A virtual sandbox where you can experiment with coding, hacking,
cracking, etc.
Snapshots allow reverting to earlier states!!
You can do software unit and integration testing on
other operating systems
Security and isolation (Graders run student code in
a virtual machine for example)
Good computer hygiene (keep your OS clean).
1.4 Hypervisors and Virtual
Machines
https://en.wikipedia.org/wiki/Virtual_machine
* A virtual machine (VM) is an emulation of a computer
system.
* Virtual machines are based on computer architectures and provide
functionality of a physical computer.
* Their implementations may involve specialized hardware, software, or a
combination.
* Software simulates hardware, so that an operating system can run
inside of a software environment.
https://en.wikipedia.org/wiki/Hypervisor
* A hypervisor or virtual machine monitor (VMM) is
computer software, firmware or hardware that creates and runs virtual
machines.
* A computer on which a hypervisor runs one or more virtual machines is
called a host machine.
* Each virtual machine is called a guest machine.
* The hypervisor presents the guest operating systems with a virtual
operating platform and manages the execution of the guest operating
systems.
1.4.1 Normal OS
21b-Virtualization/f1-crop.png
1.4.2 Two types of hypervisor (and
another category below)
21b-Virtualization/hyper.png
1.4.3 Type-1, native or bare-metal
hypervisors
These hypervisors run directly on the host’s hardware to control the
hardware and to manage guest operating systems.
For this reason, they are sometimes called bare metal
hypervisors.
Full virtualization almost complete simulation of the actual
hardware to allow software, which typically consists of a guest
operating system, to run unmodified.
Paravirtualization a hardware environment is not simulated
However, the guest programs are executed in their own isolated
domains, as if they are running on a separate system.
Guest programs need to be specifically modified to run in this
environment.
Restricts a running process to a subset of the file system by
mapping the processes view of root to a sub-directory of the actual root
user.
Not all processes tolerate this well, and it can require including
more directories into the jail
If a process can run as root, it is possible to break out of the
chroot jail
1.4.6.2 Container
One kernel allows the existence of multiple
isolated user-space instances.
Such instances, called containers, partitions, virtualization
engines (VEs) or jails (FreeBSD jail or chroot jail), may look like real
computers from the point of view of programs running in them.
Typical program can see all resources (connected devices, files and
folders, network shares, CPU power, quantifiable hardware capabilities)
of that computer, but programs running inside a container can only see
the container’s contents and devices assigned to the container.
Can be seen as an advanced implementation of the standard chroot
mechanism, which changes the apparent root folder for the current
running process and its children.
Kernel provides resource-management features to limit the impact of
one container’s activities on other containers.
Warning:
* Containers like docker are pretty easy to escape.
* Use them only for minor sandboxing purposes.
A compartmentalized micro-kernel OS framework
* https://genode.org/index
* https://en.wikipedia.org/wiki/Genode
1.6.3.6 CLIP os
https://clip-os.org/en/
1.6.3.7 SubGraph OS: docker
containers for isolation
* Not really a mature/stable/alive project.
* Known exploits can escape docker containers with relative ease.
1.6.3.8 Qubes OS
Bare metal hypervisor (Xen), with full VM for isolation.
* https://www.qubes-os.org/intro/
* https://www.qubes-os.org/video-tours/
Qubes OS: detailed
1.7 Security and
virtualization
Guest OS isolation, ensuring that programs
executing within a guest OS may only access and use the resources
allocated to it, and not covertly interact with programs or data, either
in other guest OS’s, or in the hypervisor.
Guest OS monitoring by the hypervisor, which has
privileged access to the programs and data in each guest OS, and must be
trusted as secure from subversion and compromised use of this
access.
Virtualized environment security, particularly image and snapshot
management, which attackers may attempt to view or modify.
A unikernel is a specialized, single address space machine image
constructed by using library operating systems.
A developer selects, from a modular stack, the minimal set of
libraries which correspond to the OS constructs required for their
application to run.
These libraries are then compiled with the application and
configuration code to build sealed, fixed-purpose images (unikernels)
which run directly on a hypervisor or hardware without an intervening OS
such as Linux or Windows.
1.9 Microkernels
https://en.wikipedia.org/wiki/Microkernel
In computer science, a microkernel (often abbreviated as μ-kernel) is
the near-minimum amount of software that can provide the mechanisms
needed to implement an operating system (OS). These mechanisms include
low-level address space management, thread management, and inter-process
communication (IPC).
If the hardware provides multiple rings or CPU modes, the microkernel
may be the only software executing at the most privileged level, which
is generally referred to as supervisor or kernel mode. Traditional
operating system functions, such as device drivers, protocol stacks and
file systems, are typically removed from the microkernel itself and are
instead run in user space.
In terms of the source code size, microkernels are often smaller than
monolithic kernels.
1.9.1 Minix
https://www.minix3.org/
https://en.wikipedia.org/wiki/Minix
The MINIX3 microkernel, for example, has approximately 12,000 lines of
code, compared to 12,000,000 for a small monolithic kernel.
1.9.2 Redox
https://www.redox-os.org
https://en.wikipedia.org/wiki/Redox_(operating_system)
Inspired by those like Minix, but written in a memory safe language,
Rust.
1.9.3 xous
Microkernel in Rust
https://betrusted.io/xous-book/ch00-00-introduction.html
https://github.com/betrusted-io/xous-core
1.9.4 rCore
Educational kernel in Rust
https://github.com/rcore-os/rCore
https://github.com/rcore-os/zCore
In computing, network virtualization or network virtualization is
the process of combining hardware and software network resources and
network functionality into a single, software-based administrative
entity, a virtual network.
Network virtualization involves platform virtualization, often
combined with resource virtualization.
Network virtualization is categorized as either external
virtualization, combining many networks or parts of networks into a
virtual unit, or internal virtualization, providing network-like
functionality to software containers on a single network server.
Note: More to come here when we get to the next
section (Networking) when you will build your own virtual network.
