Lecture: Dune

Dune: Safe User-level Access to Privileged CPU Features, OSDI 2012

Questions

Question

Why is it safe for Dune to expose privileged instructions to applications? Specifically, how can Dune prevent a malicious process from overwriting the memory of the Linux kernel/another process (e.g., by modifying %CR3 or the page table)?

Question

Dune provides speedup for handling traps and garbage collection, as shown in Section 6.2/Table 3. We have seen similar benchmarks in the exokernel paper. Compare the techniques used in both systems and briefly describe the pros/cons.

Question

Consider the following approach that doesn’t use EPT at all: let Dune expose %CR3 as read-only (i.e., a Dune process can read but cannot modify the value of %CR3), map page-table pages as read-only, and in addition provide a vmcall to modify entries in the page table. Is this safe? If so, is it slower or faster than Dune’s approach?

Question

Provide a list of questions you would like to discuss in class. Feel free to provide any comments on the paper and related topics (e.g., which parts you like and which parts you find confusing).

why reading this paper
- IX (OSDI’14), Shinjuku (NSDI’19)
- see Google’s gvisor
- research paradigm
  - writing a new OS is hard (e.g., features, adoption)
  - hacking Linux is hard (e.g., upstream, complexity)
  - Dune provides a nice design point
- source code: kern, libdune
why virtual machines
- 60-70s: better use of expensive machines
- 80s: mostly OSes
- 90s: desktop virtualization
- cloud, business model driven (another trend: containers/datacenter OSes), security monitors
- this paper: repurposing virtual machine instructions
terminology
- host, guest
- host can be baremetal or an OS
- VMM (virtual machine monitor), hypervisor
- tagged TLB: PCID, VPID
- Intel VMX (VT-x), AMD SVM (AMD-V)
goals
- fidelity: (almost) identical to execution on hw
- performance: low overhead
- safety: isolation, mutiplexing
- compare approaches: language VM, emulation, trap-and-emulate (e.g., run kernel in user mode)
classically virtualizable ISA
- trap-and-emulate
- sensitive instructions ⊆ privileged instruction (Popek-Goldberg)
- x86 (before vmx/svm)
  - not virtualizable: 17 sensitive, unprivileged instructions
  - example: pushf/popf/iret behave differently in user mode
  - except for v8086
- virtualize x86 without vmx/svm
  - idea: modify the guest code to avoid the 17 instructions
  - binary translation (e.g., VMware)
    - goal: replace the 17 instructions with trapping ones (e.g., int $3)
    - challenge: how to do this efficiently
  - paravirtualization (e.g., Xen)
    - originally from the Denali isolation kernel (OSDI 2002)
    - replace the 17 instructions in guest kernels with hypercalls
- vmx/svm extensions: virtualizable
  - root/non-goot mode for existing rings
  - key data structure: VMCS/VMCB (control & state)
    - pros/cons for the CPU to mandate the data structure
    - what about processes/enclaves?
  - CPU: either trap or duplicate state
  - memory: EPT/NPT
    - figure 2 of the dune paper is simplied
    - see two-dimensional page walk
    - page faults vs EPT faults: both can go to either guest or host depending on configuration
  - I/O devices
  - transitions
    - VM entry: host to guest
    - VM exit: guest to host
    - hypercalls: VMCALL/VMMCALL cause VM exits
    - overhead: 4000 (older)–500(newer) cycles (syscalls: 60-70 cycles)
    - guess why the overhead and how Intel/AMD might improve
  - draw KVM workflow, discuss overhead
- nested virtualization
- other designs: ARM (EL2), RISC-V (used to have H-mode, now closer to x86)
Dune’s goal
- talk
- process absraction for privileged instructions
  - sharing
  - performance
- Dune process mode
  - ring 0, non-root
  - use hypercalls as syscalls
  - performance pros: extra bits on the page table (e.g., hw dirty bits), fast exception-handling path
  - performance cons: hypercalls, VM exits, EPT overhead
  - what kinds of applications beneift from this?
applications
- exception handling
  - traditional flow
  - CPU delivers page faults to a Dune process directly
  - no context swithces: handle page faults in the process
- sandbox
  - syscall filtering
  - compare to chroot/seccomp
- garbage collection
  - use dirty bits to track if memory has been touched
  - better page table management & TLB control
discussions
- what’s the correctness/safety of Dune (or hypervisor in general)
- write a separate OS within Linux (not in this paper)
- how to implement fast communication between two Dune processes
- generality