TL;DR: This paper recommends benchmarking selection and evaluation methodologies, and introduces the DaCapo benchmarks, a set of open source, client-side Java benchmarks that improve over SPEC Java in a variety of ways, including more complex code, richer object behaviors, and more demanding memory system requirements.
Abstract: Since benchmarks drive computer science research and industry product development, which ones we use and how we evaluate them are key questions for the community. Despite complex runtime tradeoffs due to dynamic compilation and garbage collection required for Java programs, many evaluations still use methodologies developed for C, C++, and Fortran. SPEC, the dominant purveyor of benchmarks, compounded this problem by institutionalizing these methodologies for their Java benchmark suite. This paper recommends benchmarking selection and evaluation methodologies, and introduces the DaCapo benchmarks, a set of open source, client-side Java benchmarks. We demonstrate that the complex interactions of (1) architecture, (2) compiler, (3) virtual machine, (4) memory management, and (5) application require more extensive evaluation than C, C++, and Fortran which stress (4) much less, and do not require (3). We use and introduce new value, time-series, and statistical metrics for static and dynamic properties such as code complexity, code size, heap composition, and pointer mutations. No benchmark suite is definitive, but these metrics show that DaCapo improves over SPEC Java in a variety of ways, including more complex code, richer object behaviors, and more demanding memory system requirements. This paper takes a step towards improving methodologies for choosing and evaluating benchmarks to foster innovation in system design and implementation for Java and other managed languages.
TL;DR: It is found that the hardware support for Virtual Machine Monitors for x86 fails to provide an unambiguous performance advantage for two primary reasons: first, it offers no support for MMU virtualization; second, it fails to co-exist with existing software techniques for MMU virtualization.
Abstract: Until recently, the x86 architecture has not permitted classical trap-and-emulate virtualization. Virtual Machine Monitors for x86, such as VMware® Workstation and Virtual PC, have instead used binary translation of the guest kernel code. However, both Intel and AMD have now introduced architectural extensions to support classical virtualization. We compare an existing software VMM with a new VMM designed for the emerging hardware support. Surprisingly, the hardware VMM often suffers lower performance than the pure software VMM. To determine why, we study architecture-level events such as page table updates, context switches and I/O, and find their costs vastly different among native, software VMM and hardware VMM execution. We find that the hardware support fails to provide an unambiguous performance advantage for two primary reasons: first, it offers no support for MMU virtualization; second, it fails to co-exist with existing software techniques for MMU virtualization. We look ahead to emerging techniques for addressing this MMU virtualization problem in the context of hardware-assisted virtualization.
TL;DR: The design and implementation of a system that enables trusted computing for an unlimited number of virtual machines on a single hardware platform and four designs for certificate chains to link the virtual TPM to a hardware TPM are presented, with security vs. efficiency trade-offs based on threat models.
Abstract: We present the design and implementation of a system that enables trusted computing for an unlimited number of virtual machines on a single hardware platform. To this end, we virtualized the Trusted Platform Module (TPM). As a result, the TPM's secure storage and cryptographic functions are available to operating systems and applications running in virtual machines. Our new facility supports higher-level services for establishing trust in virtualized environments, for example remote attestation of software integrity.
We implemented the full TPM specification in software and added functions to create and destroy virtual TPM instances. We integrated our software TPM into a hypervisor environment to make TPM functions available to virtual machines. Our virtual TPM supports suspend and resume operations, as well as migration of a virtual TPM instance with its respective virtual machine across platforms. We present four designs for certificate chains to link the virtual TPM to a hardware TPM, with security vs. efficiency trade-offs based on threat models. Finally, we demonstrate a working system by layering an existing integrity measurement application on top of our virtual TPM facility.
TL;DR: In this article, a system for enhancing the quality of group interaction, group activities, and group environments over computer networks is described, including the capacity for participants to form subgroups within a larger group, as well as to move about a virtual environment, interacting with other participants.
