Abstract: In this paper we develop a model which represents the addressing of resources by processes executing on a virtual machine. The model distinguishes two maps: the o-map which represents the map visible to the operating system software running on the virtual machine, and the f-map which is invisible to that software but which is manipulated by the virtual machine monitor running on the real machine. The o-map maps process names into resource names and the f-map maps virtual resource names into real resource names. Thus, a process running on a virtual machine addresses its resources under the composed map f o o. In recursive operation, f maps from one virtual machine level to another and we have f o f o ... o f o o.The model is used to describe and characterize previous virtual machine designs. We also introduce and illustrate a general approach for implementing virtual machines which follows directly from the model. This design, the Hardware Virtualizer, handles all process exceptions directly within the executing virtual machine without software intervention. All resource faults (VM-faults) generated by a virtual machine are directed to the appropriate virtual machine monitor without the knowledge of processes on the virtual machine (regardless of the level of recursion).

Abstract: Security is an important factor if the programs of independent and possibly malicious users are to coexist on the same computer system. In this paper we show that a combined virtual machine monitor/operating system (VMM/OS) approach to information system isolation provides substantially better software security than a conventional multiprogramming operating system approach. This added protection is derived from redundant security using independent mechanisms that are inherent in the design of most VMM/OS systems.

Abstract: In the early 1960's two major evolutionary steps were taken with regard to computing systems architecture. These were the emergence of I/O processors and the use of multiprogramming to improve resource utilization and overall performance. As a consequence of the first step computing systems became multiprocessor configurations where nonidentical processors could have access to the common main memory of the system. The second step resulted in several computational processes sharing a single processor on a time-multiplexed basis while vying for a common pool of resources.

Abstract: This paper summarizes the preliminary design of a computer system with a recursive, virtual machine architecture and gives a brief account of the considerations leading to that design . In this system, each process operates in its own address space, called its virtual memory, and can create other processes within its space and pass control to them. The newly create d processes can, recursively, create their own descendants without the knowledge or assistance of a supervisor. There is no “privileged” or “supervisor” state; protection is provided entirely by the virtual memory mechanism, and each interrupt is directed by hardware to the process designated to handle it. Virtual memories are segmented; moreover, paging is treated as a recursive application of segmentation and can occur at any level. The machine architecture encourages modular and hierarchical approaches to program design because of the high degree of protection afforded by the creation of new virtual memories at low cost.

Abstract: The architecture of the DEC PDP-10 prohibits using standard methods to construct a virtual PDP-10 on it. However, by simulating all executive-mode instructions and in rare cases user-mode instructions, a “hybrid” virtual machine may be constructed. Building on such a simulator and an operating system with hierarchical process relationships, the author has easily constructed a prototype virtual machine.

Abstract: This paper describes the techniques used to implement an efficient virtual machine facility within MTS for the IBM System/360 Model 67. The goals of the project were to support the IBM Operating System, including the Indexed Sequential Access Method and Teleprocessing capabilities, as a subsystem under MTS with a maximum teleprocessing degradation of 30% for OS/360 programs and complete protection between OS/360 and MTS. The first attempt, using channel program relocation similar to that employed by CP-67, provided unacceptable response to teleprocessing requests which required indexed accesses to the data base. The second attempt obviated the need for most software relocation of channel programs by assuring that the OS/360 buffer areas and channel programs were allocated to main storage having addresses identical to their virtual addresses. Storage protection was accomplished by a hardware change to the IBM System/360 protection mechanism which created a two-level hierarchy of storage keys. Using these techniques the virtual machine met the goals of the project. The techniques employed are applicable to virtual memory systems other than MTS and the IBM System/360 Model 67

Abstract: Our concern is the ability of the computing system to ensure that data under its control is accessed only in accordance with the explicit intention of the owner of the data, as expressed in the directory or access control table of the system.We intend to use VM/370 as the base system for a study of how the security of data may be compromised. Our goal for this study is to be better able to evaluate different types of hardware and software system architectures with regard to their ability to provide security.

Abstract: This paper discusses the design of a virtual memory mechanism for use as the first level of an operating system The virtual memory mechanism provides a virtual machine which retains many of the properties of the host computer system An implementation on the PDP-11/45 is briefly described

Abstract: The subjects of virtual machines and emulators have been treated as entirely separate. The purpose of this paper is to show that they have much in common. Not only do the usual implementations have many shared characteristics, but this commonality extends to the theoretical concepts on which they are based; the concepts of memory mapping and I/O operation simulation are discussed to emphasize this. The paper then discusses structural issues, and points out why the question of instruction set is becoming less valid as a point of distinction between the concepts. Possible combinations of virtual machines and emulators are discussed. In conclusion, it is recommended that workers in both fields keep the relationship between the two in mind.

