMM always trap and pass control to the VMM.
  • It 2) guarantees: the resource control property and the equivalence property.
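The definitions on slides 16 to 28 and the premise of Theorem 1 can be checked mechanically on a toy machine. The following Python model is an added example, not code from the slides or from Popek and Goldberg: it encodes the state <E, M, P, R>, the trap and memory-trap rules, and the privileged / control-sensitive / behavior-sensitive tests, evaluated over a small constructed sample of states (the definitions quantify over all states, so the classifiers are exact only for the sampled states). The three instructions (`copy`, `enter_user_mode`, `store_relocation`), the memory size Q = 16 and the handler PSW are all constructed for the example. `store_relocation` is the instructive case: it reveals the relocation base l to a program without trapping, so it is behavior sensitive but not privileged, and the premise of Theorem 1 fails for an instruction set that contains it.

```python
"""Toy model of the slides' machine, S = <E, M, P, R>: E is executable storage (E[0]
receives the saved PSW on a trap, E[1] holds the handler PSW), M the mode ('s'/'u'),
P the program counter relative to R, R = (l, b) the relocation-bounds register.
Memory size, instructions and sample states are constructed for this example."""
from collections import namedtuple
from itertools import product

Q = 16                                   # q: total size of physical memory (constructed)
HANDLER_PSW = ("s", 0, (0, Q))           # trap handler: supervisor mode over all of memory
State = namedtuple("State", "E M P R")   # an instruction maps State -> (State, 'ok'|'trap'|'memtrap')

def trap(s, kind="trap"):
    """Slide 16: E2[j] = E1[j] for 0 < j < q, E2[0] = <M1,P1,R1>, <M2,P2,R2> = E1[1]."""
    m2, p2, r2 = s.E[1]
    return State(((s.M, s.P, s.R),) + s.E[1:], m2, p2, r2), kind

def absolute(s, a):
    """Slide 18 micro-sequence: if a + l >= q then trap; if a >= b then trap."""
    l, b = s.R
    return None if a + l >= Q or a >= b else l + a

def copy(src, dst):
    """Innocuous: E[l+dst] = E[l+src], relocated and bounds-checked; M and R untouched."""
    def run(s):
        i, j = absolute(s, src), absolute(s, dst)
        if i is None or j is None:
            return trap(s, "memtrap")
        return State(s.E[:j] + (s.E[i],) + s.E[j + 1:], s.M, s.P + 1, s.R), "ok"
    return run

def enter_user_mode(s):
    """Sets M = u when in supervisor mode; traps when in user mode."""
    return trap(s) if s.M != "s" else (State(s.E, "u", s.P + 1, s.R), "ok")

def store_relocation(dst):
    """Stores the absolute base l into E[l+dst] in either mode, never trapping."""
    def run(s):
        j = absolute(s, dst)
        if j is None:
            return trap(s, "memtrap")
        return State(s.E[:j] + (s.R[0],) + s.E[j + 1:], s.M, s.P + 1, s.R), "ok"
    return run

def sample_states():
    """A small constructed sample of the state space C (the real C is far larger)."""
    base = tuple([None, HANDLER_PSW] + [100 + i for i in range(2, Q)])
    for m, r, p in product("su", ((2, 4), (4, 6), (6, 3)), (0, 1)):
        yield State(base, m, p, r)

def window(e, r):
    """e|r: the words reachable through relocation-bounds register r without a memory trap."""
    l, b = r
    return tuple(e[l + i] for i in range(b))

def shift(s, x):
    """S2 = <e|r ⊕ x, m, p, r ⊕ x>: same window contents, base moved by x."""
    l, b = s.R
    e = list(s.E)
    for i in range(b):
        e[l + x + i] = s.E[l + i]
    return State(tuple(e), s.M, s.P, (l + x, b))

def is_privileged(i):
    """Slide 22: every pair <e,s,p,r>, <e,u,p,r> that does not memory trap has the
    user-mode run trapping and the supervisor-mode run completing normally."""
    runs = [(i(s)[1], i(s._replace(M="u"))[1]) for s in sample_states() if s.M == "s"]
    runs = [o for o in runs if "memtrap" not in o]
    return bool(runs) and all(o == ("ok", "trap") for o in runs)

def is_control_sensitive(i):
    """Slide 25: some execution that does not memory trap changes R or M."""
    return any(o != "memtrap" and (s1.R != s2.R or s1.M != s2.M)
               for s1 in sample_states() for s2, o in (i(s1),))

def is_behavior_sensitive(i):
    """Slide 28: for some x, S1 and its relocated twin S2 end with different windows or P."""
    for s1, x in product(sample_states(), (1, 2, 3)):
        if s1.R[0] + x + s1.R[1] > Q:        # the relocated window must fit in memory
            continue
        s2 = shift(s1, x)
        (t1, o1), (t2, o2) = i(s1), i(s2)
        if "memtrap" not in (o1, o2) and (
                window(t1.E, s1.R) != window(t2.E, s2.R) or t1.P != t2.P):
            return True
    return False

def classify(isa):
    """name -> (privileged, control sensitive, behavior sensitive)."""
    return {n: (is_privileged(i), is_control_sensitive(i), is_behavior_sensitive(i))
            for n, i in isa.items()}

def theorem1_premise(isa):
    """Theorem 1 premise: every sensitive instruction is also privileged."""
    return all(p for p, c, b in classify(isa).values() if c or b)

ISA = {"copy": copy(0, 1), "enter_user_mode": enter_user_mode, "store_relocation": store_relocation(0)}

if __name__ == "__main__":
    print(classify(ISA))                     # store_relocation is sensitive but not privileged
    print("Theorem 1 premise holds:", theorem1_premise(ISA))
```

Removing `store_relocation` from `ISA` makes `theorem1_premise` true: every remaining sensitive instruction traps in user mode, which is exactly the condition under which the dispatcher and interpreters of slides 33 to 37 can regain control and simulate the instruction. Note that the window comparison uses the original r and r ⊕ x, as written in (c) and (d) of the slide-28 definition, so an ordinary (non-memory) trap does not by itself make an instruction behavior sensitive.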