Abstract: Improvements to a system for enhancing the quality of group interaction, group activities, and group environments over computer networks. New features include the capacity for participants to form subgroups within a larger group, as well as to move about a virtual environment, interacting with other participants they come across in the environment as desired. Unique methods for creating and distributing structured group programs for use on the system, for playing computerized board games or card games on the system, and for building virtual social environments using the system are also disclosed. The system creates improved virtual environments for high-tech business meetings, on-line classrooms, conferences, group counseling sessions, internet trade shows, and private meeting places where family and friends can spend quality time together.
TL;DR: This paper surveys a variety of established and emerging techniques for I/O virtualization and outlines their associated problems and challenges, then details the architecture of VT-d and describes how it enables the industry to meet the future challenges of I/O virtualization.
Abstract: Intel® Virtualization Technology for Directed I/O (VT-d) is the next important step toward comprehensive hardware support for the virtualization of Intel® platforms. VT-d extends Intel's Virtualization Technology (VT) roadmap from existing support for IA-32 (VT-x) (1) and Itanium® processor (VT-i) (2) virtualization to include new support for I/O-device virtualization. This paper surveys a variety of established and emerging techniques for I/O virtualization and outlines their associated problems and challenges. We then detail the architecture of VT-d and describe how it enables the industry to meet the future challenges of I/O virtualization.
TL;DR: In this paper, the authors propose a method for providing access to a computing environment that includes the step of receiving a request from a client system for an enumeration of available computing environments.
Abstract: A method for providing access to a computing environment includes the step of receiving a request from a client system for an enumeration of available computing environments. Collected data regarding available computing environments are accessed. Accessed data are transmitted to a client system, the accessed data indicating to the client system each computing environment available to a user of the client system. A request is received from the client system to access one of the computing environments. A connection is established between the client system and a virtual machine hosting the requested computing environment via a terminal services session, the virtual machine executed by a hypervisor executing in the terminal services session provided by an operating system executing on one of a plurality of execution machines.
TL;DR: In this paper, the authors use a virtual machine (VM) to sandbox and analyze potentially malicious content accessed at a network site to determine whether it is malicious, such as drive-by download attacks.
Abstract: A system analyzes content accessed at a network site to determine whether it is malicious. The system employs a tool able to identify spyware that is piggy-backed on executable files (such as software downloads) and is able to detect “drive-by download” attacks that install software on the victim's computer when a page is rendered by a browser program. The tool uses a virtual machine (VM) to sandbox and analyze potentially malicious content. By installing and running executable files within a clean VM environment, commercial anti-spyware tools can be employed to determine whether a specific executable contains piggy-backed spyware. By visiting a Web page with an unmodified browser inside a clean VM environment, predefined “triggers,” such as the installation of a new library, or the creation of a new process, can be used to determine whether the page mounts a drive-by download attack.
TL;DR: This paper introduces the concept of server consolidation using virtualization and point out associated issues that arise in the area of application performance, and shows how some of these problems can be solved by monitoring key performance metrics and using the data to trigger migration of virtual machines within physical servers.
Abstract: As businesses have grown, so has the need to deploy I/T applications rapidly to support the expanding business processes. Often, this growth was achieved in an unplanned way: each time a new application was needed a new server along with the application software was deployed and new storage elements were purchased. In many cases this has led to what is often referred to as "server sprawl", resulting in low server utilization and high system management costs. An architectural approach that is becoming increasingly popular to address this problem is known as server virtualization. In this paper we introduce the concept of server consolidation using virtualization and point out associated issues that arise in the area of application performance. We show how some of these problems can be solved by monitoring key performance metrics and using the data to trigger migration of Virtual Machines within physical servers. The algorithms we present attempt to minimize the cost of migration and maintain acceptable application performance levels.
TL;DR: In this paper, a load balancer receives a request from a client and decides whether at least one additional virtual machine should be started up in response to the request, in order to satisfy the request.
Abstract: A system has plural physical machines that contain virtual machines. A load balancer receives a request from a client. In response to the request, it is determined whether at least one additional virtual machine should be started up. In response to determining that at least one additional virtual machine should be started up, the load balancer sends at least one command to start up the at least one additional virtual machine in at least one of the physical machines.