Abstract: This paper is a brief summary of the impact that architecture extensions to hardware and software have upon the design and performance of software Hypervisors that are intended to provide the extended function in a virtual machine environment.

Abstract: It has been demonstrated that virtual machines can be successfully implemented on large computer systems. They can also be implemented on small computer systems (“mini-computers”). The paper will show this, and at the same time discuss the various architectural features by which virtual machine implementation is achieved.Examining features which make machines “small”, we find architectural limitations. These machines are usually byte or word addressable where the virtual address space bound is the word size. They usually rely on indexing and indirect addressing. Most instructions are one word long. The instruction repetoire is not particularly rich. There is a simple I/O structure with facilities for hardware interrupts and direct memory access (block I/O transfers).In summary, small virtual machines are effective for software development of systems having one or more of the following characteristics:• shared facilities• no common operating system• user I/O programming•communications control•process control•fictitious I/O devices

Abstract: Development of a multi-access system from an existing single-user system can be achieved by the virtual machine approach. If the virtual machines generated include as primitives the logical functions used by the single-user system activated on them, these extended virtual machines are able to support the single-user system at a decreased development, maintenance and running cost.

Abstract: The concept of allowing the computer user to modify the virtual machine being emulated by a microprogram controlled computer is not new. Schemes for implementing this typically include the definition of a standard virtual machine (the base machine) in read-only control storage, and the provision of some writable memory to contain user-written microroutines for the duration of the user job. Alternation of a computer instruction set by the temporary addition of microroutines to the system repertoire for emulation of new instructions is known as dynamic user microprogramming.

Abstract: We describe here the features and the implementation of a system that collects information about the activity of the virtual machines generated by CP-67.This system can collect information about CPU usage and I/O activity of the virtual machine without interfering with its operation and without knowing what the system running in the virtual machine is doing. In this sense it behaves like an hardware monitor behaves on a real machine, and hence has been called Virtual Hardware Monitor (VHM).VHM provides a general tool that can be used by any virtual machine. The information it provides, eventually used in connection with those provided by other systems that monitor the total activity of CP-67, can lead to a better knowledge of the load of CP-67 and to an improvement in the performance of CP-67 itself and in the performance of the various virtual machines.

Abstract: The behavior of a system running in one virtual machine (OBJECT) is made accessible to an external observer through another virtual machine (SPY) coupled to the previous one. Given the independence of virtual machines, it is possible to run in SPY a fully operational system to which suitable components are added in order to achieve integration and debugging of new systems in OBJECT.

Abstract: In the autumn of 1969, we decided to try a new approach to the design of a virtual machine operating system. Until that time, most installations using Virtual Machine Monitors merely ran operating systems that already existed for “stand-alone” use. Few, if any, installations had attempted to design and create an operating system that took advantage of its running environment. The Virtual Machine Monitor we were using was a highly modified version of CP-67 which was designed to operate on an IBM S/360 Model 67. Our design motivation centered on the reduction of CP-67 overhead by reducing the amount of virtual memory required to support the operating system. A secondary design goal was to produce a “production oriented” system. The resulting operating system should be able to be “tailored” to a particular user's requirements.The design of the New System (NS), as it came to be called, revolved around the fact that it not only knew it was executing within a virtual machine, but took advantage of it. Special communication links were designed and installed allowing NS to more directly control its paging and I/O profile.

Abstract: This note summarizes a paper entitled “Virtual Machine Techniques for Improving System Reliability” which will be presented April 30, 1973 at the IEEE Symposium on Computer Software Reliability in New York, New York. The full paper will appear in the Proceedings of the Symposium.

Abstract: This paper describes the Segment Based File Support System (SBFSS) which was designed and implemented by Robert g. Munck and the author, both of Brown University. SBFSS is an extension to IBM's CP-67/CMS virtual machine operating system for the IBM 360/67 computer. Its primary purpose is to allow CP to allocate more efficiently its direct access device (DASD) resources among a large number of users. Other advantages include improved response time, greater flexibility in sharing processors and data bases, and simple billing and back-up procedures.

Abstract: Sharing of procedure code among user-programs is a controversial concept in computer systems operating in a virtual machine and a time-sharing environment. In some systems the sharing can be effected at a segment level while in others it is effected at a page level. A model for sharing of pages in a CP-67/360 environment is developed and the results of experiments are presented.

