A Featherweight Virtual Machine for Windows Applications - PowerPoint PPT Presentation

Title: A Featherweight Virtual Machine for Windows Applications


1
A Feather-weight Virtual Machine for Windows Applications
  • Speaker: Susanta Nanda
  • Other Co-authors: Yang Yu, Fanglu Guo, Lap-chung Lam, Tzi-cker Chiueh
  • Computer Science Department
  • SUNY at Stony Brook

VEE06
2
VM as a Playground
  • Try out new applications
  • Realistic environment similar/identical to the
    host
  • Isolated Execution
  • Malicious code
  • Environment modifications: configuration, libraries ...
  • Possibly commit the installation to the host
    system if the application is found OK
  • Essential Building block for Fault/Intrusion
    Tolerant Systems

3
Virtualization Approaches to support Playground machines
  • Hardware virtualization
      • Cumbersome to initialize a VM with current host environment while maintaining isolation
      • Committing modifications is tough as the information available is too low-level
  • Application Virtualization
      • Does not virtualize all system components, e.g. network interface, kernel objects, GUI components
      • IPC confinement is not good enough
  • OS-level Virtualization suits better

4
Feather-weight Virtual Machine
  • Goals
      • Fast cloning of the host environment
      • One-way isolation
      • Low overhead
      • Windows Platform
  • Approach: OS-level virtualization on Windows
      • Namespace virtualization at the system call level
      • Resource sharing: file system, OS kernel, registry, ...
      • Copy on Write to isolate modifications
      • IPC confinement: semaphore, mutant, event, window message, ...

5
FVM Approach
[Diagram labels, in slide order: VM1 Apps, VMn Apps, Host Apps; Virtualization Layer; OS Executive; OS Kernel; Device Drivers; Hardware]
6
Similar Systems
  • Unix-like OS
      • FreeBSD Jail, Linux VServer, Solaris Containers, Virtuozzo, Trigence AE, Meiosys, MobiDesk, Alcatraz
  • Windows OS
      • Virtuozzo, PDS, Softricity, AppStream, Thinstall, GreenBorder, ...

7
Main Challenges for FVM
  • Too many different types of namespaces
      • Files, registries, objects, mailslots, named pipes, IP address, desktop (container for windows), ...
  • Sophisticated IPC mechanisms
      • kernel objects: events, sections, port (LPCs), ...
      • window messages
  • Service (daemon) management
  • Virtualizing desktop applications
  • GUI applications
  • Network server applications

8
FVM Components
  • File Virtualization
      • Prefix VM id to the path
      • Copy on Write on the VM-specific root directory
      • Virtualize device files: mailslots, named pipes, etc.
      • Enumeration: merge directory entries (private and host)
      • Log deleted/renamed files
  • Registry
      • Similar to file
      • Copy keys and values of first-level children to avoid complicated merge for enumeration (lookup by index)
  • Object
      • mutex, event, semaphore, timer, shared memory, ports, ...
      • Global objects (created by system daemons) not virtualized

9
FVM Components (contd.)
  • Desktop Virtualization
      • Window messages
      • Window visibility
  • Services (Daemons)
      • Service control manager
      • Service database
  • Network interface
      • IP aliasing
      • Bind(): Transparently replace IP address within a VM by its own IP address

10
FVM Virtualization Layer
[Diagram labels, in slide order: Host application, VM application, VM application; FVM virtualization layer (user mode): Network address, Daemon (service), Window management; System Libraries; user mode / kernel mode boundary; FVM virtualization layer (kernel mode): File I/O, Process/Thread, Sync Object, Registry DB; Windows NT Executive]

11
VM state
  • VM id
  • Private root file system
  • Private root registry
  • Private root object directory
  • Delete/rename log: file, registry
  • Policy: resource quota, network access, directory filter
  • IP address (optional)

12
A VM Container
[Diagram labels: VM policy; Proc-1, Proc-2, Proc-3; read access; write access; VM IP address; Delete/Rename Log; Δ-File, Δ-Registry, Δ-Object (created and modified)]
  • Dir command: Δ-File ∪ (Host.File) - DeleteLog
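
The file virtualization rules on slide 8 and the Dir rule on slide 12, as an added Python model that is not FVM's own code. FVM applies these rules at the Windows system call level; this sketch uses in-memory dictionaries, and the `/fvm/<vm id>` root layout and every class and method name are assumptions.

```python
class FvmFileView:
    """Toy model of one VM's file namespace; paths are plain strings."""

    def __init__(self, vm_id, host_files):
        self.root = "/fvm/" + vm_id   # assumed layout of the VM-specific root
        self.host = host_files        # shared host namespace: path -> bytes
        self.private = {}             # copy-on-write copies under self.root
        self.delete_log = set()       # host paths deleted inside the VM

    def _host_visible(self, path):
        return path in self.host and path not in self.delete_log

    def read(self, path):
        key = self.root + path        # "prefix VM id to the path"
        if key in self.private:       # a private copy shadows the host file
            return self.private[key]
        if self._host_visible(path):  # unmodified files are shared, not copied
            return self.host[path]
        raise FileNotFoundError(path)

    def append(self, path, data):
        key = self.root + path
        if key not in self.private:   # first write: copy the host file, if any
            self.private[key] = self.host[path] if self._host_visible(path) else b""
        self.private[key] += data     # the host copy is never modified

    def delete(self, path):
        had_private = self.private.pop(self.root + path, None) is not None
        if self._host_visible(path):
            self.delete_log.add(path) # hide the host file instead of removing it
        elif not had_private:
            raise FileNotFoundError(path)

    def listdir(self, directory):
        # Enumeration: private entries U (host entries - delete log).
        prefix = directory.rstrip("/") + "/"
        def names(paths):
            return {p[len(prefix):].split("/")[0] for p in paths if p.startswith(prefix)}
        private = names(k[len(self.root):] for k in self.private)
        host = names(p for p in self.host if p not in self.delete_log)
        return sorted(private | host)

def demo():
    host = {"/app/a.ini": b"host-a", "/app/b.dll": b"host-b"}  # constructed sample
    vm = FvmFileView("vm1", host)
    vm.append("/app/a.ini", b"+vm")   # copy on write
    vm.delete("/app/b.dll")           # recorded in the delete log
    vm.append("/app/new.exe", b"x")   # exists only inside the VM
    host["/app/c.txt"] = b"later"     # host-side change made after VM creation
    return vm, host
```

After `demo()`, the host dictionary still holds the original `a.ini` and `b.dll`, while the VM sees its own `a.ini`, no `b.dll`, and the host's later `c.txt`: the one-way isolation named on slide 4.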

13
VM operations
  • CreateVM/DeleteVM
  • CopyVM, ConfigureVM
  • StartVM/StopVM
  • SuspendVM/ResumeVM
      • Suspends threads, zeroes working set size, application windows are made invisible
  • CommitVM
      • Overwrite host state with a stopped VM's state
      • Selective and automatic commit
      • Analyze side effects before committing
      • Suspicious updates warning

14
Evaluation
  • Effectiveness
      • Multiple application instances
      • Updates isolation: file and registry
      • Small overhead: VM creation, disk space
  • Limitations
      • Sharing through kernel
      • User-space boot components sharing
      • Easy to distinguish real from virtual

15
Performance: System Call Overhead

16
Performance: CoW Overhead

17
Performance: Relative Comparison

18
Applications
  • Secure mobile code execution
  • Vulnerable network applications
      • Web browsers, Email clients, ...
  • Study vulnerability in applications
  • Automatic Sandboxing
      • Committed files are marked and invoked inside VMs

19
Conclusion
  • A light-weight OS-level virtualization on Windows
  • Small overhead/resource requirement
  • Fast cloning of host environment
  • Synchronization between VM and host
  • State isolation
  • Applications
      • intrusion tolerance, application streaming

20
A Feather-weight Virtual Machine for Windows Applications
  • Thank You