TL;DR: Details of the virtualization challenges posed by IA-32 and Itanium processors are provided; an overview and details of VT-x and VT-i are presented; and examples of usage of the VT-x and VT-i architecture are provided.
Abstract: Virtualizing the physical resources of a computing system to improve sharing and utilization has been done for decades. Virtualization had once been confined to specialized server and mainframe systems, but improvements in the performance of platforms based on Intel technology now allow those platforms to efficiently support virtualization. However, the IA-32 and Itanium processor architectures pose a number of significant challenges to virtualization. The first generation of Intel Virtualization Technology (VT) for IA-32 and Itanium processors provides hardware support that simplifies processor virtualization, enabling reductions in virtual machine monitor (VMM) software size and complexity. Resulting VMMs can support a wider range of legacy and future operating systems (OSs) on the same physical platform while maintaining high performance. In this paper, we provide details of the virtualization challenges posed by IA-32 and Itanium processors; present an overview and furnish details of VT-x (Intel Virtualization Technology for the IA-32 architecture) and VT-i (Intel Virtualization Technology for the Itanium architecture); show how VT-x and VT-i address virtualization challenges; and finally provide examples of usage of the VT-x and VT-i architecture.
TL;DR: In this article, a broker machine receives a request from a client machine for access to a computing environment, the request including an identification of a user of the client machine, and one of a plurality of virtual machines is identified, the identified virtual machine providing the requested computing environment.
Abstract: A method for providing access to a computing environment includes the step of receiving, by a broker machine, a request from a client machine for access to a computing environment, the request including an identification of a user of the client machine. One of a plurality of virtual machines is identified, the identified virtual machine providing the requested computing environment. One of a plurality of execution machines is identified, the identified execution machine executing a hypervisor providing access to hardware resources required by the identified virtual machine. A connection is established between the client machine and the identified virtual machine.
TL;DR: VMM-bypass allows time-critical I/O operations to be carried out directly in guest VMs without involvement of the VMM and/or a privileged VM by exploiting the intelligence found in modern high speed network interfaces.
Abstract: Currently, I/O device virtualization models in virtual machine (VM) environments require involvement of a virtual machine monitor (VMM) and/or a privileged VM for each I/O operation, which may turn out to be a performance bottleneck for systems with high I/O demands, especially those equipped with modern high speed interconnects such as InfiniBand.
In this paper, we propose a new device virtualization model called VMM-bypass I/O, which extends the idea of OS-bypass originated from user-level communication. Essentially, VMM-bypass allows time-critical I/O operations to be carried out directly in guest VMs without involvement of the VMM and/or a privileged VM. By exploiting the intelligence found in modern high speed network interfaces, VMM-bypass can significantly improve I/O and communication performance for VMs without sacrificing safety or isolation.
To demonstrate the idea of VMM-bypass, we have developed a prototype called Xen-IB, which offers InfiniBand virtualization support in the Xen 3.0 VM environment. Xen-IB runs with current InfiniBand hardware and does not require modifications to existing user-level applications or kernel-level drivers that use InfiniBand. Our performance measurements show that Xen-IB is able to achieve nearly the same raw performance as the original InfiniBand driver running in a non-virtualized environment.
TL;DR: In this paper, a security module analyzes the process making the system call to determine whether it poses a security threat, and then takes remedial action to address the threat if found.
Abstract: A computer includes a virtual machine controlled by a hypervisor. The virtual machine runs a virtualized operating system with running processes. A security initialization module sets the state in the virtual machine to pass execution from the virtual machine to the hypervisor responsive to a process making a system call in the virtualized operating system. Responsive to execution being passed from the virtual machine to the hypervisor, a security module analyzes the process making the system call to determine whether it poses a security threat. If a security threat is found, the security module takes remedial action to address the threat.
TL;DR: It is shown that run-time dynamic linking is an effective method for reprogramming even resource constrained wireless sensor nodes, and a combination of native code and virtual machine code provide good energy efficiency.
