MMU Virtualization via Intel EPT – Index

Overview

After receiving an abundance of requests to complete the EPT series, I’ve switched gears to write this 5-part series on MMU virtualization using Intel EPT. This series is written so that it can be used in your own hypervisor project or in conjunction with the CPU virtualization series published a few months prior. I will be referencing things within the previous project since the majority of readers will be following along; however, the implementation will be relatively similar across all type-2 hypervisor projects. This is only meant for those running on Intel processors with the virtualization technology features available. The goal of this series is to allow the reader to learn the technical details of paging, extended page tables, the various translation mechanisms, and how to leverage those in their virtualization projects.

At the end of the series the reader will have a working EPT base, and should be able to design and implement their own EPT infrastructure in their future projects. The concepts for each article, their importance, and references to more detailed information will be linked throughout, just like in any of my other blog posts, followed by a recommended reading section at the end should your thirst for details and knowledge not be satisfied. There will also be required reading to fully understand certain mechanisms used in VMX address translation.

Note: This series is not meant for those interested in writing a hypervisor for AMD processors; however, it may offer good technical information to help when the AMD series is published. This hypervisor will be written for Intel x86-64 (64-bit) using C.

  • Part 1 – Technical Details
    • This part will introduce readers to the various sub-topics surrounding extended page tables. It will cover the motivation for Intel EPT, mechanisms to aid address translation, performance concerns, and an introduction to various caching components that are referenced often when learning about paging and paging structures.
  • Part 2 – Structure Definitions and Initialization
    • In this article the reader will get pre-fabricated structures and all the details regarding their purpose. These structures will be used in the main EPT implementation in this series. This article will also detail the initialization and passthrough procedures needed for EPT to function properly under VMX. At the end of this article the reader will have EPT ready to run in their hypervisor.
  • Part 3 – EPT Violations and Virtualization Exceptions
    • The third part describes the various EPT-induced VM-exits and how to handle them. The reader will write handlers and learn about the different types of misconfigurations, violations, and exceptions associated with Intel EPT.
  • Part 4 – Implementation and Testing
    • This article will start with implementing the EPT initialization functions into the existing project from the CPU virtualization series, followed by a test run to ensure EPT is running properly and by purposely generating violations to ensure we’re hitting the proper handlers.
  • Part 5 – EPTP Switching and Page Hooks
    • As a bonus I’ve added this part since a good portion of readers are interested in security research. EPTP switching and page hooks can be used to hide information, hook otherwise protected functions, or protect information from being queried by an unwanted party. One example in this part will show a hook on a Windows kernel function that spoofs the code integrity information when queried. The other example will prevent an application from getting any useful information when attempting to view the contents of a protected application’s address space.

As an aside, before reading any post in this series: if you intend to be proficient and knowledgeable on the subject of virtualization and the microarchitecture in general, it is strongly recommended that you read the recommended reading, all of it, and that you take notes and put the knowledge into practice. This will be repeated every post, and pushed in your face, because details matter. Other supplemental reading in each article will be based on the content of that day; you may find some tweets, blogs, or gists from other hypervisor authors. All will be credited when used!

I’d also like to thank Aidan Khoury for his helpful insights while working on various projects. A lot of neat tricks have been passed down to me from him that I look forward to sharing with the readers.

Thank you again for your interest and I hope you learn something new and valuable in this series.


I hope you enjoy the series! Leave me feedback, questions, comments, or recommendations in the comment section or contact me on Twitter.
