INTERPOSITION METHOD SUITABLE FOR HARDWARE-ASSISTED VIRTUAL MACHINE

US 20100299665A1
Filed: 05/19/2009
Published: 11/25/2010
Est. Priority Date: 05/19/2009
Status: Active Grant

First Claim

Patent Images

1. A method of interposing operations in a computational system that includes a virtualization system executable on an underlying hardware processor that natively supports one or more instructions that transition between host and guest execution modes, the method comprising:

introducing a hooked vector into a supervisor register block of the hardware processor, wherein the hooked vector displaces a system call handler vector otherwise set by a guest computation to activate a system call handler;

read and write protecting at least the hooked vector containing portion of the supervisor register block;

initiating execution of a code sequence of the guest computation on the hardware processor using one of the instructions that transition between the host and guest execution modes thereof, wherein the code sequence includes a system call and wherein upon initiation of the system call, the hardware processor transfers execution to a substitute handler in accordance with the hooked vector; and

responsive to execution of the substitute handler, initiating a hooked operation and transferring control to the system call handler.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

One embodiment of the present invention is a method of interposing operations in a computational system that includes a virtualization system executable on an underlying hardware processor that natively supports one or more instructions that transition between host and guest execution modes. The method includes introducing a hooked vector into a supervisor register block of the hardware processor, wherein the hooked vector displaces a system call handler vector otherwise set by a guest computation; read and write protecting at least the hooked vector containing portion of the supervisor register block; initiating execution of a code sequence of the guest computation on the hardware processor using one of the instructions that transition between the host and guest execution modes thereof, wherein the code sequence includes a system call and wherein upon initiation of the system call, the hardware processor transfers execution to a substitute handler in accordance with the hooked vector; and responsive to execution of the substitute handler, initiating a hooked operation and transferring control to the guest system call handler.

Citations

24 Claims

1. A method of interposing operations in a computational system that includes a virtualization system executable on an underlying hardware processor that natively supports one or more instructions that transition between host and guest execution modes, the method comprising:
- introducing a hooked vector into a supervisor register block of the hardware processor, wherein the hooked vector displaces a system call handler vector otherwise set by a guest computation to activate a system call handler;
  
  read and write protecting at least the hooked vector containing portion of the supervisor register block;
  
  initiating execution of a code sequence of the guest computation on the hardware processor using one of the instructions that transition between the host and guest execution modes thereof, wherein the code sequence includes a system call and wherein upon initiation of the system call, the hardware processor transfers execution to a substitute handler in accordance with the hooked vector; and
  
  responsive to execution of the substitute handler, initiating a hooked operation and transferring control to the system call handler.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, further comprising:
    - introducing the substitute handler into the guest computation as a loadable kernel module.
  - 3. The method of claim 1, further comprising:
    - restoring the system call handler vector in the supervisor register block; and
      
      thereafter, reintroducing the hooked vector, wherein the restoring and reintroducing are performed dynamically in response to respective hypercalls.
  - 4. The method of claim 1, wherein the supervisor register block includes at least a particular one of:
    - a model-specific register;
      
      a control register;
      
      a virtual machine control block (VMCB); and
      
      a virtual machine control store (VMCS), in which the hardware processor ordinarily encodes a system call handler vector.
  - 5. The method of claim 1,wherein the initiation of the hooked operation and control transfer to the system call handler are performed integrally and non-interruptably.
  - 6. The method of claim 1,wherein the hooked operation includes execution of either or both of pre- and post-system-call code.
  - 7. The method of claim 1, further comprising:
    - executing the hooked operation within an execution context of the guest computation.
  - 8. The method of claim 1, further comprising:
    - performing a hypercall from an execution context of the guest computation and executing the hooked operation within an execution context of the virtualization system.
  - 9. The method of claim 1, further comprising:
    - responsive to an attempted read access to a portion of the control register that codes the substitute handler vector and in connection with servicing of a related protection fault by the virtualization system, supplying the system call handler vector from a guest vector store accessible to the virtualization system.
  - 10. The method of claim 1, further comprising:
    - responsive to an attempted write access to a portion of the control register that codes the substitute handler vector and in connection with servicing of a related protection fault by the virtualization system, updating a guest vector store accessible to the virtualization system.
  - 11. The method of claim 1,wherein the control register includes a model-specific register (MSR) of the hardware processor.
  - 12. The method of claim 1, wherein the hooked operation instruments a subset of system call events relative to one of more of:
    - performance monitoring;
      
      execution correctness or auditing;
      
      a security behavior; and
      
      policy enforcement.
  - 13. The method of claim 12, further comprising:
    - selecting the instrumented subset of system call events in response to a hypercall.

