This talk is a follow-up to our Summit 2017 presentation in which we covered our plans for Intel VMFUNC and #VE, as well as related use-cases. This year, we will provide a report on what we have accomplished in Xen 4.12, and what remains to be addressed. We will also give a brief status update of VMI on AMD hardware. The session will end with some real-world numbers of the Hypervisor Introspection solution running on Citrix Hypervisor 8.0 with #VE enabled.

1. Memories of a VM Funk
Mihai Donțu, Engineering Manager, Bitdefender

2. Outline
• 4.12 statistics
• VMI on AMD
• The 'Windows 10 RS4' event
• The A/D bits conundrum
• #VE / VMFUNC statistics with Citrix Hypervisor 8.0
• Intel Sub-Page Permission (SPP)

3. 4.12 Statistics
• Xen releases since 2017's summit: 4.9, 4.10, 4.11, 4.12
• 68 patches, 45 in 4.12 alone
• 5 developers: Adrian Pop, Alexandru Isăilă, Petre Pîrcălabu,
Răzvan Cojocaru, Vlad Ioan Topan

4. VMI on AMD
• Basic vm_event support done
• All PT-walks trigger a write NPT #PF
• No Intel MTF-like support
• Realtime-VMI is essentialy a "no-go"

5. The 'Windows 10 RS4' event
• Huge slowdown due to frequent PT modifications
• Worked-around with a tiny in-guest filter (injected)
• Proper solution: #VE agent
• 64bit only

6. The A/D bits conundrum
• We need to emulate A/D bit updates
• There are three methods:
• Optimistic (PTE-level):
• If accessed is unset, set it
• If accessed is set, set dirty if PTE is writable
• Using the emulator: perform a full guest PT walk and update A/D according
to the current instruction
• Single-step via MTF

7. • #VE / VMFUNC statistics with Citrix Hypervisor 8.0
Firefox Chrome
Opening multiple pages in multiple tabs (Y: seconds)

8. • Intel Sub-Page Permission (SPP)
• Controlled by VMCS and EPTE[61]
• Write protection only
• Sub-page size: 128 bytes
• Protect OS structures smaller than 4K
• Mostly read-only but live in pages written often
• Typical candidates (Windows): driver objects, IDT, HAL dispatch
table

9. Q & A

10. Thank you!