Abstract: From experience with wireless sensor networks it has become apparent that dynamic reprogramming of the sensor nodes is a useful feature. The resource constraints in terms of energy, memory, and processing power make sensor network reprogramming a challenging task. Many different mechanisms for reprogramming sensor nodes have been developed ranging from full image replacement to virtual machines. We have implemented an in-situ run-time dynamic linker and loader that use the standard ELF object file format. We show that run-time dynamic linking is an effective method for reprogramming even resource constrained wireless sensor nodes. To evaluate our dynamic linking mechanism we have implemented an application-specific virtual machine and a Java virtual machine and compare the energy cost of the different linking and execution models. We measure the energy consumption and execution time overhead on real hardware to quantify the energy costs for dynamic linking. Our results suggest that while in general the overhead of a virtual machine is high, a combination of native code and virtual machine code provide good energy efficiency. Dynamic run-time linking can be used to update the native code, even in heterogeneous networks.
TL;DR: In this article, a forward deployed honey net combined with a parallel monitoring system collecting data into and from the honey net, leveraging the controlled environment to identify malicious behavior and new attacks is presented.
Abstract: Honey pots are used to attract computer attacks to a virtual operating system that is a virtual instantiation of a typical deployed operational system. Honey nets are a collection of these virtual systems assembled to create a virtual network. The subject system uses a forward deployed honey net combined with a parallel monitoring system collecting data into and from the honey net, leveraging the controlled environment to identify malicious behavior and new attacks. This honey net/monitoring pair is placed ahead of the real deployed operational network and the data it uncovers is used to reconfigure network protective devices in real time to prevent zero-day based attacks from entering the real network. The forward network protection system analyzes the data gathered by the honey pots and generates signatures and new rules for protection that are coupled to both advanced perimeter network security devices and to the real network itself so that these devices can be reconfigured with threat data and new rules to prevent infected packets from entering the real network and from propagating to other machines. Note the subject system applies to both zero-day exploit-based worms and also manual attacks conducted by an individual who is leveraging novel attack methods.
TL;DR: The design and implementation of the Squawk VM is described as applied to the Sun™ Small Programmable Object Technology (SPOT) wireless device; a device developed at Sun Microsystems Laboratories for experimentation with wireless sensor and actuator applications.
Abstract: The Squawk virtual machine is a small Java™ virtual machine (VM) written mostly in Java that runs without an operating system on a wireless sensor platform. Squawk translates standard class files into an internal pre-linked, position independent format that is compact and allows for efficient execution of bytecodes that have been placed into a read-only memory. In addition, Squawk implements an application isolation mechanism whereby applications are represented as objects and are therefore treated as first class objects (i.e., they can be reified). Application isolation also enables Squawk to run multiple applications at once with all immutable state being shared between the applications. Mutable state is not shared. The combination of these features reduces the memory footprint of the VM, making it ideal for deployment on small devices. Squawk provides a wireless API that allows developers to write applications for wireless sensor networks (WSNs); this API is an extension of the generic connection framework (GCF). Authentication of deployed files on the wireless device and migration of applications between devices is also performed by the VM. This paper describes the design and implementation of the Squawk VM as applied to the Sun™ Small Programmable Object Technology (SPOT) wireless device; a device developed at Sun Microsystems Laboratories for experimentation with wireless sensor and actuator applications.
TL;DR: Under novel conditions, the startling discovery is made that distance perception appears not to be significantly compressed in the immersive virtual environment, relative to in the real world.
Abstract: Numerous previous studies have suggested that distances appear to be compressed in immersive virtual environments presented via head mounted display systems, relative to in the real world. However, the principal factors that are responsible for this phenomenon have remained largely unidentified. In this paper we shed some new light on this intriguing problem by reporting the results of two recent experiments in which we assess egocentric distance perception in a high fidelity, low latency, immersive virtual environment that represents an exact virtual replica of the participants' concurrently occupied real environment. Under these novel conditions, we make the startling discovery that distance perception appears not to be significantly compressed in the immersive virtual environment, relative to in the real world.
TL;DR: In this paper, the authors propose a method for making a hypermedium page interactive, the hypermedium page displayed by a network browser, including the step of selecting a hyperlink on the hypermedium page displayed on a client machine, identifying a desired computing resource.
