[cap-talk] Userspace virtual machine for running guest code
Jack Lloyd
lloyd at randombit.net
Sun Nov 30 12:29:32 CST 2008
On Sun, Nov 30, 2008 at 05:08:21AM +0000, Baldur Johannsson wrote:
> h'lo cap-talk
> I recently came across the vx32 user space virtual machine library
> that enables a host application to run untrusted x86 guest code.
> The homepage for the vx32 library is http://pdos.csail.mit.edu/~baford/vm/
> could this help running legacy code on capability based operating
> systems like KeyKos, Eros and Capros?
It certainly seems so!
One limitation of vx32 is that it can only execute 32-bit x86 code,
due to its reliance on x86 segment registers which are removed by AMD
when they designed the x86-64 ISA.
Recently I have been using kvm (http://kvm.qumranet.com/kvmwiki) which
is a lightweight VM system for Linux which relies on the
virtualization instructions added to recent Intel and AMD processors
(it has also recently been ported to S/390, PowerPC, and IA-64). It
can run full unmodified operating systems (I have been using it with
32-bit XP and 64-bit FreeBSD) at near native speeds (though I'm not
sure about how well graphics-intensive applications like games do).
The /usr/bin/kvm binary is not setuid or setgid, the only special
access required was to give myself read/write access to /dev/kvm which
is a character device through which the userspace kvm binary interacts
with some trusted kernel code. Mediating RPC-like operations between
an untrusted application and a trusted object seems like a problem
that capability systems handle well.
One cost of a kvm-like system for a capability OS is the need for some
additional kernel/ring 0 code since many of these virtualization
instructions are privileged. Of course if increasing the lines of code
in the TCB by even 10% allowed full backwards compatibility and made
the difference between a capability-based OS being widely adopted and
not, it could well be worth the cost (in some threat models, anyway).
-Jack
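As an added example (not from Jack's post or from the kvm project) of what "read/write access to /dev/kvm" buys an unprivileged process: the probe below opens the device node and asks the trusted kernel side, via ioctl(), for its API version and whether userspace-backed guest memory is supported. It assumes Linux; the ioctl numbers and the KVM_CAP_USER_MEMORY value are copied from the stable ABI in <linux/kvm.h> so the file builds without kernel headers.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/ioctl.h>
#include <unistd.h>

/* Request numbers from the stable KVM ABI (<linux/kvm.h>): _IO(0xAE, 0x00)
 * and _IO(0xAE, 0x03), spelled as literals so no kernel headers are needed. */
#define KVM_GET_API_VERSION 0xAE00UL  /* answers 12 on every supported kernel */
#define KVM_CHECK_EXTENSION 0xAE03UL  /* > 0 if the named capability is present */
#define KVM_CAP_USER_MEMORY 3         /* guest RAM can be plain userspace mmap */
#define KVM_EXPECTED_API    12

/* Outcome of the probe: either the process can act as a VM monitor with
 * nothing but device-node permissions, or one specific thing stops it. */
enum kvm_probe { KVM_OK = 0, KVM_NO_DEVICE, KVM_NO_ACCESS, KVM_BAD_API, KVM_NO_USER_MEM };

enum kvm_probe probe_kvm(const char *path, int *api_version)
{
    /* The only privilege required is O_RDWR on the node: no setuid/setgid. */
    int fd = open(path, O_RDWR);
    if (fd < 0)
        return (errno == ENOENT || errno == ENODEV) ? KVM_NO_DEVICE : KVM_NO_ACCESS;

    /* Every request is validated by the trusted in-kernel KVM code. A node
     * that is not /dev/kvm answers -1/ENOTTY, which fails the version check. */
    int ver = ioctl(fd, KVM_GET_API_VERSION, 0);
    if (api_version)
        *api_version = ver;
    if (ver != KVM_EXPECTED_API) {
        close(fd);
        return KVM_BAD_API;
    }
    int cap = ioctl(fd, KVM_CHECK_EXTENSION, KVM_CAP_USER_MEMORY);
    close(fd);
    return cap > 0 ? KVM_OK : KVM_NO_USER_MEM;
}

int main(void)
{
    static const char *msg[] = { "usable without privilege", "no /dev/kvm node",
        "permission denied on /dev/kvm", "unexpected KVM API version",
        "KVM_CAP_USER_MEMORY missing" };
    int ver = 0;
    enum kvm_probe r = probe_kvm("/dev/kvm", &ver);
    printf("/dev/kvm: %s (api %d)\n", msg[r], ver);
    return r == KVM_OK ? 0 : 1;
}
```

On a host where the node exists but is owned by root:kvm with mode 0660, the probe reports KVM_NO_ACCESS until the user is granted read/write access to the device, which is exactly the permission change the post describes.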