
A Recap of the Xen Project Developer and Design Summit: Community Health, Development Trends, Coding Changes and More

We were thrilled to host our Xen Project Developer and Design Summit in Nanjing (Jiangning), China this June. The event brought together our community and power users under one roof to collaborate and to learn more about the future of our project. It also gave us the opportunity to connect with the large part of our community that is based in China, a region where we have seen a steady stream of Xen Project hypervisor adoption.

If you were unable to attend the event, recordings of the presentations and the accompanying slides are available. Please check them out!

We always open the event with a weather report on the Xen Project, covering areas we are improving, areas where we need more support, and the potential direction of the project. This blog covers information from the weather report as well as next steps and focus areas for the project.

Community Health
Code commits for the hypervisor have grown by 11% year over year on average since 2014, and commits in the first 5 months of 2018 grew 11% compared to the same period last year. The top 6 contributors to the project since 2011 have been Citrix, SUSE, AMD, Arm, Intel, and Oracle. This also holds for the last 12 months, in which 90% of contributions came from these top 6 players.

However, we have seen a larger than normal volume of contributions from Arm and AMD, which contributed twice as much as in previous years. EPAM is also establishing itself at the top table with its first contributions and a significant number of code reviews, and AWS made its first significant code contributions in 2017.

Hardware security issues had an impact on the project’s code review process and thus on its capacity to take in some code. In other words, x86-related development that was not directly related to hardware security issues slowed down, because the developers who normally review contributions had less bandwidth to do so.

This has forced the community to make some changes that are starting to have a positive effect: x86 developers across companies are collaborating more and better, meaning that hardware security issues in 2018 had a smaller impact on the community than those in 2017.

Innovation and Development Trends
Unikraft, a Xen Project sub-project, is on a healthy growth trajectory. Unikraft aims to simplify the process of building unikernels through a unified and customizable code base. It was created after the Xen Project Developer and Design Summit 2017.

The project recently upstreamed a significant amount of functionality, including:

  • Scheduling support, better/more complete support for KVM/Xen/Linux. Supporting Xen/KVM allows Unikraft to cater to a larger set of potential users/companies. Linux user-space provides an excellent development environment: Unikraft users can create their Unikraft unikernels as a Linux executable, use Linux’s wide range of debugging and performance optimization tools, and when done simply re-compile as a KVM or Xen unikernel (work on creating x86/Arm bare metal images is ongoing).
  • Releases of newlib (a libc-like library) and lwip (a network stack). This support allows most applications to be compiled with Unikraft and is a basic requirement for supporting a potentially wide range of applications.
  • The project is beginning to pick up traction with contributions coming from companies like NEC, Arm, and Oracle.

For more information check out the following two presentations: Unikraft and Unikraft on Arm.

We have been re-writing the x86 core. We are working on adding complex new CPU hardware features such as support for NVDIMMs and SGX. In addition, we are working on making technologies that have been used by security-conscious vendors in non-server environments ready to be used in server virtualization and cloud computing; support for measured boot is an example.

Another key innovation is a project called Panopticon, which aims to re-write some portions of the hypervisor to make Xen resilient to all types of side-channel attacks by removing unnecessary information about guests from the hypervisor.

You can find presentations related to these topics here (x86 evolution) and here (side-channel attacks and mitigations).

Continued Growth in Embedded and Automotive
We are seeing continued contributions from the embedded and automotive space to the Xen Project core, with new features and functionality including:

  • Co-processor (GPU) sharing framework enabling virtualization of co-processors such as FPGAs, DRMs, etc.
  • 2nd-generation power management and HPM on Arm – this enables a huge reduction in power consumption, which is significant for some embedded market segments.
  • RTOS-based Dom0 and code size reduction – this reduces the cost of safety certification significantly and is important for market segments where safety certification matters (such as automotive, avionics, medical, etc.). We have already brought the Xen code size on Arm to below 45K SLOC, and we expect that Dom0 will also be below 50K SLOC. This makes it possible to safety-certify a Xen-based stack to DAL C ASIL-B/C standards at a cost equivalent to less than 10 person-years of effort.
  • Improved startup latency to boot multiple VMs in parallel from the device tree – this opens up the use of Xen to small IoT and embedded devices and allows a complete Xen system to boot in milliseconds rather than seconds. In addition, it halves the cost of safety certification for systems where a Dom0 is not necessary.

You can see the progress of our re-architecture in our latest release, Xen Project hypervisor 4.11. The following summit presentations are also relevant: here (Xen and automotive at Samsung), here (CPUFreq), and here (real-time support).

These are just a few of the features and updates that make it easier to use Xen in embedded environments and in market segments where safety certification is relevant. They will also significantly reduce BoM costs and improve security in other market segments. On x86 we are also reducing code size, but this is significantly harder because of backward compatibility guarantees for x86 hardware and older operating systems.

Conclusion
The event was a great success with a lot of community and technical topics, like “How to Get Your Code Into Xen” and “The Art of Virtualizing Cache Maintenance.” Find the playlist for the full conference here. Additionally, our design sessions focused on architecture, embedded and safety, security, performance, and working practices and processes. You can find what was discussed, and next steps with these areas on our wiki.

If you want to stay abreast of where and when the Xen Project Developer and Design Summit will be held next year, follow us on Facebook and Twitter.

Improving the Stealthiness of Virtual Machine Introspection on Xen

This blog post comes from Stewart Sentanoe of the University of Passau. Stewart is a PhD student and he was recently a Google Summer of Code Intern working on the Honeynet Project. 

Project Introduction

Virtual Machine Introspection

Virtual Machine Introspection (VMI) is the process of examining and monitoring a virtual machine from the point of view of the hypervisor or virtual machine monitor (VMM). Using this approach, we can obtain an untainted view of the monitored virtual machine’s state. There are currently three main problems with VMI:

  • Semantic gap: How do you interpret low-level data into useful information?
  • Performance impact: How big is the overhead?
  • Stealthiness: How do you make the monitoring mechanism hard for an adversary to detect?

This project focused on the third problem, and specifically on how to hide the breakpoints that have been set. We do not want the adversary to be able to detect that a breakpoint has been set on certain memory addresses; if they can, they will most likely abandon the attack and we will learn nothing. By leveraging VMI, we can build a high-interaction honeypot where the adversary can do whatever they want with the system. We can thus gather as much information as possible, get the big picture of what is going on in the system, and learn from it.
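
To make the idea more concrete, here is a minimal LibVMI-style sketch that attaches to a running guest from the management domain and resolves a guest kernel symbol from the outside, without any agent inside the guest. The guest name is a placeholder, error handling is trimmed, and the calls follow the older LibVMI API (signatures differ in newer releases), so treat it as an illustration rather than working tooling.

    #include <stdio.h>
    #include <libvmi/libvmi.h>

    int main(void)
    {
        vmi_instance_t vmi;

        /* Attach to the guest by name (placeholder); legacy LibVMI init style. */
        if (vmi_init(&vmi, VMI_XEN | VMI_INIT_COMPLETE, "guest-vm") == VMI_FAILURE)
            return 1;

        /* Bridging the semantic gap: translate a guest kernel symbol into an
         * address the monitoring side can use, without asking the guest. */
        addr_t init_task = vmi_translate_ksym2v(vmi, "init_task");
        printf("init_task lives at 0x%lx\n", (unsigned long)init_task);

        vmi_destroy(vmi);
        return 0;
    }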

Setting a Breakpoint as Implemented by DRAKVUF

DRAKVUF is a virtualization based agentless black-box binary analysis system developed by Tamas K Lengyel. DRAKVUF allows for in-depth execution tracing of arbitrary binaries (including operating systems), all without having to install any special software within the virtual machine used for analysis (https://drakvuf.com and https://github.com/tklengyel/drakvuf).

DRAKVUF implements breakpoints in two ways: with INT3 (the 0xCC opcode) and with Xen altp2m.

DRAKVUF takes the following steps to inject a breakpoint using INT3 (a condensed code sketch follows the list):

  1. Inject 0xCC into the target
  2. Mark pages Execute-only in the EPT (Extended Page Tables)
  3. If anything tries to read the page:
    1. Remove 0xCC and mark page R/W/X
    2. Singlestep
    3. Place 0xCC back and mark page X-only
  4. When 0xCC traps to Xen
    1. Remove 0xCC
    2. Singlestep
    3. Place 0xCC back

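A condensed sketch of this flow is shown below. The helper functions are hypothetical placeholders for the libxc/LibVMI plumbing DRAKVUF actually uses; only the control flow mirrors the steps above.

    #include <stdint.h>

    typedef uint64_t addr_t;
    enum { ACCESS_X, ACCESS_RWX };

    /* Hypothetical helpers standing in for DRAKVUF's real plumbing. */
    extern uint8_t read_guest_byte(addr_t pa);
    extern void    write_guest_byte(addr_t pa, uint8_t val);
    extern void    set_ept_access(addr_t pa, int access);
    extern void    singlestep_vcpu(void);

    #define INT3 0xCC

    static uint8_t saved;                /* original byte at the breakpoint   */

    void set_breakpoint(addr_t pa)
    {
        saved = read_guest_byte(pa);     /* remember the original byte        */
        write_guest_byte(pa, INT3);      /* 1. inject 0xCC                    */
        set_ept_access(pa, ACCESS_X);    /* 2. mark the page execute-only     */
    }

    void on_read_violation(addr_t pa)    /* 3. something tries to read        */
    {
        write_guest_byte(pa, saved);     /* 3.1 remove 0xCC, allow R/W/X      */
        set_ept_access(pa, ACCESS_RWX);
        singlestep_vcpu();               /* 3.2 let the read complete         */
        write_guest_byte(pa, INT3);      /* 3.3 re-arm, back to execute-only  */
        set_ept_access(pa, ACCESS_X);
    }

    void on_int3_trap(addr_t pa)         /* 4. the breakpoint fires           */
    {
        write_guest_byte(pa, saved);     /* 4.1 restore original instruction  */
        singlestep_vcpu();               /* 4.2 execute it once               */
        write_guest_byte(pa, INT3);      /* 4.3 re-arm the breakpoint         */
    }
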
Sounds good, right? But there is a big problem when INT3 is used this way, particularly once a VM is running on multiple vCPUs.

To make the breakpoint mechanism work well with multiple vCPUs, DRAKVUF uses Xen altp2m. During normal runtime of a VM, each guest physical frame (GFN – Guest Frame Number) is mapped one to one to a machine (host) physical frame (MFN – Machine Frame Number).

Next, to set a breakpoint, DRAKVUF copies the target page to the end of the guest’s physical memory and adds the trap there. DRAKVUF also creates an empty page, whose purpose will be explained later.

Now, at runtime, the pointer for the original target is switched to the shadow copy, which is marked execute-only.

If a process tries to read that page, DRAKVUF can simply switch the pointer back to the original, single-step, and then switch the pointer to the shadow copy again. You might be thinking that an adversary able to scan “beyond” physical memory would detect the page containing the copy. This is where the empty page kicks in: whenever a process tries to read or write the shadow copy, DRAKVUF simply changes the pointer to the empty page.
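
The remapping itself is built on Xen’s altp2m interface. The sketch below outlines the setup with the xc_altp2m_* calls from libxc; the exact signatures vary between Xen releases and DRAKVUF does far more bookkeeping than this, so treat it as an outline under those assumptions rather than drop-in code.

    #include <stdbool.h>
    #include <xenctrl.h>

    /* Outline of the shadow-page dance: map the target GFN to the trapped
     * shadow copy in an execute-only altp2m view, and keep an empty GFN in
     * reserve to hide the shadow copy from read/write probes. */
    void shadow_breakpoint(xc_interface *xch, uint32_t domid,
                           xen_pfn_t target_gfn, xen_pfn_t shadow_gfn,
                           xen_pfn_t empty_gfn)
    {
        uint16_t view = 0;

        xc_altp2m_set_domain_state(xch, domid, true);        /* enable altp2m */
        xc_altp2m_create_view(xch, domid, XENMEM_access_rwx, &view);

        /* Point the target at the shadow copy and make that mapping
         * execute-only in this view. */
        xc_altp2m_change_gfn(xch, domid, view, target_gfn, shadow_gfn);
        xc_altp2m_set_mem_access(xch, domid, view, target_gfn, XENMEM_access_x);

        xc_altp2m_switch_to_view(xch, domid, view);

        /* On a read or write of the shadow copy, DRAKVUF would remap it to
         * the empty page instead, e.g.:
         *   xc_altp2m_change_gfn(xch, domid, view, shadow_gfn, empty_gfn); */
        (void)empty_gfn;
    }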

Sounds cool, doesn’t it? Of course it is! But there are several problems with this process, which led to this GSoC project. The sections below cover them piece by piece.

Problems of DRAKVUF

These are the three problems I found during this project:

  1. There is an M:1 relation between the shadow copies and the empty page, which means that if we set breakpoints on two addresses, DRAKVUF creates two shadow copies but only one empty page.
  2. If an adversary is able to write “something” to one shadow copy, the “something” will also appear on the other shadow copy, which can raise their suspicion.
  3. The current implementation of DRAKVUF uses ’00’ for the empty page, but the real behaviour of such unbacked addresses had never been observed.

Proposed Milestones

There are two milestones for this project:

  1. Create a proof of concept (a kernel module) that detects the presence of DRAKVUF by writing “something” to one of the shadow copies and probing the second shadow copy for the presence of that “something”
  2. Patch DRAKVUF

The Process and the Findings

At the beginning of this project, I had no idea how to read memory beyond the physical address space, but then I found this article, which describes a function (ioremap) that I used for my kernel module (available here). The drawback is that it requires some debug information generated by DRAKVUF, for example the addresses of the shadow copies.
https://gist.github.com/scorpionzezz/d4f19fb9cc61ff4b50439e9b1846a17a
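
For readers who do not want to open the gist, the heart of the module looks roughly like the sketch below. The shadow-copy addresses are placeholders that have to be filled in from DRAKVUF’s debug output, and the real module does more than this; it is only meant to show the ioremap()-based probing.

    #include <linux/module.h>
    #include <linux/io.h>

    #define SHADOW1_PA 0x0UL  /* placeholder: first shadow copy (from DRAKVUF's debug output) */
    #define SHADOW2_PA 0x0UL  /* placeholder: second shadow copy                              */

    static int __init probe_init(void)
    {
        /* ioremap() lets the module map physical addresses that lie
         * beyond the guest's normal RAM. */
        void __iomem *p1 = ioremap(SHADOW1_PA, PAGE_SIZE);
        void __iomem *p2 = ioremap(SHADOW2_PA, PAGE_SIZE);

        if (!p1 || !p2) {
            if (p1) iounmap(p1);
            if (p2) iounmap(p2);
            return -ENOMEM;
        }

        iowrite8(0x41, p1);   /* write 'A' to the first shadow copy */
        pr_info("second shadow copy now reads 0x%02x\n", ioread8(p2));

        iounmap(p1);
        iounmap(p2);
        return 0;
    }

    static void __exit probe_exit(void) { }

    module_init(probe_init);
    module_exit(probe_exit);
    MODULE_LICENSE("GPL");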

When I executed the code without the writing part, I got this: https://gist.github.com/scorpionzezz/6e4bdd0b22d5877057823a045c784721

As expected, it gave me an empty result. Then I wrote “something” to the first address, in this case the letter ‘A’ (41 in hex). The ‘A’ also appeared at the second address: https://gist.github.com/scorpionzezz/ce6623f1176e99de61617222ceba462a

Bingo! Something fishy is going on there. Next, I tried to print more addresses: https://gist.github.com/scorpionzezz/22bdb3c727dd130bb59b28cf717d9bac

Did you see something weird there? Yes, the ‘FF’: the empty space actually reads as ‘FF’ instead of ’00’. So an adversary does not even need to write “something” to the empty page; simply detecting ’00’ bytes there reveals the presence of DRAKVUF.

But where does the ‘FF’ come from? Architecturally, only physical addresses within the width reported by CPUID EAX=80000008h, bits 7:0 (more here) are considered “valid”. Linux checks address validity when it sets up the memory page tables (see here), and it is up to the firmware to tell the OS and the hypervisor which ranges are valid via the E820 map (see here). When a process accesses a memory address that is not valid (assuming the page table entry exists), the access goes through the Memory Management Unit (MMU) and then the Platform Controller Hub (PCH). The PCH tries to find the corresponding physical memory and fails; writes are simply ignored, and reads return all 1s. This behaviour is documented in this Intel document (page 32), and in any case VMI (for now) only works on Intel processors.

Alright, now time to fix this.

The first problem is easy to fix: I just write ‘FF’ to the shadow page: https://gist.github.com/scorpionzezz/9853d836b38b82c2961c1d437390c8a3

That solved the simple problem. Now let’s talk about the bigger problem: the writes. The idea is to simply ignore write attempts to the shadow page and to the empty page. In both cases, we can use a feature provided by Xen that emulates the write. Sounds easy, but there was another problem: LibVMI (the library used by DRAKVUF) did not support the write-emulation flag, so I needed to patch it (see here).

Alright, now whenever a process tries to write to the shadow copy, I just emulate the write: https://gist.github.com/scorpionzezz/3a12bebdd43d5717d671136f0fc0069c

We also need to add a trap to the shadow copy so that we can emulate writes to it as well: https://gist.github.com/scorpionzezz/763cd6b9f257105f2941e104cf6f2d8e

Now, every time a process tries to write to either the empty page or the shadow copy, the written value is not “stored” in memory. This hides DRAKVUF better.
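
Putting the pieces together, the write handling conceptually looks like the hedged sketch below: a LibVMI memory event watches the guarded GFN for writes, and the callback answers with an emulate response so the write never lands in the page. VMI_EVENT_RESPONSE_EMULATE is an existing LibVMI response flag, but the actual DRAKVUF/LibVMI patches add dedicated write-emulation support, so the exact flag and event fields here are assumptions rather than the shipped code.

    #include <libvmi/libvmi.h>
    #include <libvmi/events.h>

    /* Callback for write attempts on the guarded GFN: ask Xen to emulate the
     * faulting instruction so the written value is effectively discarded. */
    static event_response_t shadow_write_cb(vmi_instance_t vmi, vmi_event_t *event)
    {
        (void)vmi;
        (void)event;
        return VMI_EVENT_RESPONSE_EMULATE;
    }

    void guard_shadow_page(vmi_instance_t vmi, addr_t shadow_gfn)
    {
        /* Static so the event outlives this function; LibVMI keeps a pointer. */
        static vmi_event_t event;

        event.version = VMI_EVENTS_VERSION;
        event.type = VMI_EVENT_MEMORY;
        event.mem_event.gfn = shadow_gfn;
        event.mem_event.in_access = VMI_MEMACCESS_W;
        event.callback = shadow_write_cb;

        vmi_register_event(vmi, &event);
    }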

Conclusion

This project increases the stealthiness of DRAKVUF. With a higher level of stealthiness, it opens up the potential for a new generation of honeypots, intrusion detection systems, and dynamic malware analysis tools in which it is hard for an adversary to detect the presence of the monitoring system.

Acknowledgement

Thanks to Tamas K Lengyel and Varga-Perke Balint – you rock! Thank you for your help and patience. Thanks also to Benjamin Taubmann for his support, and of course to the Honeynet Project and Google for GSoC 2018 🙂


Summer = Xen Project Internships!

We received a lot of amazing submissions for our summer Outreachy internship program and have accepted Dafna Hirschfeld to join us in creating new execution targets for Unikraft. Unikraft is a Xen Project incubation project that aims to simplify the process of building unikernels through a unified and customizable code base.

Currently, Unikraft supports building images that can be executed as a virtual machine on Xen and KVM, and as an ELF binary within the Linux user-space environment. Support for more execution targets is added by providing additional platform libraries that can be chosen at build time. Dafna will be fairly free to choose a platform, perhaps based on familiarity or curiosity. Examples of platform choices include bare metal, ARM, x86_64, VMware, Microsoft Hyper-V, and bhyve.

If you are unfamiliar with Outreachy, it provides three-month internships for people from groups traditionally underrepresented in tech. Interns work remotely with mentors from Free and Open Source Software (FOSS) communities. Xen Project interns have later gone on to work at companies like Oracle, Google and Citrix.

In addition to Outreachy, we are excited to announce a few new interns who will be working on the Xen Project hypervisor through Google Summer of Code. Although the Xen Project was not a mentoring organisation for Google Summer of Code this year, FreeBSD and the Honeynet Project were, and they had a number of Xen Project-related projects. Google Summer of Code is a global program focused on bringing more student developers into open source software development.

Interns who are part of Google Summer of Code and are working to push Xen Project technologies forward include:

  • Kristaps Civkulis, who will be working on enabling the EFI loader to load a FreeBSD Xen Dom0. There are two parts to the project – you can learn more about it here. The organization supporting this work is the FreeBSD Project.
  • Pratyush Yadav, who will import the Xen grant-table bus_dma(9) handlers from OpenBSD. The FreeBSD Project is supporting Pratyush.
  • Lele Ma, who will port LibVMI to Xen Mini-OS. In this project, the core functionality of LibVMI will be ported to Mini-OS; once ported, Mini-OS will have the basic capability of introspecting the memory of other guest virtual machines. The Honeynet Project is supporting Lele.
  • The Honeynet Project is also supporting Stewart Sentanoe, who is working on stealth monitoring with Xen altp2m based on previous work (see here), and Ulrich Fourier, who is working on adding support for ARM introspection, a follow-up to a 2016 GSoC project that added altp2m support to Xen on ARM.

Working in open source is a great way to start your career in technology. In a recent survey from HackerRank, 84% of respondents (including CEOs, CTOs, and company founders) said they look at an applicant’s GitHub project work as an indicator of a prospective employee’s on-the-job skills.

We want to thank everyone who applied to our Outreachy internship program, and we look forward to sharing the accomplishments of our interns. Welcome to open source!


Xen Project Contributor Spotlight: Kevin Tian

The Xen Project is comprised of a diverse set of member companies and contributors that are committed to the growth and success of the Xen Project Hypervisor. The Xen Project Hypervisor is a staple technology for server and cloud vendors, and is gaining traction in the embedded, security and automotive space. This blog series highlights the companies contributing to the changes and growth being made to the Xen Project and how the Xen Project technology bolsters their business.


Name: Kevin Tian
Title: Principal Engineer of Open Source Technology Center
Company: Intel

When did you join the Xen Project, and why/how is your organization involved?
My journey with the Xen Project spans ~13 years now (since 2005), with a focus on hardware-assisted virtualization using Intel® Virtualization Technology (Intel® VT). I act as the maintainer for the VT-x/VT-d sub-systems in the Xen Project community. The Xen Project was the first open source virtualization project to embrace Intel® VT and is a leading community for demonstrating new hardware virtualization features.

How does your involvement benefit your company?
Working with open source communities can definitely bring great value to the whole ecosystem around new technologies, which Intel debuts every year. For example, as the pioneer of Intel® VT support, the Xen Project’s success accelerated the market transition from software-based virtualization (binary translation, para-virtualization, etc.) to hardware-assisted virtualization (HVM, PVH, etc.). Hardware-assisted virtualization brings reduced maintenance overhead, full guest OS compatibility, and better performance.

How does the Xen Project’s technology help your business?
The ecosystem built around the Xen Project is definitely helpful in generating demand for Intel servers (with Intel® VT).

What are some of the major changes you see with virtualization and the transition to cloud native computing?
While virtualization technology has become the fundamental building block of the cloud, there is still a major gap in I/O capabilities when comparing virtualized environments to bare metal. Although network and storage virtualization have been in place for years, efficient virtualization and sharing of the new booming accelerators (GPU, NVMe, FPGA, QAT, etc.) are still not widely available. The ceiling of what cloud-native computing can achieve could be severely limited if it remains disconnected from the powerful accelerators present in the physical server.

What advice would you give someone considering joining the Xen Project?
The Xen Project is possibly one of the most successful open source virtualization projects in the world. The mature community and the rich features accumulated over the decade-plus the project has existed provide a strong foundation that will save you time, whether you are developing a value-added business or exploring new virtualization research.

What excites you most about the future of Xen?
I’m excited by the fact that the Xen Project keeps embracing new innovations, e.g. PVH, XenGT, etc., and penetrating new markets.

What’s New with Xen Project Hypervisor 4.8?

I’m pleased to announce the release of the Xen Project Hypervisor 4.8. As always, we focused on improving code quality, security hardening as well as enabling new features. One area of interest and particular focus is new feature support for ARM servers. Over the last few months, we’ve seen a surge of patches from various ARM vendors that have collaborated on a wide range of updates from new drivers to architecture to security.

We are also pleased to announce that Julien Grall will be the next release manager for Xen Project Hypervisor 4.9. Julien has been an active developer for the past few years, making significant code contributions to advance Xen on ARM. He is a software virtualization engineer at ARM and co-maintainer of Xen on ARM with Stefano Stabellini.

This release also marks the start of our first 6-month release cycle. Despite the shorter timeframe and the more thorough security processes we put in place, we have maintained development momentum for the Xen Project Hypervisor.

We’ve also worked with the Debian community to bring Xen Project Hypervisor 4.8 to the upcoming release (codename “Stretch”).

Here are the categories with updates to highlight in 4.8:

  • Hypervisor General
  • Hypervisor x86
  • Hypervisor ARM
  • Toolstack
  • Xen Project Test Lab
  • Misc.

Hypervisor General

  • Credit2 scheduler is now supported: Compared to the default Credit scheduler, the Credit2 scheduler is more scalable and better at supporting latency sensitive workloads such as VDI, video and sound delivery, as well as unikernel applications. Credit2 is still based on a general purpose, weighted fair share, scheduling algorithm unlike some of the more specialized Xen Project schedulers such as RTDS and ARINC653.
  • Domain creation time optimisation: An optimisation to TLB flushing is introduced that greatly reduces the number of flushes needed during domain creation. This has led to the reduction of domain creation time for very large domains (with hundreds of gigabytes of RAM) from a few minutes to tens of seconds.
  • XSM policy is refactored and cleaned up: XSM policy files are refactored and cleaned up so that they are better organised and easier to understand. If configured, we can also now attach the in-tree default policy to the Xen binary, so there is no need to load the default policy via the boot loader.
  • Live Patching hook support: Live Patching is now able to look for the “hooks” section in the payload and execute code from there. This update gives the patch author more control in modifying data and code.

Hypervisor x86

  • CPUID faulting emulation: This makes CPUID executed by HVM userspace programs fault, even without hardware support for CPUID faulting.
  • PVCLOCK_TSC_STABLE_BIT support: This greatly improves user space performance for time related syscalls.
  • Intel AVX-512 instruction support: These instructions offer higher performance for the most demanding computational tasks and represent a significant leap to 512-bit SIMD support. This enables processing of twice the number of data elements that AVX/AVX2 can process with a single instruction, and four times that of SSE (a short guest-side illustration follows this list).
  • PVH v2 DomU ABI is stabilised: The DomU guest ABI for PVH v2, without PCI passthrough support, is stabilised. Guest operating system developers can start porting OSes to this mode, which is simpler and gives them all the goodies that hardware and software provide.
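
As a rough, guest-side illustration of the width difference mentioned in the AVX-512 item above (this is application code, not hypervisor code): a single AVX-512 instruction operates on sixteen packed single-precision floats, versus eight for AVX/AVX2 and four for SSE.

    #include <immintrin.h>

    /* One AVX-512 add handles 16 floats (512 bits) at a time:
     * twice the width of AVX/AVX2 and four times that of SSE. */
    void add16(const float *a, const float *b, float *out)
    {
        __m512 va = _mm512_loadu_ps(a);
        __m512 vb = _mm512_loadu_ps(b);
        _mm512_storeu_ps(out, _mm512_add_ps(va, vb));
    }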

Hypervisor ARM

  • ARM DomU ACPI support: Xen Project 4.8 is now able to build ARM64 guests with ACPI support, allowing guest operating systems such as Red Hat Enterprise Linux Server for ARM Development Preview (available via the Partner Early Access Program) to run unmodified on Xen on ARM.
  • Alternative patching support: This enables the hypervisor to apply workarounds for errata affecting the processor and to apply optimizations specific to a CPU.
  • Live Patching initial support: Live Patching now supports both ARM32 and ARM64 platforms.
  • Support for Xilinx® Zynq® UltraScale+™ MPSoC: Xen Project Hypervisor 4.8 comes with support for the Xilinx Zynq UltraScale+ MPSoC, making it much easier for Xilinx customers to integrate Xen into their solutions.

Toolstack

  • Split out and re-license libacpi: The code inside hvmloader to construct guest ACPI tables is split out as a separate library libacpi, which is now shared across x86 and ARM. The code is re-licensed from GPL to LGPL.
  • HVM USB passthrough: It is now possible to pass through USB devices to HVM guests with the help of QEMU.
  • Load BIOS via libxl: It is now possible to provide an arbitrary BIOS binary to the guest, making it easier to integrate and test Xen.
  • Libxl device handling framework: The device handling code inside libxl is reworked so that it is more extensible and easier to maintain.

Xen Project Test Lab

  • XTF is integrated into OSSTest: XTF is a micro-VM based test framework. It is now integrated into OSSTest and gates pushing patches to all supported Xen branches. This would help the project identify functional and security regressions more easily and quickly.

Misc.

  • Mini-OS ported to PVH v2: With the stabilization of the PVH v2 DomU ABI, we were confident enough to port Mini-OS to that mode. This serves as an example for porting guest OSes to PVH v2, as well as a foundation for more interesting micro-VM based work such as building stub domains. The latter (stub domains) is a differentiator from other hypervisors and could greatly enhance the security and scalability of the Xen Project Hypervisor.
  • Mini-OS now supports ballooning up: Ideally, a service domain should be able to dynamically adjust the memory it consumes, either voluntarily or in response to commands from the hypervisor. Ballooning up is an important step towards making Mini-OS based service domains more flexible in their memory consumption; support for ballooning Mini-OS down is under development.

Summary

Despite the shorter release cycle, the community developed several major features, and found and fixed many more bugs. It is also rather impressive to see multiple vendors collaborate on the Xen Project Hypervisor to drive multiple projects forward. Major contributions for this release come from ARM, BitDefender, Bosch, Citrix, Freescale, Intel, Linaro, Oracle, Qualcomm, SUSE, Star Lab, the US National Security Agency, Xilinx, Zentific, and a number of universities and individuals.

Over the last year, contributors with strong security and embedded backgrounds have joined the Xen Project, allowing us to continue to focus on performance and flexibility without sacrificing security and reliability. The Xen Project Hypervisor continues to move forward thanks to amazing efforts from companies developing products based on the hypervisor, such as XenServer 7 and Bitdefender Hypervisor Introspection, and to novel developments such as Live Patching and Virtual Machine Introspection.

In this release, we took a security-first approach and spent a lot of energy improving code quality and hardening security. This inevitably slowed down the acceptance of new features a bit, but we believe it struck a meaningful balance between mature security practice and innovation.

On behalf of the Xen Project Hypervisor team, I would like to thank everyone for their contributions (either in the form of patches, bug reports or packaging efforts) to the Xen Project. Please check our acknowledgement page, which recognizes all those who helped make this release happen.

The source can be located in the http://xenbits.xen.org/gitweb/?p=xen.git;a=shortlog;h=refs/heads/stable-4.8 tree (tag RELEASE-4.8.0) or can be downloaded as a tarball from our website.

Xen Project Maintenance Releases Available (Versions 4.6.4 and 4.7.1)

I am pleased to announce the release of Xen 4.6.4 and 4.7.1. Xen Project Maintenance releases are released in line with our Maintenance Release Policy. We recommend that all users of the 4.6 and 4.7 stable series update to the latest point release.

Xen 4.6.4

Xen 4.6.4 is available immediately from its git repository http://xenbits.xen.org/gitweb/?p=xen.git;a=shortlog;h=refs/heads/stable-4.6
(tag RELEASE-4.6.4) or from the Xen Project download page http://www.xenproject.org/downloads/xen-archives/supported-xen-46-series/xen-464.html

Xen 4.7.1

Xen 4.7.1 is available immediately from its git repository http://xenbits.xen.org/gitweb/?p=xen.git;a=shortlog;h=refs/heads/stable-4.7
(tag RELEASE-4.7.1) or from the Xen Project download page http://www.xenproject.org/downloads/xen-archives/supported-xen-47-series/xen-471.html

These releases contain many bug fixes and improvements. For a complete list of changes, please check the lists of changes on the download pages.