Is anyone here familiar enough with Docker to explain the differences and overlaps between it and ZeroVM? They looked an awful lot like the same thing to me, but I see that some folks are talking about running ZeroVM on Docker… Just wondering why you might do that, or choose one or the other.
ZeroVM is a sandboxed runtime. It doesn’t provide an OS-level abstraction, but an API-level abstraction. It basically runs a single process, recompiled for ZeroVM, in isolation, and the process has a well-defined (POSIX in this case) interface to the outside world. It’s an execution environment, similar to the JVM, but with a focus on sandboxing and an API and instruction set that is backwards compatible with existing systems.
Docker is a light-weight sandbox for entire systems. It allows you to run a number of processes in a virtual jail, sharing the same filesystem and restricted in their interaction with the outside world by configuration files and operating system sandboxing.
Awesome, very well explained! Thanks.
Can anybody point me to a completely barebones (CPU + memory only, no BIOS) VM implementation? I.e., you give it an arbitrary binary and a load address, and it sets up a memory environment and the reset vector appropriately, and traps out to the host program at any privileged instruction (int/in/out/lmsw/etc) or unmapped memory access? I’d really like to use something like this as a basis for some experiments in secure code generation.
I’m not sure exactly what you are looking for, but it’s worth checking out Valgrind and Qemu.
Valgrind re-writes binaries (like ZeroVM / NaCl) rather than virtualising the machine, AFAIK. It could definitely be achieved by cutting a lot out of Qemu’s hypervisor code or Xen, but learning those codebases would take significantly more time than starting from zero and building what I’m after using Intel’s refs, which I’m trying to skip :)
To better elaborate on what I’m after: rather than a useful VM with a bunch of (virtual) ISA controller chips listening to various ports, and emulating devices, I’m looking for the very beginning of one. Malloc a couple of MB of RAM, put the binary at 0, and start a virtualised CPU with a “jmp 0:0” and wait for a HLT. Any privileged instruction would trap out to said minimal VM and log and/or return a bogus value, or kill the VM.
The Quake VM did something like this. You can find some info at http://fabiensanglard.net/quake3/qvm.php and http://www.suse.de/~lnussel/talks/fosdem_talk_2013_q3.pdf .
Qemu’s CPU emulation would do something similar, although by default it passes syscalls through to the host OS. It doesn’t emulate a full system, and it can be used outside of the qemu system emulator to run user-space code on different architectures.
Seriously? Google-related projects really suck at naming things. But it wouldn’t be the first case where they picked a name which was already used in pretty much the same area.