Abstract: A method for making a hypermedium page interactive, the hypermedium page displayed by a network browser, includes the step of selecting a hyperlink on the hypermedium page displayed on a client machine, the hyperlink identifying a desired computing resource. A hyperlink configuration file is retrieved, the hyperlink configuration file corresponding to the hyperlink and identifying a server machine. A client agent is started on the client machine. The client agent creates, via a terminal services session, a communication link to a virtual machine executing on the server identified by the hyperlink configuration file, the virtual machine executed by a hypervisor executing in the terminal services session provided by an operating system executing on the server. The client agent receives data from the virtual machine and displays, on the client machine, the received data without intervention by the network browser.
TL;DR: In this paper, a broker machine receives a request from a client machine for access to a computing environment, the request including an identification of a user of the client machine, and one of a plurality of virtual machines is identified by session management component, the identified virtual machine providing the requested computing environment.
Abstract: A method for providing access to a computing environment includes the step of receiving, by a broker machine, a request from a client machine for access to a computing environment, the request including an identification of a user of the client machine. One of a plurality of virtual machines is identified by a session management component, the identified virtual machine providing the requested computing environment. One of a plurality of execution machines is identified, the identified execution machine providing a terminal services session in which a hypervisor executes to provide access to hardware resources required by the identified virtual machine. The hypervisor launches the identified virtual machine. A connection is established between the client machine and the identified virtual machine, via the terminal services session.
TL;DR: In this article, the authors present a method and system for backing up and restoring data of virtual machines through a directory service or via an agent that is installed on the virtual machine's host operating system.
Abstract: A method and system for backing up and restoring data of virtual machines. A virtual machine may be discovered through a directory service or via an agent that is installed on the virtual machine's host operating system. If the agent is installed on the virtual machine, the agent monitors changes to protected virtual machine volumes. If the agent is installed on the host, the agent monitors changes to the protected volumes, which may contain one or more virtual servers on the host. Periodically, these changes from the host or the virtual server are sent to a data protection server. The data protection server updates its replicas of protected volumes with the sent changes. Versions of files on a data protection server corresponding to a volume of a virtual server may be restored to the virtual machine, to another machine, or may be viewed from the data protection server.
TL;DR: The PyPy project seeks to prove both on a research and a practical level the feasibility of constructing a virtual machine (VM) for a dynamic language in a dynamic language - in this case, Python.
Abstract: The PyPy project seeks to prove both on a research and a practical level the feasibility of constructing a virtual machine (VM) for a dynamic language in a dynamic language - in this case, Python. The aim is to translate (i.e. compile) the VM to arbitrary target environments, ranging in level from C/Posix to Smalltalk/Squeak via Java and CLI/.NET, while still being of reasonable efficiency within these environments. A key tool to achieve this goal is the systematic reuse of the Python language as a system programming language at various levels of our architecture and translation process. For each level, we design a corresponding type system and apply a generic type inference engine - for example, the garbage collector is written in a style that manipulates simulated pointer and address objects, and when translated to C these operations become C-level pointer and address instructions.
TL;DR: This paper presents the design, implementation and evaluation of a system called VIOLIN, which is composed of a virtual network of virtual machines capable of live migration across a multi-domain physical infrastructure.
Abstract: A shared distributed infrastructure is formed by federating computation resources from multiple domains. Such shared infrastructures are increasing in popularity and are providing massive amounts of aggregated computation resources to large numbers of users. Meanwhile, virtualization technologies, at machine and network levels, are maturing and enabling mutually isolated virtual computation environments for executing arbitrary parallel/distributed applications on top of such a shared physical infrastructure. In this paper, we go one step further by supporting autonomic adaptation of virtual computation environments as active, integrated entities. More specifically, driven by both dynamic availability of infrastructure resources and dynamic application resource demand, a virtual computation environment is able to automatically relocate itself across the infrastructure and scale its share of infrastructural resources. Such autonomic adaptation is transparent to both users of virtual environments and administrators of infrastructures, maintaining the look and feel of a stable, dedicated environment for the user. As our proof-of-concept, we present the design, implementation and evaluation of a system called VIOLIN, which is composed of a virtual network of virtual machines capable of live migration across a multi-domain physical infrastructure.
