
Author Topic: Running code in the context of a VM by using KVM API from Freepascal

z0rr0

  • New Member
  • *
  • Posts: 48
Hello everyone,

for those who are interested in creating Virtual Machines by using the KVM API, I just committed a simple example at https://github.com/MatiasVara/kvmtest. This repository includes the unit "Kvm.pas" that allows a program to run a piece of assembly code, i.e., guest.s, in the context of a VM. The user program ("main.pas" in the repository) acts as a Virtual Machine Monitor (VMM) that traps VMEXIT.

Cheers,
Matias

MarkMLl

  • Hero Member
  • *****
  • Posts: 6692
That looks interesting, but could you expand a bit on what the objective is and what's actually being run? Also you appear to be building for Linux and (obviously) assuming the availability of KVM, but are there any other OS etc. requirements?

MarkMLl
MT+86 & Turbo Pascal v1 on CCP/M-86, multitasking with LAN & graphics in 128Kb.
Pet hate: people who boast about the size and sophistication of their computer.
GitHub repositories: https://github.com/MarkMLl?tab=repositories

z0rr0

  • New Member
  • *
  • Posts: 48
Hello MarkMLl,

> That looks interesting, but could you expand a bit on what the objective is and what's actually being run? Also you appear to be building for Linux and (obviously) assuming the availability of KVM, but are there any other OS etc. requirements?
>
> MarkMLl

This demo is based on the article https://lwn.net/Articles/658511/. The goal of this simple demo is to show the use of KVM to run a piece of assembly code in the context of a Virtual Machine. To do this, a user program first loads the binary and then interacts with KVM to create a VM that will execute that binary. The binary executes as a KVM guest in 64 bits but without any device. The user program acts as QEMU does, i.e., as a virtual machine monitor. Some operations that the guest does are trapped by the user program that hosts it. For example, this happens when the guest tries to access an ioport. I will add this information to the README.md to make it clear.

Matias     

z0rr0

  • New Member
  • *
  • Posts: 48
Re: Running code in the context of a VM by using KVM API from Freepascal
« Reply #3 on: October 04, 2021, 01:10:19 pm »
Hello everyone,

I just committed a project named ToroV which is the follow-up project of the previous post. This is a PoC but the idea is to run applications as VMs without any OS or kernel intermediary. To do this, I slightly modified the RTL for Linux. The user compiles their application with this RTL. The application is launched as a VM by using a sort of trampoline named vmm, which stands for virtual machine monitor. I hosted the project at https://github.com/torokernel/torov. The HelloWorld example is simply the user application using the write() syscall to print something on the host screen. The syscall is first caught by the vmm and then forwarded to the host. The vmm can be configured to allow or forbid some syscalls depending on the level of security required. Feel free to try it and let me know any comments.

Cheers,   

PS: I also worked a bit on the debugging features. You can watch a video here https://youtu.be/QC8pYtMOWe4.
« Last Edit: October 04, 2021, 01:12:45 pm by z0rr0 »

MarkMLl

  • Hero Member
  • *****
  • Posts: 6692
Re: Running code in the context of a VM by using KVM API from Freepascal
« Reply #4 on: October 04, 2021, 01:53:32 pm »
Well done, that really is interesting. I'm struggling to think of an immediate use for it, but if nothing else it is a resounding rebuttal of the "you can't write system software in (any dialect of) Pascal" fallacy.

MarkMLl

z0rr0

  • New Member
  • *
  • Posts: 48
Re: Running code in the context of a VM by using KVM API from Freepascal
« Reply #5 on: October 04, 2021, 02:12:12 pm »
> Well done, that really is interesting. I'm struggling to think of an immediate use for it, but if nothing else it is a resounding rebuttal of the "you can't write system software in (any dialect of) Pascal" fallacy.
>
> MarkMLl

Me too. The use-case is not clear to me yet. I know that libkrun is doing similar things, but the aim is not to expose the host; instead, there is a device model with emulated hardware, so the use-case, I think, is still to run a whole OS instead of an app. By using ToroV, you can configure how much attack surface your host exposes to the app.

 
