<?xml version="1.0" encoding="UTF-8"?>
<chapter version="5.1" xmlns="http://docbook.org/ns/docbook"
         xmlns:xlink="http://www.w3.org/1999/xlink"
         xmlns:xila="http://www.w3.org/2001/XInclude/local-attributes"
         xmlns:xi="http://www.w3.org/2001/XInclude"
         xmlns:trans="http://docbook.org/ns/transclusion"
         xmlns:svg="http://www.w3.org/2000/svg"
         xmlns:m="http://www.w3.org/1998/Math/MathML"
         xmlns:html="http://www.w3.org/1999/xhtml"
         xmlns:db="http://docbook.org/ns/docbook">
  <?xxe-sn 26yv439af40 1k?>

  <title><?xxe-sn 26yv439af40 1l?>Virtualization</title>

  <para><?xxe-sn 26yv439af40 1m?>The chapter expands on a usage of context
  based polymorphism, in other words, reasoning over CFG, as a ground to
  implement <emphasis><?xxe-sn 26yv439af40 1n?>application level
  virtualization</emphasis>.</para>

  <para><?xxe-sn 26yv439af40 1o?>One way to approach virtualization problem is
  to model it in terms of satisfying constraints imposed by environment over
  agents that operate within it, as presented below:</para>

  <itemizedlist>
    <?xxe-sn 26yv439af40 1p?>

    <listitem>
      <?xxe-sn 26yv439af40 1q?>

      <para><?xxe-sn 26yv439af40 1r?><emphasis><?xxe-sn 26yv439af40 1s?>sizo</emphasis>
      (distorted abbreviation of SEcurity ZOne) — logical entity introduced to
      represent environment and describe desired virtualization
      outcome.</para>
    </listitem>

    <listitem>
      <?xxe-sn 26yv439af40 1t?>

      <para><?xxe-sn 26yv439af40 1u?><emphasis><?xxe-sn 26yv439af40 1v?>zek</emphasis>
      (distorted abbreviation of SEcurity aGent) — represents behaviour of the
      code in terms of virtualized resources access.</para>
    </listitem>
  </itemizedlist>

  <para><?xxe-sn 26yv439af40 1w?>Basic idea is to automatically reason over
  information defined by sizos and zeks and produce <emphasis><?xxe-sn 26yv439af40 1x?>virtualization
  plan</emphasis> as a solution that dictates which parts of code should be
  virtualized and how exactly. Such reasoning enables two features:</para>

  <itemizedlist>
    <?xxe-sn 26yv439af40 1y?>

    <listitem>
      <?xxe-sn 26yv439af40 1z?>

      <para><?xxe-sn 26yv439af40 20?>Optimization. Allows choosing
      virtualization technique with a least performance penalty nevertheless
      satisfying necessary requirements.</para>
    </listitem>

    <listitem>
      <?xxe-sn 26yv439af40 21?>

      <para><?xxe-sn 26yv439af40 22?>Safety. Validates manually chosen
      virtualization plan to be safe and sound by checking that it indeed
      satisfies requirements.</para>
    </listitem>
  </itemizedlist>

  <para><?xxe-sn 26yv439af40 23?>In other words, context based reasoning
  provides improvements by virtualizing only necessary sections of code, only
  for necessary type of resources and by employing as lightweight as possible
  virtualization strategy just enough to comply with safety and security
  requirements expressed by annotations in the code.</para>

  <section>
    <?xxe-sn 26yv439af40 24?>

    <title><?xxe-sn 26yv439af40 25?>Background</title>

    <para><?xxe-sn 26yv439af40 26?><emphasis><?xxe-sn 26yv439af40 27?>Virtualization</emphasis>
    refers to an abstracting code from underlying <emphasis><?xxe-sn 26yv439af40 28?>resources</emphasis>
    used by it. Here term resource depicts any external entity such as
    devices, files, network connections, etc, for which it is desirable to
    regulate access.</para>

    <para><?xxe-sn 26yv439af40 29?>Virtualization is a vast area and broad
    term that includes number of techniques on different levels to achieve
    several important goals such as:</para>

    <itemizedlist>
      <?xxe-sn 26yv439af40 2a?>

      <listitem>
        <?xxe-sn 26yv439af40 2b?>

        <para><?xxe-sn 26yv439af40 2c?>Shared access — to allow several
        clients use the same resource while behaving as if each client is the
        sole resource user simplifying development and testing.</para>
      </listitem>

