CVF Client Virtualization Framework
Ze’ev Maor
February 2009
What is it?
A software platform designed for the development, distribution and execution of virtualization-based solutions.
In a nutshell
Diagram of the stack, bottom to top: Hardware; Hypervisor; Virtualization Framework (CVF, marked "We are here"); Developer in VM (DomU).
Motivation
• Endpoint virtualization is here to stay
• Unified platform
• New paradigm requires new framework
• Software vendor doesn't have to be a virtualization vendor
Design principles
• Generic – hypervisor agnostic
• Robust – a VM can only crash itself
• Security/isolation – configurable from full sharing to full isolation
• Modular – supports 3rd-party plug-ins
CVF system overview
Diagram of the CVF architecture, with the labels as they appear on the slide:
• Hypervisor, with CVF on top of it
• VM API, exposed by CVF to the VMs
• CVF services: VM mgmt, Inter-VM communication, Resource mgmt, UI services, Device manager, Disk layout, Networking mgmt
• End-user interface machine – UIM (e.g. Windows as HVM)
• Channels: CVF calls/data channel; secured inter-VM communication
Use case demo
Isolated Anti-Virus
The challenge:
Conventional antivirus
• Runs as a process inside Windows
• Can't be completely isolated from other processes in Windows
• Vulnerable to infection by viruses and malware
• Vulnerable to denial-of-service attacks against its updates
The solution:
CVF-powered antivirus
• Runs in a separate VM side-by-side with Windows
• Completely isolated from Windows: shares no process or kernel space with the Windows guest
• Not affected by viruses infecting Windows; the only path from Windows to the AV VM is the firewalled, sanitised inter-VM channel
• Has dedicated networking for updates
Developer APIs
3/1/09 10
APIs – VM management
• VM creation
• VM deployment (VHD, VMDK, OVF)
• Signature verification
• VM start/stop/pause/resume
• Query VM status
• VM state triggers (date/time, network, key sequence etc.)
• VM upgrades
VM deployment
Delivery paths: IT "push", Internet download, distributed media installation.
Deployment steps:
• Retrieval into either a local dir under the UIM partition or a dedicated CVF master partition
• Certification – checksum, signature verification
• Execute the VM-supplied "deployment script" (uses the CVF VM mgmt API)
Endpoint hard-drive layouts shown on the slide:
• Legacy P2V installation: UIM native fs (NTFS), VMs deployed under C:\VMs
• Dedicated "CVF" installation: UIM native fs (NTFS) plus a CVF partition
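The certification step above (checksum, then signature verification, then running the VM-supplied deployment script) is the point at which a tampered or unsigned package must be stopped. The following Go program is an added example and not CVF code: it assumes a package layout of files plus a manifest of SHA-256 digests that the vendor signs with an Ed25519 key (the slide does not say which algorithms or file formats CVF uses), and the file names, the deploy.sh script name and the sample contents are constructed. The endpoint verifies the manifest signature before trusting any digest, checks every listed file, rejects file names that could escape the target directory (C:\VMs or the CVF partition), and refuses a package whose signed manifest does not cover the deployment script, since that script runs with VM-management rights.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// DeployScript is the assumed name of the VM-supplied deployment script.
const DeployScript = "deploy.sh"

// VMPackage is an assumed layout (not CVF's format): files by name, a manifest
// of "sha256hex  name" lines, and an Ed25519 signature over the manifest bytes.
type VMPackage struct {
	Files     map[string][]byte
	Manifest  []byte
	Signature []byte
}

// BuildManifest hashes every file in sorted name order, so the manifest (and
// therefore the vendor's signature over it) is deterministic.
func BuildManifest(files map[string][]byte) []byte {
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names)
	var b strings.Builder
	for _, n := range names {
		sum := sha256.Sum256(files[n])
		fmt.Fprintf(&b, "%s  %s\n", hex.EncodeToString(sum[:]), n)
	}
	return []byte(b.String())
}

// SignPackage is the vendor side: build the manifest and sign it.
func SignPackage(priv ed25519.PrivateKey, files map[string][]byte) VMPackage {
	m := BuildManifest(files)
	return VMPackage{Files: files, Manifest: m, Signature: ed25519.Sign(priv, m)}
}

// Certify is the endpoint side. The signature is verified before any checksum
// is trusted; every listed file must be present and match; names must not
// escape the target directory; and the deployment script must itself be listed.
func Certify(pub ed25519.PublicKey, p VMPackage) error {
	if !ed25519.Verify(pub, p.Manifest, p.Signature) {
		return fmt.Errorf("manifest signature invalid")
	}
	listed := map[string]bool{}
	for _, ln := range strings.Split(strings.TrimSpace(string(p.Manifest)), "\n") {
		parts := strings.SplitN(ln, "  ", 2)
		if len(parts) != 2 {
			return fmt.Errorf("malformed manifest line %q", ln)
		}
		want, err := hex.DecodeString(parts[0])
		if err != nil || len(want) != sha256.Size {
			return fmt.Errorf("bad digest on line %q", ln)
		}
		name := parts[1]
		if name == "" || name == "." || name == ".." || strings.ContainsAny(name, `/\`) {
			return fmt.Errorf("unsafe file name %q", name)
		}
		data, ok := p.Files[name]
		if !ok {
			return fmt.Errorf("file %q listed in manifest but missing", name)
		}
		if got := sha256.Sum256(data); !bytes.Equal(got[:], want) {
			return fmt.Errorf("checksum mismatch for %q", name)
		}
		listed[name] = true
	}
	if !listed[DeployScript] {
		return fmt.Errorf("%s is not covered by the signed manifest", DeployScript)
	}
	return nil
}

// SampleFiles is a constructed package: disk image, VM config, deployment script.
func SampleFiles() map[string][]byte {
	return map[string][]byte{
		"av.vhd":     []byte("constructed disk image bytes"),
		"vm.xml":     []byte("<vm><hostname>av-vm</hostname></vm>"),
		DeployScript: []byte("cvf vm create --config vm.xml --disk av.vhd"),
	}
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	pkg := SignPackage(priv, SampleFiles())
	fmt.Println("genuine package:", Certify(pub, pkg)) // <nil>: safe to run deploy.sh
	pkg.Files["av.vhd"] = []byte("trojaned image")      // tampered after signing
	fmt.Println("tampered image:", Certify(pub, pkg))
}
```

The order of checks is the design point: a checksum list is only as good as the signature over it, so the signature is verified first and the manifest is parsed only afterwards; and the deployment script is treated as the most sensitive file in the package because it drives the VM management API.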
APIs – Inter-VM communication
• Cross-VM, bi-directional messaging service
• Security features:
  • Firewall
  • Arguments/payload sanitation
  • Payload signing
APIs – UI integration services
• Full screen view/switching
• "Synergy View"
• Desktop fusion
APIs – Disk layout
Diagram: the CVF disk layout manager sits between the physical block devices (physical partitions, NTFS) and the virtual block devices/partitions it hands to VMs (NTFS, Ext2, Ext3, Fat32).
APIs:
• Get free space
• Enumerate disks
• Allocate disk space
• Set disk as persistent/volatile
• Snapshots
APIs – Networking services
• VM is assigned an IP by DHCP upon boot
• VM provides its host name as part of its VM XML configuration file
• Control domain (Dom0) runs the DHCP and DNS servers
• Default topology is NAT
• In network PT mode, all traffic to the external network is routed through the primary VM
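Because each VM's hostname comes from a file the VM ships, and Dom0's DNS then serves that name to every other VM, the networking service has to treat the hostname as untrusted input. The Go program below is an added example, not CVF code; the XML element names, the reserved-name list and the dnsmasq output format are assumptions, and the sample configs are constructed. It parses a VM config, insists on a single lowercase RFC 1123 label (so a VM cannot register a name such as updates.vendor.example and answer another VM's update lookups through the shared resolver), rejects reserved and duplicate names, validates the MAC, and emits a dnsmasq dhcp-host reservation for Dom0.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"regexp"
	"strings"
)

// vmConfig is an assumed shape for the per-VM XML configuration file the slide
// mentions; only the fields the networking service needs are modelled.
type vmConfig struct {
	XMLName  xml.Name `xml:"vm"`
	Name     string   `xml:"name"`
	Hostname string   `xml:"hostname"`
	MAC      string   `xml:"network>mac"`
}

var (
	hostLabel = regexp.MustCompile(`^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$`)
	macAddr   = regexp.MustCompile(`^([0-9a-f]{2}:){5}[0-9a-f]{2}$`)
	// Names no VM may claim because other VMs resolve them through Dom0's DNS
	// (assumed list: the control domain, its gateway, and the AV update mirror).
	reserved = map[string]bool{"dom0": true, "gateway": true, "updates": true}
)

// Registry remembers which VM owns each hostname, so a later VM cannot shadow
// an earlier one in the DNS namespace that all VMs share.
type Registry struct{ owner map[string]string }

func NewRegistry() *Registry { return &Registry{owner: map[string]string{}} }

// Register parses a VM's XML config and returns the dnsmasq dhcp-host line for
// Dom0, or an error if the VM-supplied hostname or MAC is unsafe to serve.
func (r *Registry) Register(xmlConfig []byte) (string, error) {
	var c vmConfig
	if err := xml.Unmarshal(xmlConfig, &c); err != nil {
		return "", fmt.Errorf("config: %w", err)
	}
	host := strings.ToLower(strings.TrimSpace(c.Hostname))
	mac := strings.ToLower(strings.TrimSpace(c.MAC))
	switch {
	case !hostLabel.MatchString(host):
		return "", fmt.Errorf("vm %q: hostname %q is not a single RFC 1123 label", c.Name, c.Hostname)
	case reserved[host]:
		return "", fmt.Errorf("vm %q: hostname %q is reserved", c.Name, host)
	case !macAddr.MatchString(mac):
		return "", fmt.Errorf("vm %q: bad MAC %q", c.Name, c.MAC)
	case r.owner[host] != "" && r.owner[host] != c.Name:
		return "", fmt.Errorf("vm %q: hostname %q already belongs to vm %q", c.Name, host, r.owner[host])
	}
	r.owner[host] = c.Name
	// dnsmasq syntax: dhcp-host=<mac>,<name> gives the VM a fixed DHCP
	// reservation and DNS name keyed on its MAC.
	return fmt.Sprintf("dhcp-host=%s,%s", mac, host), nil
}

func main() {
	r := NewRegistry()
	for _, cfg := range []string{ // constructed sample configs
		`<vm><name>av</name><hostname>av-vm</hostname><network><mac>00:16:3e:00:00:01</mac></network></vm>`,
		`<vm><name>x</name><hostname>updates.vendor.example</hostname><network><mac>00:16:3e:00:00:02</mac></network></vm>`,
		`<vm><name>y</name><hostname>av-vm</hostname><network><mac>00:16:3e:00:00:03</mac></network></vm>`,
	} {
		line, err := r.Register([]byte(cfg))
		fmt.Printf("%-38s err=%v\n", line, err)
	}
}
```

Rejecting dotted names is the important check: with a single shared resolver in Dom0, any VM that could register a fully qualified name would be able to impersonate an external host for every other VM on the NAT segment, including the AV VM's update server.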
APIs – Device Manager
Currently supporting USB devices and optical drives
APIs:
• Enumeration
• Assign/unassign to VM
• Query (is_device_free/connected etc.)
• Connect/disconnect notifications
APIs – Trusted Computing
Provides virtual TPM capabilities to trusted VMs:
• Quoting PCR values
• Signing payloads
• Sealing payloads
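Quoting and sealing are the two vTPM operations whose security rests on the PCRs being extend-only. The Go program below is an added example, not CVF's vTPM: it models PCRs with SHA-256 extends, uses an Ed25519 key in place of a TPM attestation identity key, and seals with AES-GCM under a key derived from a storage secret and the selected PCR values (a real TPM's data structures and algorithms differ, and the measurements are constructed). A quote binds the PCR composite to a verifier-chosen nonce so an old quote cannot be replayed, and a sealed blob only opens while the PCRs still hold the values it was sealed to, which is what lets a trusted VM keep, say, an update key that a modified boot chain cannot recover.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// VTPM is a toy virtual TPM (an assumed model, not CVF's implementation): PCRs
// that can only be extended, a storage secret for sealing, and an Ed25519 key
// standing in for the TPM's attestation identity key (AIK).
type VTPM struct {
	pcr    [8][32]byte
	srk    []byte
	aik    ed25519.PrivateKey
	AIKPub ed25519.PublicKey
}

func NewVTPM() *VTPM {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	srk := make([]byte, 32)
	rand.Read(srk)
	return &VTPM{srk: srk, aik: priv, AIKPub: pub}
}

// Extend is the only way to change a PCR: PCR[i] = SHA256(PCR[i] || measurement).
func (t *VTPM) Extend(i int, measurement []byte) {
	h := sha256.New()
	h.Write(t.pcr[i][:])
	h.Write(measurement)
	copy(t.pcr[i][:], h.Sum(nil))
}

// Composite folds the selected PCRs (with their indexes) into the one value
// that quotes and seals bind to.
func (t *VTPM) Composite(sel []int) [32]byte {
	h := sha256.New()
	for _, i := range sel {
		h.Write([]byte{byte(i)})
		h.Write(t.pcr[i][:])
	}
	var c [32]byte
	copy(c[:], h.Sum(nil))
	return c
}

// Quote is the AIK signature over composite||nonce; the verifier-chosen nonce
// is what stops an old quote from being replayed.
type Quote struct {
	Composite [32]byte
	Sig       []byte
}

func (t *VTPM) Quote(sel []int, nonce []byte) Quote {
	c := t.Composite(sel)
	return Quote{c, ed25519.Sign(t.aik, append(c[:], nonce...))}
}

// VerifyQuote checks the signature against the nonce the verifier itself sent
// and that the reported PCR state equals the golden measurement.
func VerifyQuote(pub ed25519.PublicKey, q Quote, nonce []byte, golden [32]byte) error {
	if !ed25519.Verify(pub, append(q.Composite[:], nonce...), q.Sig) {
		return errors.New("quote signature invalid or nonce mismatch")
	}
	if q.Composite != golden {
		return errors.New("PCR values differ from golden measurement")
	}
	return nil
}

// sealKey derives the wrapping key from the storage secret and the PCR state
// as it is now, so the key only exists while the PCRs hold the sealed-to values.
func (t *VTPM) sealKey(sel []int) cipher.AEAD {
	c := t.Composite(sel)
	k := sha256.Sum256(append(append([]byte{}, t.srk...), c[:]...))
	block, _ := aes.NewCipher(k[:])
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// Seal encrypts payload to the current values of the selected PCRs.
func (t *VTPM) Seal(sel []int, payload []byte) []byte {
	gcm := t.sealKey(sel)
	iv := make([]byte, gcm.NonceSize())
	rand.Read(iv)
	return gcm.Seal(iv, iv, payload, nil)
}

// Unseal recomputes the key from the PCRs as they are now; if a selected PCR
// was extended since Seal, GCM authentication fails and nothing is released.
func (t *VTPM) Unseal(sel []int, blob []byte) ([]byte, error) {
	gcm, n := t.sealKey(sel), 0
	if n = gcm.NonceSize(); len(blob) < n { return nil, errors.New("blob too short") }
	return gcm.Open(nil, blob[:n], blob[n:], nil)
}

func main() {
	t, sel := NewVTPM(), []int{0, 1}
	t.Extend(0, []byte("constructed bootloader measurement"))
	t.Extend(1, []byte("constructed kernel measurement"))
	golden, blob := t.Composite(sel), t.Seal(sel, []byte("AV update-channel key"))
	fmt.Println("quote:", VerifyQuote(t.AIKPub, t.Quote(sel, []byte("n1")), []byte("n1"), golden))
	t.Extend(1, []byte("unexpected kernel")) // boot state chang‌ed
	_, err := t.Unseal(sel, blob)
	fmt.Println("unseal after change:", err)
}
```

Two caveats carry over to a real vTPM: the verifier must generate a fresh nonce for every quote and compare the composite against a golden value it obtained out of band, and a sealed secret is only as safe as the PCR selection it is bound to, since a PCR that is not selected can change without affecting the unseal.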
VM Introspection
Purpose: allows an external component to inspect and control the OS running inside a VM.
Functionality:
• Enumerate processes
• Inspect process memory space
• Start/kill processes
• Inspect/control system calls
• Protect process memory space
CVF RPC mechanism
Diagram of a call crossing the trust boundary between a VM and Dom0:
VM side:
• User application makes a local call
• Marshalling/unmarshalling
• Transport: transmit -> wait -> receive
Dom0 side:
• Transport: receive/transmit (firewall)
• Marshalling/unmarshalling (sanitation)
• RPC dispatcher
A call packet crosses from the VM to Dom0 and a return packet comes back across the trust boundary.
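The RPC diagram above and the inter-VM communication API (firewall, argument/payload sanitation, payload signing) describe the same pipeline from two angles, so one example serves both. The Go program below is an added example and not CVF's implementation; it assumes a JSON call packet carrying an HMAC-SHA256 tag under a per-VM key, a per-VM firewall of permitted methods, and a per-method argument schema, and the method names vm.status and vm.start are invented for the demonstration. The points it makes concrete: the calling VM's identity is taken from the channel, never from the packet; the tag is verified before the body is parsed; a sequence number rejects replays (a caveat the slide does not mention); the firewall runs before sanitation; and sanitation is a per-method allowlist of count, length and character set rather than a blacklist.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"regexp"
)

// CallPacket is an assumed wire format (JSON body plus HMAC-SHA256 tag), not
// CVF's own. The caller's identity is deliberately not a field: Dom0 takes it
// from the channel the packet arrived on, so a VM cannot claim to be another.
type CallPacket struct {
	Method string   `json:"method"`
	Args   []string `json:"args"`
	Seq    uint64   `json:"seq"` // strictly increasing per VM; defeats replay
}
type ReturnPacket struct{ Result, Error string }

func mac(key, body []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(body)
	return m.Sum(nil)
}

// Marshal is the VM-side stub: serialize, then sign with the per-VM key that
// Dom0 is assumed to hand the VM at creation time.
func Marshal(key []byte, p CallPacket) (body, tag []byte) {
	body, _ = json.Marshal(p) // cannot fail for this struct
	return body, mac(key, body)
}

// Per-method argument sanitation schema, enforced in Dom0 after the firewall.
type argRule struct {
	nargs, maxLen int
	allow         *regexp.Regexp
}
var ident = regexp.MustCompile(`^[A-Za-z0-9_-]+$`)
var schema = map[string]argRule{"vm.status": {1, 32, ident}, "vm.start": {1, 32, ident}}

// Dispatcher is Dom0's side; firewall[vm] lists the methods that VM may call.
type Dispatcher struct {
	keys     map[string][]byte
	firewall map[string]map[string]bool
	lastSeq  map[string]uint64
	status   map[string]string // toy backend for vm.status
}

func NewDispatcher() *Dispatcher {
	return &Dispatcher{
		keys:     map[string][]byte{"av-vm": []byte("constructed-key-av")},
		firewall: map[string]map[string]bool{"av-vm": {"vm.status": true}},
		lastSeq:  map[string]uint64{},
		status:   map[string]string{"windows-uim": "running", "av-vm": "running"},
	}
}

// Handle is the Dom0 pipeline: channel identity -> signature -> parse -> replay
// check -> firewall -> argument sanitation -> dispatch. Nothing is parsed until
// the signature has been verified.
func (d *Dispatcher) Handle(fromVM string, body, tag []byte) ReturnPacket {
	key, ok := d.keys[fromVM]
	if !ok {
		return ReturnPacket{Error: "unknown channel"}
	}
	if !hmac.Equal(mac(key, body), tag) {
		return ReturnPacket{Error: "bad signature"}
	}
	var p CallPacket
	if json.Unmarshal(body, &p) != nil {
		return ReturnPacket{Error: "malformed packet"}
	}
	if p.Seq <= d.lastSeq[fromVM] {
		return ReturnPacket{Error: "replayed packet"}
	}
	d.lastSeq[fromVM] = p.Seq
	if !d.firewall[fromVM][p.Method] {
		return ReturnPacket{Error: "firewall: method not permitted"}
	}
	rule, ok := schema[p.Method]
	if !ok || len(p.Args) != rule.nargs {
		return ReturnPacket{Error: "sanitation: wrong argument count"}
	}
	for _, a := range p.Args {
		if len(a) > rule.maxLen || !rule.allow.MatchString(a) {
			return ReturnPacket{Error: "sanitation: bad argument"}
		}
	}
	return ReturnPacket{Result: d.status[p.Args[0]]} // only vm.status is wired up
}

func main() {
	d := NewDispatcher()
	for _, c := range []CallPacket{
		{"vm.status", []string{"windows-uim"}, 1},
		{"vm.status", []string{"windows-uim; rm -rf /"}, 2}, // fails sanitation
		{"vm.start", []string{"windows-uim"}, 3},            // blocked by firewall
	} {
		body, tag := Marshal(d.keys["av-vm"], c)
		fmt.Printf("%-9s -> %+v\n", c.Method, d.Handle("av-vm", body, tag))
	}
}
```

Keeping the firewall decision ahead of argument parsing matches the slide's ordering (firewall at the transport layer, sanitation at the marshalling layer) and means a VM that is not allowed to call a method never reaches that method's argument parser at all.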
Conclusion
• Anti-virus demo development time: 2 days
• About 150 lines of code overall
• Developer required no knowledge of virtualization technologies