Numerous systems have been designed which use virtualization to subdivide the ample resources of a modern computer. Some require specialized hardware, or cannot support commodity operating systems. Some target 100 % binary compatibility at the expense of performance. Others sacrifice security or functionality for speed. Few offer resource isolation or performance guarantees; most provide only best-effort provisioning, risking denial of service. This paper presents Xen, an x86 virtual machine monitor which allows multiple commodity operating systems to share conventional hardware in a safe and resource managed fashion, but without sacrificing either performance or functionality. This is achieved by providing an idealized virtual machine abstraction to which operating systems such as Linux, BSD and Windows XP, can be ported with minimal effort. Our design is targeted at hosting up to 100 virtual machine instances simultaneously on a modern server. The virtualization approach taken by Xen is extremely efficient: we allow operating systems such as Linux and Windows XP to be hosted simultaneously for a negligible performance overhead — at most a few percent compared with the unvirtualized case. We considerably outperform competing commercial and freely available solutions in a range of microbenchmarks and system-wide tests.

Rights to individual papers remain with the author or the author's employer. Permission is granted for noncommercial reproduction of the work for educational or research purposes. This copyright notice must be included in the reproduced paper. USENIX acknowledges all trademarks herein.

The goal of Denali is to safely execute many independent, untrusted server applications on a single physical machine. This would enable any developer to inject a new service into third-party Internet infrastructure; for example, dynamic content generation code could be introduced into content-delivery networks or caching systems. We believe that virtual machine monitors (VMMs) are ideally suited to this application domain. A VMM provides strong isolation by default, since one virtual machine cannot directly name a resource in another. In addition, VMMs defer the implementation of high-level abstractions to guest OSs, which greatly simplifies the kernel and avoids "layer-below" attacks. The main challenge in using a VMM for this application domain is in scaling the number of concurrent virtual machines that can simultaneously execute on it.

Malware analysis is the process of determining the purpose and functionality of a given malware sample (such as a virus, worm, or Trojan horse). This process is a necessary step to be able to develop effective detection techniques for malicious code. In addition, it is an important prerequisite for the development of removal tools that can thoroughly delete malware from an infected machine. Traditionally, malware analysis has been a manual process that is tedious and time-intensive. Unfortunately, the number of samples that need to be analyzed by security vendors on a daily basis is constantly increasing. This clearly reveals the need for tools that automate and simplify parts of the analysis process. In this paper, we present...

Maintenance is the dominant source of downtime at high availability sites. Unfortunately, the dominant mechanism for reducing this downtime, cluster rolling upgrade, has two shortcomings that have prevented its broad acceptance. First, cluster-style maintenance over many nodes is typically performed a few nodes at a time, making maintenance slow and often impractical. Second, cluster-style maintenance does not work on single-node systems, despite the fact that their unavailability during maintenance can be painful for organizations. In this paper, we propose a novel technique for online maintenance that uses virtual machines to provide maintenance on single nodes, allowing parallel maintenance over multiple nodes, and online maintenance for standalone servers. We present the Microvisor, our prototype virtual machine system that is custom tailored to the needs of online maintenance. Unlike general purpose

Virtual machine monitors (VMMs) have enjoyed a resurgence in popularity, since VMMs can help to solve di#cult systems problems like migration, fault tolerance, code sandboxing, intrusion detection, and debugging. Recently, several researchers have proposed novel applications of virtual machine technology, such as Internet Suspend/Resume [25, 31] and transparent OS-level rollback and replay [13]. Unfortunately, current VMMs do not export enough functionality to budding developers of such applications, forcing them either to reverse engineer pieces of a black-box VMM, or to reimplement significant portions of a VMM. In this paper,

The monitoring of virtual machines has many applications in areas such as security and systems management. A monitoring technique known as introspection has received significant discussion in the research literature, but these prior works have focused on the applications of introspection rather than how to properly build a monitoring architecture. In this paper we propose a set of requirements that should guide the development of virtual machine monitoring solutions. To illustrate the viability of these requirements, we describe the design of XenAccess, a monitoring library for operating systems running on Xen. XenAccess incorporates virtual memory introspection and virtual disk monitoring capabilities, allowing monitor applications to safely and efficiently access the memory state and disk activity of a target operating system. XenAccess’ efficiency and functionality are illustrated through a series of performance tests and practical examples.

(NGSCB). The system provides high assurance computing in a manner consistent with the commercial requirements of mass market systems. This poses a number of challenges and we describe the system architecture we have used to overcome them. We pay particular attention to reducing the trusted computing base to a small and manageable size. This includes operating the system without trusting the BIOS, most devices and device drivers and the bulk of the code of mass market operating systems. Furthermore, we seek to strengthen access control and network authentication in mass market systems by authenticating executable code at all system layers. We have implemented a prototype of the system and expect the full system to be mass deployed. 1

Abstract Recent work on applications ranging from realistic hon-eypots to stealthier rootkits has speculated about building transparent VMMs- VMMs that are indistinguishablefrom native hardware, even to a dedicated adversary. We survey anomalies between real and virtual hardware andconsider methods for detecting such anomalies, as well as possible countermeasures. We conclude that build-ing a transparent VMM is fundamentally infeasible, as well as impractical from a performance and engineeringstandpoint.

With the increasB us of "Virtual Machines (VMs as vehicles thatist.O1 applications running on the se. hos: it is neces sce to devis techniques that enable multipleVMs tos hare underlying resP---P.B both fairly and e#ciently.To that end, one common approach is to deploy complexresex.0 management techniques in the hos0PO infras.B11---5P.ss55.s0P , inthis paper, we advocate the us ofs5O1:---.B1:---0:. in theVMs themsem es bas- on feedback about resPR:P us05 and availability. ConsRR0. tly, we define a "Friendly" VM (FVM) to be a virtual machine that adjus--- its demand forsr.05 res5101.B s o that they are both e#ciently and fairly allocated to competing FVMs.0[ h properties areens222 us5[ one of many provably convergent control rules s uch as AIMD.By adoptingthis dis tributed application-bas--- approach to res50P2 management, itis not necesR.B to makeasP0:.B:2--- about the underlying resderly nor about the requirements of FVMs competing for thes resR---.B::--- odemonsB::--- the elegance ands implicity of our approach, wepres[ t a prototype implementation of our FVM framework inUs50O[ de Linux (UML)---an implementation thatcons[0O ofles than 500lines of code changes to UML.Wepres5 t an analytic, control-theoretic model of FVM adaptation, which es------:.B0R5 convergence andfairnes propertiesRR2. B properties areals backed up with experimental res0[R usR0 our prototype FVM implementation. 1.