      <listitem>
        <?xxe-sn 26yv439af40 2d?>

        <para><?xxe-sn 26yv439af40 2e?>Isolation — cornerstone of safety and
        behaviour repeatability achieved by minimizing influence of isolated
        clients between each other and external environment.</para>
      </listitem>

      <listitem>
        <?xxe-sn 26yv439af40 2f?>

        <para><?xxe-sn 26yv439af40 2g?>Adaptation — to allow client
        application work within an unexpected environment it was not developed
        for, by emulating "native" familiar environment thus reducing
        adaptation and support costs.</para>
      </listitem>
    </itemizedlist>

    <para><?xxe-sn 26yv439af40 2h?>Due to importance of goals achievable with
    virtualization, it is unavoidable in a long run. That being said, basic
    virtualization techniques have performance penalties arising from indirect
    and regulated access to underlying resources.</para>

    <para><?xxe-sn 26yv439af40 2i?>Further discussion is concerned with what
    can be done to alleviate major virtualization inefficiencies by
    fine-grained control over what, when, and how should be
    virtualized.</para>
  </section>

  <section>
    <?xxe-sn 26yv439af40 2j?>

    <title><?xxe-sn 26yv439af40 2k?>Access Control</title>

    <para><?xxe-sn 26yv439af40 2l?>Whole program can be broken down into one
    or more virtualization zones, each having different appropriate type of
    virtualization strategy. Such approach allows to model <emphasis><?xxe-sn 26yv439af40 2m?>hybrid
    virtualization</emphasis>, i.e. different parts of program are virtualized
    differently depending on some conditions. To capture this concept, term
    <emphasis><?xxe-sn 26yv439af40 2n?>sizo</emphasis> is introduced and
    refers to a logical entity that holds information about particular zone
    necessary to find best suited virtualization strategy.</para>

    <important>
      <?xxe-sn 26yv439af40 2o?>

      <para><?xxe-sn 26yv439af40 2p?>Sizo is associated with <link
      xlink:href="/w/concepts/context"><?xxe-sn 26yv439af40 2q?>context</link>,
      i.e. each zone spans over one or more code blocks.</para>
    </important>

    <para><?xxe-sn 26yv439af40 2r?>There is a annotation <code><?xxe-sn 26yv439af40 2s?>assign_sizo</code>
    to specify sizo a code block is assigned to:</para>

    <synopsis><?xxe-sn 26yv439af40 2t?>SYNTAX:
**assign_sizo**(//sizo-ref//).</synopsis>

    <itemizedlist>
      <?xxe-sn 26yv439af40 2u?>

      <listitem>
        <?xxe-sn 26yv439af40 2v?>

        <para><?xxe-sn 26yv439af40 2w?><emphasis><?xxe-sn 26yv439af40 2x?>sizo-ref</emphasis>
        unique sizo's identifier</para>
      </listitem>
    </itemizedlist>

    <para><?xxe-sn 26yv439af40 2y?>Next thing is to specify which resources a
    particular sizo controls access to, as below:</para>

    <synopsis><?xxe-sn 26yv439af40 2z?>SYNTAX:
**assign_sizo_control**(//resource-type//).</synopsis>

    <para><?xxe-sn 26yv439af40 30?>It indicates that current sizo(sizo that
    spans over code block the annotation located within) regulates all access
    to a resources of a given type <emphasis><?xxe-sn 26yv439af40 31?>resource-type</emphasis>.
    Conversely, If for a particular environment there is no need to control,
    for example, file system access, no virtualization for file operations is
    applied.</para>

    <para><?xxe-sn 26yv439af40 32?>On the other hand, there is an annotation
    to mark function that accesses one or another resource:</para>

    <synopsis><?xxe-sn 26yv439af40 33?>SYNTAX:
**assign_zek_access**(//resource-type//).</synopsis>

    <para><?xxe-sn 26yv439af40 34?>Let's consider an example to demonstrate
    all above:</para>

    <programlisting xml:id="AccControl_1"><?xxe-sn 26yv439af40 35?>name="tests/virtualization.cpp: Virtualization.Doc_AccControl_1", lines=15
import raw ("scripts/cfa/context.lp").                     //enable context reasoning
import raw ("scripts/virtualization/virtualization.lp").   //enable virtualization reasoning

guard:: strategy(direct)
{
  openFile = function(filename::string):: int
  {
    printf("direct file access")
  }
}

guard:: strategy(common)
{
  openFile = function(filename::string):: int; 
                                          assign_zek_access(files)
  {
    printf("virtualized file access")
  }
}

main = function:: int; entry 
{
  context::                               assign_sizo(zoneA);
                                          assign_sizo_control(files).
  openFile("/some/file") 
}</programlisting>

