Idle Speculations on Type 2 Hypervisors

Following Sun's purchase of Innotek - suppliers of the reasonably-fine VirtualBox Type 2 hypervisor - I've been thinking.

OK, so VirtualBox for OS X is still very much beta - shared folders don't work, and networking only works in NAT rather than Bridged mode - but it's still stable and full-featured enough for me to build a Solaris 10 Update 4 image on top of it, complete with Trusted Extensions. In short, "not bad at all" :-).

However, my thinking is taking me down an interesting line of reasoning. Our press release states that VirtualBox is primarily aimed at developers, so I can only hope and assume that one of the things we are going to do with it shortly in terms of enhancements, now we've acquired it, is thoroughly enhance and decorate it with DTrace probes and providers.

Here's where things potentially get fun - although I must first add that all my musings in this regard are currently hypothetical.

Consider a system running Solaris 10, or OS X, as a host OS.

Now run VirtualBox, on top of it.

Now run another DTrace-enabled OS, such as Solaris or OS X (again), in a VirtualBox as a guest OS.

Depending on the degree of complexity involved in VirtualBox, particularly regarding its memory management, I wonder whether it might be possible to DTrace activity in the guest OS from the host OS, potentially without the host OS knowing about it. Being able to do this could have both good and bad repercussions:

The Good:

  • If, from the host OS, you could trap a guest OS' calls to fork() and exec(), you could potentially do Validated Execution for an OS at the hypervisor level, rather than within the OS itself. This not only potentially gives you much greater security - even root on a guest OS can't turn validated execution off - but it means that validated execution could potentially be made OS-heterogeneous.
  • You could use DTrace to supplant Solaris Audit, gathering audit information about OS activities at the hypervisor level, where nothing which happens at the OS level can touch it.
  • It would make for a great kernel-level debugging tool, where you might not necessarily want (or be able) to use DTrace within the OS itself.

The Bad:
  • All of a sudden, "Satan's Computer" becomes real. If you're root on the guest OS, you can still have All Manner of Strange Things happen in your environment, if your hypervisor is pwned, and there's nothing you can do about it. For example, if you take a look at Jon Haslam's posting on how DTrace can be used to read an environment variable for an arbitrary process, consider what DTrace might be able to do, in terms of changing the value of an environment variable, under the feet of the application. If you can make such a change without the app crashing, and such that it notices the new value, Life Gets Interesting.

Food for thought. Don't get me wrong, I'm not saying DTrace is bad - far from it - but certain OS-intrinsic capabilities can be considered sufficiently double-edged that the ability to use them at given levels in a virtualised environment must be very carefully controlled...
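A concrete version of the validated-execution and audit ideas above, as an added example that is not from the original post: a D script DTrace runs on a single Solaris system today. The host-into-guest probes the post imagines do not exist, so the allow-list directories and the stop-on-mismatch policy are my assumptions, not anything VirtualBox or DTrace ships.

```d
#!/usr/sbin/dtrace -s
/* Added example, not from the original post: audit fork()/exec() and
 * stop unvalidated images on one Solaris system; allow-list is assumed. */
#pragma D option quiet
#pragma D option destructive    /* required for stop() */

/* fork(): proc:::create fires in the parent with the child's psinfo. */
proc:::create
{
    printf("%Y fork pid=%d uid=%d -> child pid=%d\n",
        walltimestamp, pid, uid, args[0]->pr_pid);
}

/* exec-success carries no arguments, so record the requested path here. */
proc:::exec
{
    self->path = args[0];
    self->pending = 1;
}

/* Audit trail: every successful exec with the path recorded above. */
proc:::exec-success
/self->pending/
{
    printf("%Y exec pid=%d ppid=%d uid=%d path=%s\n",
        walltimestamp, pid, ppid, uid, self->path);
}

/* Validation: freeze any process whose new image is outside the allow-list
 * so an operator can inspect it, then prun(1) it or kill it. */
proc:::exec-success
/self->pending && dirname(self->path) != "/usr/bin" &&
 dirname(self->path) != "/usr/sbin" && dirname(self->path) != "/sbin"/
{
    printf("%Y NOT VALIDATED pid=%d uid=%d path=%s -> stopped\n",
        walltimestamp, pid, uid, self->path);
    @unvalidated[self->path] = count();    /* printed when dtrace exits */
    stop();
}

/* Clear per-thread state whether the exec succeeded or failed. */
proc:::exec-success, proc:::exec-failure
{
    self->path = 0;
    self->pending = 0;
}
```

Run as root; the destructive option is what lets stop() halt a process, and the same policy applied from a hypervisor-level provider is exactly what the guest's root could not switch off.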

About

davew