Abstract: A brief study of IBM OS/VS1 (Operating System/Virtual Storage 1) will reveal a system providing many faceted growth capabilities at all levels of user-system interaction. Additional meaningful function is provided on a stabilized base to assure this growth capability. It can be further seen that installation growth is achieved through new application work and not by a continual rework of existing programs. To assure the users ability to move to new work almost immediately, OS/VS1 is built on an IBM OS/MFT (Operating System/Multiprogramming with a Fixed Number of Tasks) base. Compatibility is defined to extend to most object programs, source programs, data and libraries from OS/MFT to OS/VS1, thus assuring a normal movement of existing programs to the virtual environment. Figure 1 graphically represents the areas of change between MFT and VS1.

Abstract: The present state of the LSI technology enables the integration of sophisticated functions, such as control functions. However, these functions are still simple. A present micro-computer set offers a low parallelism and a low flexibility in interruption handling. Thus, the typical application of micro-computer sets is the development of inexpensive satellite processors. Two techniques become available: -the dynamic microprogramming, - the multiplication of control organs. The efficient use of the dynamic microprogramming supposes the concept of the “host machine” which can emulate a number of virtual machines (cf B1700). The multiplication of control organs actually needs asynchronous communication procedure and requires specific microprocessors. This paper investigate such a machine. The computer is a collection of specific microprocessors. The communications are handled by an auto-regulating principle. A paged working storage and a communication mechanism are cyclicly shared between the microprocessors. The communication mechanism allows the garbage collecting and the flag locking of the common pages.

Abstract: A striking phenomenon in the current state of the art in computer technology is the rapidly growing power of mini-computers. One reason for this power is the ability of small computer systems to adapt to specific uses, making them an attractive and economical alternative to large- or medium-scale general purpose systems for many applications. The provision of micro-programming on many of these systems has much to do with this adaptability, since it permits the efficient design and implementation of a virtual machine suited to the needs of the particular application or intended use of the system. In this way the bare hardware can be molded to support the necessary (and often sophisticated) data and control structures desired.

Abstract: This paper describes a high level general purpose language which evolved from another high level systems programming language. As well, the compiler, pseudocode, and virtual machine are discussed in some detail. The new language is a powerful PL/1 dialect, as is its parent language, XPL 1. PL/EXUS (Programming Language/Extended XPL Users' Superset), was created to satisfy a particular set of needs. A highly machine independent, mobile, compact, and powerful programming system was needed for implementation of programs to manipulate medical record data on modestly configured minicomputers. The primary extensions to XPL were semantic and dictated the structure of a host virtual machine. Because of the number of different data types and implicit mixed mode conversion rules, the virtual machine has a tagged data architecture. This results in a small instruction set of under 64 operators and thus enables powerful, implicit, run time instruction interpretation. The PL/EXUS virtual machine has a basic eight bit word size. Its virtual memory capabilities require only a fraction of the program and data to be in real memory at a time. The ability to specify storage space for most data types results in parsimonious space allocation in spite of the presence of tag words (one eight-bit byte per identifier or constant). Some instructions were specifically created to allow the compiler to “peep-hole” (i.e., locally) optimize generated pseudocode programs. The compiler itself is written in XPL, which permits self-compilation and makes possible its execution on the virtual machine or a simulated (interpretive) version of it.

Abstract: : The ARPA network consists of a Network Control Program (NCP) which handles Host to Host communications, a LOGGER/SERVER for providing access to a CP virtual machine from the network, and a user subroutine package for communicating with other Hosts on the network form a logged on CP virtual machine operating in the CMS environment. The NCP and the LOGGER each run in separate virtual machines; the NCP handling the I/O operations with the IMP and the LOGGER handling pseudo I/O operations with CP through a software supported virtual terminal device. CMS virtual machines communicate with the NCP virtual machine through a special virtual machine to virtual machine communications facility. The report describes the routines which make up the NCP and the LOGGER.

Abstract: : he most important new result of the thesis is the model of a process running on a virtual computer system (VCS) and the derivation of design principles from that model. The approach adopted is to consider the introduction of VCS's into the rich, complex architectures likely to be found in 4th generation systems. The model allows us to understand different properties of virtual machines and to interpret a number of proposed implementations of VCS's in terms of the model. Furthermore, the model leads naturally to an implementation of virtual machines, the Hardware Virtualizer (HV) which provides an efficient and simplified mechanism for virtual machines. A number of detailed examples illustrate how the Hardware Vitualizer might operate in an actual 4th generation system.