All,
I had some great success integrating both the scan-before-execute (prescan)
code, and the split I&D TLB technique code into plex86. A quick
brief, for newcomers:
The scan-before-execute technique allows us to continuously
decode new code before it is executed, so we can always maintain
control of the execution path. Of course, we cache results as we go,
so we don't have to decode previous code.
The split I&D technique takes advantage of the fact that newer
processors have separate I&D TLB caches, so we can load one page mapping
(and associated permissions) into the I TLB cache for a code
page, and a different one for the D TLB cache entry. This
way we can let code run in a page that it can not access
as data. This is useful if we want to modify code as part of
our scan-before-execute technique, and not let guest code see
our changes.
Things are still rough, and I have not plugged the generated
page exceptions into the rest of the existing emulation yet.
Below are some notes showing that things are working so far.
You don't have to read the details. In short, we can now
virtualize arbitrary x86 instructions, specified by a flexible
map, and protect against guest reads/writes to virtualized
code pages.
Once this is better integrated, we should be able to enhance
plex86 for more complete virtualization quickly. I see
running real guest OSes in our near future... :^)
More soon.
-Kevin
=============================================================
- Virtualizing an arbitrary instruction.
I modified the instruction virtualization map, and marked
'NOP' for virtualization. The following code sequence:
_start:
clc
stc
nop
hlt
... caused the monitor to trap out at:
Current instruction:
000B.00100002 90 nop
- Exception generated when read & write occurs to a virtualized
code page. (I only deal with one page for now as proof of concept)
The following code simply gets the current eip, and tries
to access memory in the current page. I had to mark
'PUSH SS' and 'POP DS' as OK to run natively for this code,
as they were currently marked for virtualization.
_start:
push %ss
pop %ds
call get_eip
get_eip:
pop %eax
movl (%eax), %ebx // read from page
//movl %ebx, (%eax) // ...or write to page
hlt
Either read or write case traps out in the monitor with:
Current instruction:
000B.00100008 8B18 movl (%eax), %ebx
-or-
000B.00100008 8918 movl %ebx, (%eax)
- No exception when read/write occurs to non-virtualized pages
Just to make sure, I modified the code above to access the
next page, which has not been virtualized:
push %ss
pop %ds
call get_eip
get_eip:
pop %eax
add $4096, %eax
movl (%eax), %ebx // read from page
movl %ebx, (%eax) // write to page
hlt
It traps in the monitor faithfully at the HLT, thus the
read/writes execute fine.
Current instruction:
000B.00100011 F4 hlt