    <para><?xxe-sn 26yv439af40 36?>Example outlines dummy function
    <code><?xxe-sn 26yv439af40 37?>openFile</code> to model file system
    access. The function has two specializations with guards <code><?xxe-sn 26yv439af40 38?>strategy(direct)</code>
    to model direct access, and <code><?xxe-sn 26yv439af40 39?>strategy(common)</code>
    to be invoked if virtualization is enabled. It also annotated with
    <code><?xxe-sn 26yv439af40 3a?>assign_zek_access(files)</code> to indicate
    that it accesses file system. On the other hand, context of function
    <code><?xxe-sn 26yv439af40 3b?>main</code> defines sizo <code><?xxe-sn 26yv439af40 3c?>zoneA</code>
    and enables control over file operations.</para>

    <para><?xxe-sn 26yv439af40 3d?>Reasoning works with provided information
    and decides whether it is necessary to enable virtualization. In this
    case, the answer is yes for <code><?xxe-sn 26yv439af40 3e?>zoneA</code>,
    because of the fact that sizo controls file operations and there is
    actually function within the sizo that requires files access.
    Consequently, example outputs:<screen xml:id="Output_AccControl_1"><?xxe-sn 26yv439af40 3f?>virtualized file access</screen>confirming
    that specifically virtualized specialization of <code><?xxe-sn 26yv439af40 3g?>openFile</code>
    was invoked.</para>
  </section>

  <section>
    <?xxe-sn 26yv439af40 3h?>

    <title><?xxe-sn 26yv439af40 3i?>Isolation</title>

    <para><?xxe-sn 26yv439af40 3j?>As shown in the previous section, it is
    possible to enable(or disable) virtualization on per resource basis.
    However such functionality is limited in a sense that if several sizos
    allow access to the same resource they can interfere with each other.
    Thus, next step to consider is <emphasis><?xxe-sn 26yv439af40 3k?>isolation</emphasis>,
    i.e. zeks in different sizos should not have ability to access the same
    resource, but rather work with their own set of resources associated with
    particular sizo. As previously, following examples are focused on file
    operations as most ubiquitous type of resources.</para>

    <para><?xxe-sn 26yv439af40 3l?>One way to isolate file access is to
    associate unique file prefix with each sizo. If virtualization enabled,
    all filenames in the sizo are silently transformed on the fly by adding
    assigned prefix. This way, all the file operations from one sizo are
    confined within specific directory allocated solely for that particular
    sizo or simply have unique prefix if the same directory contains files
    belonging to a different sizos.</para>

    <programlisting xml:id="Isolation_1"><?xxe-sn 26yv439af40 3m?>name="tests/virtualization.cpp: Doc_Isolation_1", lines=15
main = function:: int; entry 
{
  seq
    { 
      context::             assign_sizo(domainA);
                            assign_sizo_control(files).
      openFile("test") 
    }
    {
      context::             assign_sizo(domainA).
      
      openFile("test")
    }
    { 
      context::             assign_sizo(domainB);
                            assign_sizo_control(files).
      openFile("test") 
    }
}</programlisting>

    <para><?xxe-sn 26yv439af40 3n?>In this example file <code><?xxe-sn 26yv439af40 3o?>test</code>
    is accessed from different sizos <code><?xxe-sn 26yv439af40 3p?>domainA</code>
    and <code><?xxe-sn 26yv439af40 3q?>domanB</code>. As there are several
    "competing" sizos are declared, they are isolated and <code><?xxe-sn 26yv439af40 3r?>openFile</code>
    resolves <code><?xxe-sn 26yv439af40 3s?>test</code> to a different
    filename depending on from which sizo it is called. One possible way to
    implement discussed strategy shown below:</para>

    <programlisting xml:id="Isolation_2"><?xxe-sn 26yv439af40 3t?>name="tests/virtualization.cpp: Doc_Isolation_1", lines=15
import raw ("scripts/cfa/context.lp").                              //enable context reasoning
import raw ("scripts/virtualization/virtualization.lp").            //enable virtualization reasoning
import raw ("scripts/virtualization/test-Isolation_1.assembly.lp"). //additional configuration

