"What, How, and Why" on Interrupt Window (or NMI Window) Exiting in Virtualization Technology

More recently, one of my colleagues asked me why there is a feature called "Interrupt Window exiting" in virtualization technology, and how it can be used by VMM? This blog is going to briefly describe its "what, how and why" .

Monitor Trap Flag (MTF) Usage in EPT-based Guest Physical Memory Monitoring

Monitor Trap Flag (MTF) is a flag specifically designed for single-stepping in x86/Intel hardware virtualization VT-x technology. When MTF is set, the guest will trigger a VM Exit after executing each instruction (need to consider NMI or other interrupt delivery boundary). This paper presents an idea to use MTF for memory write allowing when monitoring modification to guest virtual-to-physical mapping (page table entries) tables. 

BitVisor - A Thin Hypervisor Built for Enforcing I/O Device Security - Storage (USB/DISK) Encryption or File Access Monitoring

This post is wrote to share an idea of the paper (BitVisor: A Thin Hypervisor for Enforcing I/O Device Security) that I read recently. It innovates a hypervisor-based solution for enforcing storage/disk encryption of ATA devices.

Why smaller code size with XEN on ARM?

This white paper (Xen ARM with Virtualization Extensions whitepaper) indicates that "Xen on ARM is 1/6 of the code size of x86_64 Xen, while still providing a similar level of features". what does this mean? Does this mean that Xen/ARM is better than Xen/x86? We cannot simply just make this conclusion, but anyway smaller code size means smaller TCB, which can reduce security risks (e.g. security vulnerabilities). 

Monitor/Trap Software Interrupt INT 80h (System Call) with x86/Intel Virtualization Technology

In an unix-like system, before syscall/sysret and/or sysenter/sysexit instructions were introduced by x86/Intel processors, software interrupt "INT 80h" was used as system call interface. Unlike my previous post, this one is going to talk about how to monitor this old type system call.