TL;DR: This paper presents extensions to Shirako to provision fine-grained virtual machine "slivers" and drive virtual machine migration, and illustrates the interactions of provisioning and placement/migration policies, and their impact.
Abstract: Virtualization technology offers powerful resource management mechanisms, including performance-isolating resource schedulers, live migration, and suspend/resume. But how should networked virtual computing systems use these mechanisms? A grand challenge is to devise practical policies to drive these mechanisms in a self-managing or "autonomic" system, without relying on human operators. This paper explores architectural and algorithmic issues for resource management policy and orchestration in Shirako, a system for on-demand leasing of shared networked resources in federated clusters. Shirako enables a flexible factoring of resource management functions across the participants in a federated system, to accommodate a range of models of distributed virtual computing. We present extensions to Shirako to provision fine-grained virtual machine "slivers" and drive virtual machine migration. We illustrate the interactions of provisioning and placement/migration policies, and their impact.
TL;DR: In this paper, a shared-control interaction paradigm for haptic interface systems is presented, where the haptic device contributes to execution of a dynamic target-hitting task via force commands from an automatic controller.
Abstract: This paper presents a shared-control interaction paradigm for haptic interface systems, with experimental data from two user studies. Shared control, evolved from its initial telerobotics applications, is adapted as a form of haptic assistance in that the haptic device contributes to execution of a dynamic manual target-hitting task via force commands from an automatic controller. Compared to haptic virtual environments, which merely display the physics of the virtual system, or to passive methods of haptic assistance for performance enhancement based on virtual fixtures, the shared-control approach offers a method for actively demonstrating desired motions during virtual environment interactions. The paper presents a thorough review of the literature related to haptic assistance. In addition, two experiments were conducted to independently verify the efficacy of the shared-control approach for performance enhancement and improved training effectiveness of the task. In the first experiment, shared control is found to be as effective as virtual fixtures for performance enhancement, with both methods resulting in significantly better performance in terms of time between target hits for the manual target-hitting task than sessions where subjects feel only the forces arising from the mass-spring-damper system dynamics. Since shared control is more general than virtual fixtures, this approach may be extremely beneficial for performance enhancement in virtual environments. In terms of training enhancement, shared control and virtual fixtures were no better than practice in an unassisted mode. For manual control tasks, such as the one described in this paper, shared control is beneficial for performance enhancement, but may not be viable for enhancing training effectiveness.
TL;DR: In this paper, the authors propose a system and method for assigning virtual machines to network interfaces, where a first virtual machine is assigned to a network interface according to a first rule and a second virtual machine is assigned according to a second rule, so that the same network conditions may result in different assignments under the two rules.
Abstract: A system and method for assigning virtual machines to network interfaces. A first virtual machine is assigned to a network interface according to a first rule and a second virtual machine is assigned to a network interface according to a second rule. The assignment rules are dependent on network conditions as determined through at least one of the network interfaces. The first rule and the second rule may specify assignments differently, such that the same network conditions may result in different assignments for the first and second virtual machines.
TL;DR: In this article, the authors consider a system and method for provisioning, retirement and configuration of virtual machines, which may include a desired target state of the virtual machines as well as an action to initiate in order to reach the desired state.
Abstract: The embodiments contemplate a system and method for the provisioning, retirement and configuration of virtual machines. A predefined policy may include a desired target state of the virtual machines, as well as an action to initiate in order to reach the desired state. The action may be initiated if the state varies from the desired level by a predetermined amount or percentage over a predetermined period of time. Data from the virtual machines is analyzed to determine if the desired state of the virtual machines is satisfied. The analysis may be continuous or periodic. If it is determined that the desired state is not satisfied, then predefined actions are performed until the desired state is attained. The predefined actions may be the removal or addition of one or more virtual machines or other actions necessary to reach the desired state.
