The A3 project applies virtualization, record-and-replay, introspection, repair, and other techniques to develop a customizable container for “advanced adaptive applications.” The A3 container provides its protected application with both innate and adaptive defenses against security threats.
Stackdb — a VMI-enabled debugging library for multi-level systems
Virtual machine introspection (VMI) allows users to debug software that executes within a virtual machine. To support rich, whole-system analyses, a VMI tool must inspect and control systems at multiple levels of the software stack. Traditional debuggers enable inspection and control, but they limit users to treating a whole system as just one kind of target: e.g., just a kernel, or just a process, but not both.
We created Stackdb, a debugging library with VMI support that allows one to monitor and control a whole system through multiple, coordinated targets. A target corresponds to a particular level of the system's software stack; multiple targets allow a user to observe a VM guest at several levels of abstraction simultaneously.
For example, with Stackdb, one can observe a PHP script running in a Linux process in a Xen VM via three coordinated targets at the language, process, and kernel levels. Within Stackdb, higher-level targets are components that utilize lower-level targets; a key contribution of Stackdb is its API that supports multi-level and flexible “stacks” of targets.
Weir — a streaming language for systems analysis
For modern software systems, performance analysis can be a challenging task. The software stack can be a complex, multi-layer, multi-component, concurrent, and parallel environment with multiple contexts of execution and multiple sources of performance data. Although much performance data is available, because modern systems incorporate many mature data-collection mechanisms, analysis algorithms suffer from the lack of a unifying programming environment for processing the collected performance data, potentially from multiple sources, in a convenient and script-like manner.
Weir is based on the insight that performance-analysis algorithms can be naturally expressed as stream-processing pipelines. In Weir, an analysis algorithm is implemented as a graph composed of stages, where each stage operates on a stream of events that represent collected performance measurements. Weir is an imperative streaming language with a syntax designed for the convenient construction of stream pipelines that utilize composable and reusable analysis stages. To demonstrate practical application, this paper presents the authors' experience in using Weir to analyze performance in systems based on the Xen virtualization platform.
XenTT — a “time-traveling” hypervisor
Replay infrastructure: The XenTT replay infrastructure consists of four main logging components and a high-bandwidth communication channel across them.
Event interposition: The event interposition layer implements logging and replay of the low-level virtual machine interface exported by the Xen hypervisor. We design interposition primitives with the goal of introducing minimal overhead on the critical execution path of the system.
A lightweight logging operation requires reading the hardware state of the system and putting a logging record in a lock-free, shared-memory buffer for asynchronous processing by the user-level logging daemon.
Logging and replay daemons: User-level logging and replay daemons process the log of recorded events, committing it to stable storage.
Device daemon: To log and replay the communication of virtual devices, we rely on the fact that all Xen devices use a uniform shared-memory interface for connecting guest and host device drivers. The device daemon implements a general abstraction for interposing on communication of the shared-memory producer-consumer buffers.
Replay coordination: Finally, replay coordination mechanisms ensure controlled execution of the guest system between a pair of nondeterministic events. These mechanisms include branch counting logic, single-step execution, replay of synchronous and asynchronous events, and CPU branch tracing.
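The logging path described under event interposition (a record placed in a lock-free buffer and drained asynchronously by the logging daemon) can be illustrated with a single-producer, single-consumer ring. This is an added example, not XenTT code: the record fields, `RING_SLOTS`, and the `ring_put`/`ring_get` names are assumptions, and the ring is an ordinary in-process struct rather than memory shared between a hypervisor and a daemon.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>

/* Hypothetical record layout; the page does not define XenTT's log format. */
struct log_rec {
    uint32_t type;      /* kind of nondeterministic event */
    uint64_t branches;  /* branch count when the event was observed */
    uint64_t payload;   /* event data, e.g. a value read from hardware */
};

#define RING_SLOTS 8u   /* power of two so indices wrap with a mask */

struct log_ring {
    _Atomic uint32_t head;     /* next slot to write; advanced by producer only */
    _Atomic uint32_t tail;     /* next slot to read; advanced by consumer only */
    _Atomic uint64_t dropped;  /* records lost because the ring was full */
    struct log_rec slot[RING_SLOTS];
};

/* Producer side (the recording path): never blocks and never takes a lock. */
static bool ring_put(struct log_ring *r, const struct log_rec *rec)
{
    uint32_t head = atomic_load_explicit(&r->head, memory_order_relaxed);
    uint32_t tail = atomic_load_explicit(&r->tail, memory_order_acquire);
    if (head - tail == RING_SLOTS) {   /* full: count the loss, do not wait */
        atomic_fetch_add_explicit(&r->dropped, 1, memory_order_relaxed);
        return false;
    }
    r->slot[head & (RING_SLOTS - 1)] = *rec;
    /* Release: the record contents become visible before the new head. */
    atomic_store_explicit(&r->head, head + 1, memory_order_release);
    return true;
}

/* Consumer side (the logging daemon): drains records asynchronously. */
static bool ring_get(struct log_ring *r, struct log_rec *out)
{
    uint32_t tail = atomic_load_explicit(&r->tail, memory_order_relaxed);
    uint32_t head = atomic_load_explicit(&r->head, memory_order_acquire);
    if (head == tail)
        return false;                  /* empty */
    *out = r->slot[tail & (RING_SLOTS - 1)];
    /* Release: the slot may be reused only after it has been copied out. */
    atomic_store_explicit(&r->tail, tail + 1, memory_order_release);
    return true;
}
```

In a record-and-replay system a dropped record leaves a gap in the log, so the `dropped` counter is something to alarm on rather than ignore.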