DictSizo = type slave dict_sizo.
Sizo = type slave virt_sizo.

guard:: strategy(direct)
{
  resolveFilename = function(filename:: string):: string; 
                                                  assign_zek_access(files)
  { 
    filename 
  }
}

guard:: strategy(prefix) 
{
  resolveFilename = function(filename:: string):: string; 
                                                  assign_zek_access(files)
  {
    dictSizo = intrinsic query("dict_sizo")::[DictSizo].
    sizoId = intrinsic query late("sizo_current"-&gt;sizoCurrent:: Sizo):: int; 
                                                                        demand(sizo)
    {
      loop fold(dictSizo-&gt;entry::DictSizo, 0-&gt;id):: int 
      {
        if(entry[0] == sizoCurrent):: int { entry[1] } else { id }
      }
    }.
    
    buf = "00"::string.
    seq
      { sprintf(buf, "%d/%s", sizoId, filename) }
      { buf }
  }
}

openFile = function(filename:: string):: int
{
  filenameReal = resolveFilename(filename):: string.
  printf("File opened: '%s'%c", filenameReal, 10)
}</programlisting>

    <para><?xxe-sn 26yv439af40 3u?>Example outputs:</para>

    <screen xml:id="Output_Isolation_1"><?xxe-sn 26yv439af40 3v?>File opened: '0/test'
File opened: '0/test'
File opened: '1/test'
</screen>

    <para><?xxe-sn 26yv439af40 3w?>In this example function <code><?xxe-sn 26yv439af40 3x?>openFile</code>
    calls <code><?xxe-sn 26yv439af40 3y?>resolveFilename</code> to find out
    real filename. It can be said, that <code><?xxe-sn 26yv439af40 3z?>resolveFilername</code>
    serves as <emphasis><?xxe-sn 26yv439af40 40?>hypervisor</emphasis>
    dereferencing file pseudonym into real filename. In order to do that,
    <code><?xxe-sn 26yv439af40 41?>resolveFilername</code> consists of two
    specializations: specialization <code><?xxe-sn 26yv439af40 42?>strategy(direct)</code>
    serves non virtualized environmentб leaving filename without any
    processing, and the other specialization <code><?xxe-sn 26yv439af40 43?>strategy(prefix)</code>
    implements resolving strategy by adding sizo-associated prefix to each
    file. More specifically, unique index is assigned to each sizo and
    <code><?xxe-sn 26yv439af40 44?>resolveFilename</code> uses the index as
    file name prefix.</para>

    <para><?xxe-sn 26yv439af40 45?>Resolution function <code><?xxe-sn 26yv439af40 46?>resolveFilename</code>
    has only one parameter <code><?xxe-sn 26yv439af40 47?>filename</code>,
    deriving required prefix from <emphasis><?xxe-sn 26yv439af40 48?>late
    context</emphasis> associated with particular sizo.</para>

    <important>
      <?xxe-sn 26yv439af40 49?>

      <para><?xxe-sn 26yv439af40 4a?>Client code has no way to influence
      resolving process and force to use unapproved prefix, thus accessing and
      interfering with files that belong to other sizos.</para>
    </important>
  </section>

  <section>
    <?xxe-sn 26yv439af40 4b?>

    <title><?xxe-sn 26yv439af40 4c?>Isolation Categories</title>

    <para><?xxe-sn 26yv439af40 4d?>Every optimization technique applicable
    only if some specific preconditions are met. Indeed, only general approach
    can handle general task. However, for practical instances there are always
    some improvements possible by tailoring to the particular use case
    specifics and subtle details. In other words, the more information
    available the more space for improvements is there. And first step on this
    road is the very ability to express and reason about such additional
    information.</para>

    <para><?xxe-sn 26yv439af40 4e?>As a demonstration, in order to improve
    reasoning to find out optimal virtualization strategy for particular use
    case, different <emphasis><?xxe-sn 26yv439af40 4f?>sizo
    categories</emphasis> can be introduced, as below:</para>

    <itemizedlist>
      <?xxe-sn 26yv439af40 4g?>

      <listitem>
        <?xxe-sn 26yv439af40 4h?>

        <para><?xxe-sn 26yv439af40 4i?><emphasis><?xxe-sn 26yv439af40 4j?>Inward
        Isolation</emphasis>. The category describes sizo that prohibits
        access from other sizos to its internal resources, but able to access
        external resources freely. For example, monitoring and supervision
        software may have been assigned this type of isolation — freely
        accesses subordinate zones but can't be influenced from the
        outside.</para>
      </listitem>

