Achieving virtualization trustworthiness using software mechanisms
Abstract
This paper presents the challenges of implementing a bare-metal hypervisor without relying on hardware virtualization features. This choice is motivated by two reasons:
(i) some processors do not include virtualization instructions;
(ii) in the context of formal verification, the proof relies on the correct behaviour of the hardware, so eliminating hardware features allows a more precise proof.
Implementing virtualization features without hardware support is complex work: the instruction set is large and, despite the documentation, some behaviours are not obvious, if not undefined. Moreover, doing this in software forces us to freeze the guest to perform the work, reducing performance. We implemented a software hypervisor with the particularity that it runs the guest systems in privileged mode. Before running a guest, the hypervisor dynamically analyzes its code and executes it only after setting breakpoints on sensitive instructions. To perform the analysis, we extracted the whole ARM and Thumb instruction set to identify the sensitive instructions, which have to be handled by the hypervisor. In order to preserve acceptable performance, we only track code running in privileged mode.
Thus, the guest kernel runs at the same privilege level as the hypervisor. We evaluated the performance of our approach using micro-benchmarks and macro-benchmarks, measuring the impact of the mechanism on a piece of code and on a whole system respectively. The results show that, when running a guest that performs pre-emptive scheduling and runs its tasks in user mode, our hypervisor incurs a reasonable overhead: from 0.3% to 15% on several synthetic benchmarks. We finally provide several ideas for further optimization and directions for future work.
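The analysis-and-breakpoint mechanism summarized above, as an added example that is not code from the paper: a scan over a constructed block of ARM (A32) guest kernel words classifies instructions by fixed encoding bits, replaces the sensitive ones with BKPT instructions whose immediate indexes a saved copy of the original, and the trap-side lookup recovers that original for emulation. The sensitive subset (MCR/MRC, MSR, MRS, SVC), the patch table and the breakpoint ID encoding are assumptions for illustration, not the paper's extracted instruction set.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Privileged-mode instruction classes the hypervisor intercepts: an illustrative
 * subset (coprocessor access, PSR access, SVC), not the paper's full extracted set. */
enum insn_class { INSN_PLAIN = 0, INSN_COPROC, INSN_MSR, INSN_MRS, INSN_SVC };
/* Match fixed bits of the A32 encodings (the condition field is ignored). */
enum insn_class classify(uint32_t w) {
    if ((w & 0x0F000010u) == 0x0E000010u) return INSN_COPROC; /* MCR / MRC */
    if ((w & 0x0FB0FFF0u) == 0x0120F000u) return INSN_MSR;    /* MSR (reg) */
    if ((w & 0x0FBF0FFFu) == 0x010F0000u) return INSN_MRS;    /* MRS       */
    if ((w & 0x0F000000u) == 0x0F000000u) return INSN_SVC;    /* SVC       */
    return INSN_PLAIN;
}
/* BKPT #0 is 0xE1200070; its 16-bit immediate (imm12 at bits 19:8, imm4 at
 * bits 3:0) carries the index of the saved original instruction (assumed scheme). */
#define MAX_PATCHES 64
static struct { uint32_t *addr; uint32_t orig; } patches[MAX_PATCHES];
static size_t npatches;
static uint32_t make_bkpt(uint16_t id) { return 0xE1200070u | ((uint32_t)(id >> 4) << 8) | (id & 0xFu); }
static uint16_t bkpt_id(uint32_t w)    { return (uint16_t)((((w >> 8) & 0xFFFu) << 4) | (w & 0xFu)); }
/* Analysis step: scan a block of guest kernel code, replace each sensitive
 * instruction with a BKPT and remember the original. Returns breakpoints planted. */
size_t analyze_and_patch(uint32_t *code, size_t n) {
    size_t before = npatches;
    for (size_t i = 0; i < n && npatches < MAX_PATCHES; i++) {
        if (classify(code[i]) == INSN_PLAIN) continue;
        patches[npatches].addr = &code[i];
        patches[npatches].orig = code[i];
        code[i] = make_bkpt((uint16_t)npatches++);
    }
    return npatches - before;
}
/* Trap side: map a faulting BKPT word back to the instruction it replaced so the
 * hypervisor can emulate it; 0 means the word is not one of our breakpoints. */
uint32_t original_at_trap(uint32_t w) {
    if ((w & 0x0FF000F0u) != 0x01200070u) return 0;
    uint16_t id = bkpt_id(w);
    return id < npatches ? patches[id].orig : 0;
}
/* Constructed guest fragment: MRS r0,CPSR; BIC r0,r0,#0x80; MSR CPSR_c,r0;
 * MRC p15,0,r0,c1,c0,0; BX lr. Three of the five words are sensitive. */
uint32_t guest_code[] = { 0xE10F0000u, 0xE3C00080u, 0xE121F000u, 0xEE110F10u, 0xE12FFF1Eu };
int main(void) {
    size_t n = analyze_and_patch(guest_code, 5);
    printf("planted %zu; word 3 now %08X (was %08X)\n", n, (unsigned)guest_code[3], (unsigned)original_at_trap(guest_code[3]));
    return 0;
}
```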