[cap-talk] Virtual Machine Based Rootkits

Mark S. Miller markm at cs.jhu.edu
Thu Sep 14 01:36:25 CDT 2006 

Bill Frantz wrote:
> donnelley1 at webstart.com (Jed at Webstart) on Thursday, August 3, 2006 wrote:
> 
>> My understanding is that all it
>> takes to be "fully virtualizable" is to have all privileged operations
>> trap in "user" mode.
> 
> [Sorry to be so late replying.  I've been traveling.]
> 
> Having all privileged operations trap in "user" mode is necessary but
> not sufficient.  On some Intel architectures, there were instructions
> that executed differently in privileged mode and in user mode.  If I
> remember correctly, some extra information was returned in privileged
> mode.  To be fully virtualizable, these instructions would also have to
> trap.  I would say an additional criteria is, "All user mode
> instructions must have the same specification in both privileged and
> user mode."

Section 10.4 of my thesis summarizes the classic paper on this topic:


Popek and Goldberg's "Formal Requirements for Virtualizable
Third Generation Architectures" [PG74] explains the
conditions needed for a hardware architecture to be cleanly
virtualizable. First, they divide the instruction set into
*privileged* and *non-privileged* instructions. For an
instruction to be considered privileged, it must trap if executed in
user mode, so that it can be emulated by a virtual machine
monitor. Then they separately divide instructions into
*innocuous* and *sensitive*. Sensitive instructions are
further divided into *control sensitive* and *behavior
sensitive*, though an instruction can be sensitive in both ways.

Control sensitive instructions can cause an effect outside the
program's addressable space---its address space and its normal
register set. Behavior sensitive instructions are those which can be
affected by state outside the program's addressable space,
i.e., it enables the program to sense external state, such as
an instruction for reading the clock. An architecture is considered to
be cleanly virtualizable if all sensitive instructions are privileged,
i.e., if all non-privileged instructions are innocuous. An
example which makes their distinctions clear is an instruction which
does something when executed in privileged mode, but acts as a noop,
rather than trapping, when executed in user mode. Since it doesn't
trap, it is a non-privileged instruction. Since its behavior depends
on the privilege bit, it is a behavior sensitive instruction. A
machine with such an instruction is not cleanly virtualizable.


[PG74] Gerald J. Popek and Robert P. Goldberg. Formal Requirements for 
Virtualizable Third Generation Architectures. Communications of the ACM,
17(7):412{421, 1974.


-- 
Text by me above is hereby placed in the public domain

     Cheers,
     --MarkM

More information about the cap-talk mailing list