14. A virtualization system adapted for execution on a hardware processor that provides hardware-assistance for virtualization using a native instruction executable on the processor to initiate a guest execution mode for direct execution of code associated with a guest computation, the virtualization system configured to selectively interpose on system calls initiated by the guest computation using:
- (i) a hooked vector introduced into a supervisor register block of the processor, displacing a system call handler vector otherwise set for the guest computation to activate a system call handler; and
  
  (ii) a substitute handler introduced into the guest computation code as a loadable kernel module, the substitute handler executable to initiate a hooked operation and to transfer control to the system call handler, wherein the virtualization system spoofs operative content of a system call handler vector coding of the model-specific register based on protection faults serviced by the virtualization system.
- View Dependent Claims (15, 16, 17)
- - 15. The virtualization system of claim 14,embodied as software encoded in one or more computer readable media and executable on an underlying physical machine that includes the hardware processor and the supervisor register block.
  - 16. The virtualization system of claim 14, operatively combined with a physical machine that includes the hardware processor and the supervisor register block.
  - 17. The virtualization system of claim 14,embodied as software instantiated in memory of a physical machine that includes the hardware processor and the supervisor register block, the instantiated software executable on one or more processors of the physical machine.

18. A computer program product embodied in one or more computer readable media and comprising:
- program code executable on a physical machine to implement a virtualization system that exports at least one virtual machine to a guest computation; and
  
  substitute handler code introducible as a loadable kernel module of the guest computation and executable to initiate a hooked operation and to transfer control to a system call handler of the guest computation,the program code including initialization code executable in response to a hypercall from the guest computation to introduce into a supervisor register block of the physical machine a hooked vector that identifies the substitute handler code and displaces a vector to the system call handler otherwise set for the guest computation and to spoof operative content of the supervisor register block based on protection faults serviced by the virtualization system.
- View Dependent Claims (19, 20, 21, 22, 23, 24)
- - 19. The computer program product of claim 18,wherein the substitute handler code includes a hypercall that transfers control from an execution context of the guest computation to the virtualization system.
  - 20. The computer program product of claim 18,wherein the initialization code read and write protects at least the hooked vector containing portion of the supervisor register block.
  - 21. The computer program product of claim 18,wherein the hooked operation instruments a subset of system call events relative to one or more of performance monitoring, execution correctness or auditing, a security behavior, and policy enforcement.
  - 22. The computer program product of claim 21,wherein the program code implements a hypercall interface whereby the guest computation may select the instrumented subset of system call events.
  - 23. The computer program product of claim 18, wherein the computer readable media are selected from the set of a disk, tape or other magnetic, optical or electronic storage medium.
  - 24. The computer program product of claim 18, at least transiently encoded in the one or more computer readable media in connection with transmission via a network, wire line, wireless or other communications medium.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Vmware LLC (Broadcom, Inc.)
Original Assignee
VMware, Inc. (Broadcom, Inc.)
Inventors
ADAMS, Keith

Granted Patent

US 9,195,487 B2
Time in Patent Office

Days
Field of Search
US Class Current

718/1
CPC Class Codes

G06F 2009/45583   Memory management, e.g. acc...

G06F 9/45533   Hypervisors; Virtual machin...

G06F 9/45545   Guest-host, i.e. hypervisor...

G06F 9/45558   Hypervisor-specific managem...

G06F 9/4806   Task transfer initiation or...

G06F 9/4812   by interrupt, e.g. masked

INTERPOSITION METHOD SUITABLE FOR HARDWARE-ASSISTED VIRTUAL MACHINE

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

INTERPOSITION METHOD SUITABLE FOR HARDWARE-ASSISTED VIRTUAL MACHINE

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links