TL;DR: This paper creates a prototype implementation of techniques that can be used by a VMM to passively infer useful information about a guest operating system's unified buffer cache and virtual memory system, and implements a novel working set size estimator which allows the VMM to make more informed memory allocation decisions.
Abstract: Virtualization is increasingly being used to address server management and administration issues like flexible resource allocation, service isolation and workload migration. In a virtualized environment, the virtual machine monitor (VMM) is the primary resource manager and is an attractive target for implementing system features like scheduling, caching, and monitoring. However, the lack of runtime information within the VMM about guest operating systems, sometimes called the semantic gap, is a significant obstacle to efficiently implementing some kinds of services. In this paper we explore techniques that can be used by a VMM to passively infer useful information about a guest operating system's unified buffer cache and virtual memory system. We have created a prototype implementation of these techniques inside the Xen VMM called Geiger and show that it can accurately infer when pages are inserted into and evicted from a system's buffer cache. We explore several nuances involved in passively implementing eviction detection that have not previously been addressed, such as the importance of tracking disk block liveness, the effect of file system journaling, and the importance of accounting for the unified caches found in modern operating systems. Using case studies we show that the information provided by Geiger enables a VMM to implement useful VMM-level services. We implement a novel working set size estimator which allows the VMM to make more informed memory allocation decisions. We also show that a VMM can be used to drastically improve the hit rate in remote storage caches by using eviction-based cache placement without modifying the application or operating system storage interface. Both case studies hint at a future where inference techniques enable a broad new class of VMM-level functionality.
TL;DR: In this article, a virtual machine manager can send management instructions that include the delegated policy settings to one or more virtual machine hosts, which can be updated periodically, and can include additional information about starting, stopping, expiring, saving, or even deleting virtual machines by particular users.
Abstract: An administrative authority for virtual machines can send one or more delegated policy settings to a virtual machine manager. The virtual machine manager can in turn send management instructions that include the one or more policy settings to one or more virtual machine hosts. As such, a user's request for a virtual machine at a virtual machine host can be granted or denied based on the delegated policy settings. The policy settings can be updated periodically, and can include additional information about starting, stopping, expiring, saving, or even deleting virtual machines by particular users, as well as users accessing from particular locations. In addition, an agent operating at the virtual machine host can monitor and report virtual machine activity, to ensure unauthorized virtual machines are quickly stopped and reviewed until authorized.
TL;DR: In this article, the authors describe a live migration of a virtual machine (VM) executing at a source site to at least one destination site over an optical network, where one or more lightpaths are dynamically and securely established between the source site and the destination sites.
Abstract: Described are a network and method for performing live migration of a virtual machine (VM) executing at a source site to at least one destination site over an optical network. An application program executes on the VM on behalf of a client system. In the event of a VM migration, a virtual machine turntable control agent coordinates the resource allocation with the VM data transfer. One or more lightpaths are dynamically and securely established through the optical network between the source site and the destination site(s). The VM migration from the source site to multiple destination sites occurs simultaneously, while the application program executes on the VM. After the VM migration, the application resumes at the destination site(s).
TL;DR: The design and performance evaluation of a network emulation cluster built with commodity PCs and network switches is presented and through detailed performance evaluation it is demonstrated that the approach can result in a scalable emulation system with high performance.
Abstract: In this paper we present the design and performance evaluation of a network emulation cluster built with commodity PCs and network switches. Each emulated node runs inside its own virtual machine, complete with a kernel and device drivers, and the virtual machine monitor ensures isolation between the emulated nodes, fair access to the resources of the underlying physical node, and high performance. The load of traffic conditioning (emulating packet delays, losses and other characteristics of wide-area network links) is shared between all physical nodes by conditioning only the traffic originated by the emulated nodes they host. The above organization results in an emulation testbed that is low cost and scalable while providing strict resource isolation between emulated nodes and high emulation fidelity by allowing the emulation of kernels and other system level software. In this paper we present the main considerations behind the design of our testbed and through detailed performance evaluation we demonstrate that our approach can result in a scalable emulation system with high performance.