From Soma-notes
Jump to navigation Jump to search


  • Where does it fit in OS architecture?
  • Simply a procdess, so: [Image 1 goes here]
  • If a shell is running in QEMU, it is not seen from the regular terminal
  • Quite analogous to the J(ava) V(irtual) M(achine)

Virtual Machine Monitor

  • What do you emulate?
    • QEMU emulates everything (like PowerPC binaries for Intel x86 chip) [Image 2 goes here]
  • If data coming in is the Linux kernel, it expects to be run in supervisor mode, so QEMU has to emulate supervisor mode (otherwise cannot process privileged instructions)
  • If a program in user mode executes a privileged instruction, a software interrupt gets generated, and the kernel is called to look up the trap table
    • Example: division by zero
  • We would like to emulate any hardware we want; so, why not just dump code directly on the CPU without QEMU in-between?
    • Cannot do this, because regular Linux kernel will catch the interrupts
      • One possible way to get around this is to take out privileged instructions from binaries (essentially rewrite them)


  • The kernel's kernel [Image 3 goes here]

Ring Model

  • Unix only has two rings: kernel = 0, user = 3 [Image 4 hoes here]
  • If hypervisor runs in -1, we can run multiple operating systems on top of the hypervisor [Image 5 goes here]
  • The hypervisor is part of the mechanism that prevents pirated games from playing on the Play Station 3
  • Hypervisor does not really affect performance, because it is tacked onto the I/O part of system calls
  • Translating memory access from applications in user spaces means switching to kernel (supervisor), and then again from supervisor to hypervisor
  • If running multiple operating systems, hypervisor designates one operating system to be the host or root access
  • "Server consolidation" - using machines to the best of their abilities to conserve power

"Blue Pill"

  • When an attacker comes in, they have to run as a user process
  • To hide, try to modify kernel code to camouflage processes
  • Put security code in hypervisor - only good if attacker does not get there first
  • Apparently, Windows kernel can actually tell if it has been virtuatlized, because there is one process that cannot be changed - the clock, so determine virtualization by checking the timing of I/O and interrupts
  • "Halting problem"


  • How do we translate addresses? For some process, looking at address 2000 actually means looking at 8420
  • Every instruction accessing memory has to perform this translation
  • There exist tables that keep these - in page intervals (a pages is approximately a 4KB block)
  • MMU needs a cache (very fast) to keep these tables
  • MMU also requires a special kind of memory called associative memory (not like computers' main memory)
    • Content-based access, not address-based
  • TLB - translational lookaside buffer is the table with tags (directly on MMU), <64K
  • If the TLB misses, the kernel gets called
  • Locality of reference: for data and for code, can be spatial and temporal