1. 1

    Can anybody point me to a completely barebones (CPU + memory only, no BIOS) VM implementation? I.e., you give it an arbitrary binary and a load address, and it sets up a memory environment and the reset vector appropriately, and traps out to the host program at any privileged instruction (int/in/out/lmsw/etc.) or unmapped memory access? I’d really like to use something like this as a basis for some experiments in secure code generation.

    1. 1

      I’m not sure exactly what you are looking for, but it’s worth checking out Valgrind and Qemu.

      1. 1

        Valgrind rewrites binaries (like ZeroVM / NaCl) rather than virtualising the machine, AFAIK. It could definitely be achieved by cutting a lot out of Qemu’s hypervisor code or Xen, but learning those codebases would take significantly more time than starting from zero and building what I’m after using Intel’s refs, which I’m trying to skip :)

        To elaborate on what I’m after: rather than a useful VM with a bunch of (virtual) ISA controller chips listening to various ports and emulating devices, I’m looking for the very beginning of one. Malloc a couple of MB of RAM, put the binary at 0, and start a virtualised CPU with a “jmp 0:0” and wait for a HLT. Any privileged instruction would trap out to said minimal VM and log and/or return a bogus value, or kill the VM.

        1. 1

          The Quake VM did something like this. You can find some info at http://fabiensanglard.net/quake3/qvm.php and http://www.suse.de/~lnussel/talks/fosdem_talk_2013_q3.pdf .

          Qemu’s CPU emulation would do something similar, although by default it passes syscalls through to the host OS. It doesn’t emulate a full system, and it can be used outside of the qemu system emulator to run user-space code on different architectures.