      <listitem>
        <?xxe-sn 26yv439af40 4k?>

        <para><?xxe-sn 26yv439af40 4l?><emphasis><?xxe-sn 26yv439af40 4m?>Outward
        isolation</emphasis>. The exact opposite of inward isolation. Allows
        access from external sizos but is only allowed to use its own internal
        resources, so no influence to the outside world is possible.
        Appropriate for various sandboxes and testing environments to run
        possibly insecure code.</para>
      </listitem>
    </itemizedlist>

    <para><?xxe-sn 26yv439af40 4n?>For file operations inward isolation may be
    implemented as virtualization strategy that requires from
    <emphasis><?xxe-sn 26yv439af40 4o?>other</emphasis> sizos compulsory usage
    of file prefixes so no other sizo can access internal data of inwardly
    isolated sizo. Conversely, outward isolation is compatible with strategy
    that assigns prefix for this very sizo, so it can in no way access any
    external data, being at the same time exposed to the outside world for any
    sizo that have permission to know unique assigned prefix able to access
    internal data of sizo in question. To put it simply, strategy for these
    types can be described with following points:</para>

    <itemizedlist>
      <?xxe-sn 26yv439af40 4p?>

      <listitem>
        <?xxe-sn 26yv439af40 4q?>

        <para><?xxe-sn 26yv439af40 4r?>Inward isolation — requires prefixes
        for other sizos.</para>
      </listitem>

      <listitem>
        <?xxe-sn 26yv439af40 4s?>

        <para><?xxe-sn 26yv439af40 4t?>Outward isolation — requires prefix for
        itself.</para>
      </listitem>
    </itemizedlist>

    <para><?xxe-sn 26yv439af40 4u?>There is an annotation introduced to
    declare category for the current sizo:</para>

    <synopsis><?xxe-sn 26yv439af40 4v?>SYNTAX:
**assign_sizo_category(inward)**.
**assign_sizo_category(outward)**.</synopsis>

    <para><?xxe-sn 26yv439af40 4w?>Consider the example below:</para>

    <programlisting xml:id="IsolationCat_1"><?xxe-sn 26yv439af40 4x?>name="tests/virtualization.cpp: Doc_IsolationCat_1", lines=15
test = function::         int; entry 
{
  seq
    { 
      context::           assign_sizo(zoneA);
                          assign_sizo_control(files);
                          assign_sizo_category(inward). 
      openFile("test1") 
    }
    { 
      context::           assign_sizo(zoneB);
                          assign_sizo_control(files);
                          assign_sizo_category(outward).
      openFile("test1") 
    }
}
</programlisting>

    <para><?xxe-sn 26yv439af40 4y?>There are two sizos declared in the code
    above. Using reasoning apparatus developed in previous sections, both
    sizos activate virtualization, for both of them control file resources and
    both contain <code><?xxe-sn 26yv439af40 4z?>openFile</code> that actually
    requires file access. However, this time additional bits of information
    are available, namely <code><?xxe-sn 26yv439af40 50?>zoneA</code> and
    <code><?xxe-sn 26yv439af40 51?>zoneB</code> declared as inward and
    outward, respectively. By strategy outlines above, <code><?xxe-sn 26yv439af40 52?>zoneA</code>
    enables prefix based isolation strategy for <code><?xxe-sn 26yv439af40 53?>zoneB</code>,
    and <code><?xxe-sn 26yv439af40 54?>zoneB</code> enables isolation for
    itself as well. As a result, it's enough to virtualize only one
    zone(<code><?xxe-sn 26yv439af40 55?>zoneB</code>) leaving <code><?xxe-sn 26yv439af40 56?>zoneA</code>
    to enjoy direct access to file resources. Example output's is shown below,
    confirming that direct file access is granted for <code><?xxe-sn 26yv439af40 57?>zoneA</code>:</para>

    <screen xml:id="Output_IsolationCat_1"><?xxe-sn 26yv439af40 58?>File opened: 'test1'
File opened: '1/test1'
</screen>
  </section>
</chapter>
<?xxe-revisions
#1 2018-12-18T13:45:06Z pgess
?>