A Choices Hypervisor on the ARM Architecture. Rishi Bhardwaj, Russell Greenspan, Vijay Nori, Phillip Reames, Ercan Ucan. March 15, 2006

1
A Choices Hypervisor on the ARM Architecture
Rishi Bhardwaj, Russell Greenspan, Vijay Nori,
Phillip Reames, Ercan Ucan
March 15, 2006
2
Outline
  • ARM7 Architecture
  • Why virtualization?
  • The VMX Approach to Hypervisors
  • What's a sensitive instruction?
  • Contributions (Midterm Goals)
  • List of ARM7 sensitive instructions
  • Modifications to QEMU
  • Testing mechanism
  • Future Work

3
ARM7 Architecture
  • 6 basic operating modes (1 user, 5 privileged)
  • 37 registers, all 32 bits wide
      • 1 program counter
      • 5 dedicated saved program status registers
      • 1 current program status register
      • 30 general purpose registers
  • r13 (stack pointer), r14 (link register), r15
    (program counter, PC)

4
ARM7 ISA: Important Instructions
  • Branch and Branch with Link (B, BL)
  • Data Processing Instructions (AND, TST, MOV)
  • Shifts: logical (LSR), arithmetic (ASR), rotate
    (ROR)
  • Test (TEQ, TST, CMP, CMN)
  • Processor Status Register Transfer (MSR, MRS)
  • Memory Load/Store words (LDR, STR)
  • Push/Pop Stack Operations (STM, LDM)
  • Software Interrupt (SWI) (causes mode switch)
  • Coprocessor (CDP, LDC, STC, MRC, MCR)

5
Need for Virtualization
  • Run multiple OSes in secure, isolated
    environments using shared hardware
  • Reduce OS idle time by consolidating multiple OS
    workloads on one physical machine
  • Reduce total number of servers
  • Run untrusted applications and unverified code in
    secluded spaces

6
VMX Approach
  • Add two new sets of operations: VMX root and
    non-root
  • Root-only instructions, when executed in non-root
    mode, trap to the VMM
  • VMM emulates the sensitive instruction in root mode
  • Virtual Machine Control Structure (VMCS)
      • Handles jumps in and out of root mode
      • Special instructions (like syscalls) modify
        the VMCS

7
Sensitive Instruction
  • An instruction which executes differently in user
    and supervisor modes (with the same bit pattern),
    e.g. STM
      • Hypervisor needs to track the mode of the VM
        in order to correctly execute this instruction.
      • Thus, QEMU must trap on this instruction to
        the hypervisor.
  • A privileged instruction, e.g. SWI
      • Hypervisor must check if the VM is in
        privileged mode and fail the request otherwise.

8
List of ARM7 Sensitive Instructions
  • MRS: Moves PSR status/flags to register
  • MSR: Moves register to PSR status/flags
  • TEQ (in TEQP form): Test bitwise equality
  • STM: Stores multiple registers to stack (push)
  • LDM: Loads multiple registers from stack (pop)
  • BX: Branch with exchange; switches processor mode
    to Thumb
  • SWI: Software Interrupt

9
List of ARM7 Sensitive Instructions (2)
  • LDC: Load coprocessor register from memory
  • STC: Store coprocessor register to memory
  • MRC: Move coprocessor register to CPU register
  • MCR: Move CPU register to coprocessor register
  • CDP: Coprocessor-specific data processing
    instruction
  • BL: Branch with Link
  • B: Branch

10
QEMU Basics
  • Open source processor emulator
  • Uses dynamic translation.
  • Unlike VMWare or Win4Lin, emulates the CPU
      • Thus more portable, secure, stable
  • Supports ARM Integrator/CP (1026E)
  • Has two modes
      • Full system emulation
      • User mode emulation

11
QEMU Basics (2)
  • Full system emulation: emulates a full system (a
    PC), including one or several processors and
    various peripherals.
      • We are running Choices in this mode
  • User mode emulation: can launch Linux processes
    compiled for one CPU on another CPU.
      • We have small modules to test the changes
        that we have made

12
QEMU Basics (3)
  • Dynamically translates each ARM instruction into
    a group of corresponding x86 instructions
  • A block of ARM instructions is translated
    together in one go.
  • SWI, branch, etc. make up block boundaries.
  • The generated x86 code for each ARM block is
    executed before the next block translation begins.

13
Changes to QEMU
  • Transfer control from the guest OS to the
    hypervisor whenever we encounter a sensitive
    instruction.
  • When running in guest OS mode, we treat
    (translate) sensitive instructions the same as
    SWI, with a small modification.
  • We trap into the hypervisor with information on
    which sensitive instruction was attempted.
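
The classification step implied by the sensitive-instruction list and the trap described above, as an added example (not code from the slides, QEMU, or Choices): it decodes a 32-bit ARM-state instruction word and reports which listed instruction it is, which is the information the trap would carry. The enum and function names are hypothetical, the sample block is constructed, and the condition field and Thumb encodings are ignored.

```c
#include <stdint.h>
#include <stddef.h>

/* Added example: all names here are hypothetical, not QEMU or Choices APIs. */
typedef enum {
    S_NONE, S_MRS, S_MSR, S_TEQP, S_STM, S_LDM, S_BX, S_SWI,
    S_LDC, S_STC, S_MRC, S_MCR, S_CDP, S_BL, S_B
} sens_t;

/* Classify one 32-bit ARM-state instruction word against the slides' list.
 * The condition field (bits 31:28) is ignored; Thumb is out of scope. */
sens_t classify_arm(uint32_t w)
{
    /* Fixed encodings inside the data-processing space are matched first. */
    if ((w & 0x0FFFFFF0u) == 0x012FFF10u) return S_BX;
    if ((w & 0x0FBF0FFFu) == 0x010F0000u) return S_MRS;
    if ((w & 0x0FB0FFF0u) == 0x0120F000u) return S_MSR;   /* register form  */
    if ((w & 0x0FB0F000u) == 0x0320F000u) return S_MSR;   /* immediate form */
    /* TEQP is TEQ (opcode 1001, S=1) with Rd = 15. In the register form,
     * bits 7 and 4 both set means the word is not data processing at all. */
    if ((w & 0x0DF0F000u) == 0x0130F000u &&
        ((w & 0x02000000u) || (w & 0x90u) != 0x90u)) return S_TEQP;

    switch ((w >> 25) & 7u) {                  /* major opcode, bits 27:25 */
    case 4: return (w & (1u << 20)) ? S_LDM : S_STM;
    case 5: return (w & (1u << 24)) ? S_BL : S_B;
    case 6: return (w & (1u << 20)) ? S_LDC : S_STC;
    case 7:
        if (w & (1u << 24)) return S_SWI;
        if (!(w & (1u << 4))) return S_CDP;
        return (w & (1u << 20)) ? S_MRC : S_MCR;
    }
    return S_NONE;
}

/* Count the words in a guest code block that would trap to the hypervisor. */
size_t count_traps(const uint32_t *code, size_t n)
{
    size_t traps = 0;
    for (size_t i = 0; i < n; i++)
        traps += classify_arm(code[i]) != S_NONE;
    return traps;
}

/* Constructed sample: stmfd sp!,{r4,lr}; mrs r0,cpsr; mov r0,r1;
 * msr cpsr_c,r0; ldmfd sp!,{r4,pc} */
const uint32_t sample_block[] = {
    0xE92D4010u, 0xE10F0000u, 0xE1A00001u, 0xE121F000u, 0xE8BD8010u
};

int main(void) { return count_traps(sample_block, 5) == 4 ? 0 : 1; }
```

Plain TEQ (Rd not 15) and ordinary data-processing or single load/store words classify as `S_NONE`, so only the listed instructions would be routed to the trap path.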

14
Related Work
  • Software-based hypervisors
      • TRANGO
          • Run guest OSes in CPU user mode for best
            possible security
      • Jaluna
          • Run multiple OSes in CPU kernel mode,
            allowing fast cross-OS communication
  • ARM's TrustZone
      • Hardware-based support for complete process
        isolation

15
Future Work
  • Trapping mechanism is in place; next, implement
    the validation of sensitive instructions executed
    in the hypervisor.
  • Test performance of the Choices Hypervisor
    (measure overhead) with a standard benchmark
    suite.
  • Optimize the system to incur less overhead to
    validate all sensitive instructions

17
  • Thank you for your attention!