Popek and Goldberg virtualization requirements
The Popek and Goldberg virtualization requirements are a set of formal criteria established in 1974 to determine whether a third-generation computer architecture can efficiently support virtualization, enabling the creation of virtual machines that closely emulate the underlying hardware with minimal performance overhead.[1] These requirements, developed by Gerald J. Popek and Robert P. Goldberg, focus on the behavior of processor instructions under a virtual machine monitor (VMM), which is software that generates an isolated, resource-controlled duplicate of the real machine while ensuring identical functionality and only minor speed degradation.[2] In their seminal paper, Popek and Goldberg model a typical third-generation architecture featuring supervisor and user modes, a relocation-bounds register for memory protection, and trap mechanisms for handling invalid operations.[1] They classify instructions into three categories to analyze virtualization feasibility: The core of their framework is encapsulated in two key theorems. Theorem 1 states that a VMM for a given architecture is possible if and only if every sensitive instruction is privileged, ensuring that the VMM can trap and emulate all operations affecting control or resources without compromising isolation or efficiency.[1] Theorem 2 extends this to recursive virtualization, positing that such a capability exists if the architecture is virtualizable and admits a timing-independent VMM, allowing virtual machines to themselves host VMMs.[1] These requirements have profoundly influenced the design of virtualizable systems, highlighting why architectures like the IBM System/370 satisfy them while others, such as the VAX, require additional techniques like binary translation for practical virtualization.[1]Background and Definitions
Historical Context
Virtualization concepts originated in the 1960s with IBM's development of the CP-40 system, a research project launched in 1964 to enable time-sharing on the IBM System/360 mainframe.[3] This initiative addressed the growing demand for efficient resource utilization in computing environments by allowing multiple users to interact with the system as if each had dedicated access.[4] CP-40 laid the groundwork for virtual machines, simulating independent computing environments on shared hardware.[3] Building on CP-40, IBM released CP-67 in May 1966 for the System/360 Model 67, which incorporated virtual memory and matured the concept of virtual machines into a practical system for time-sharing.[4] CP-67 enabled the secure execution of multiple operating system instances on a single physical machine, isolating workloads to prevent failures in one from impacting others and supporting diverse applications like OS/360 testing.[4] This approach highlighted the essential role of a Virtual Machine Monitor (VMM) as a software layer overseeing resource allocation and enforcement of isolation.[4] The success of systems like CP-67 contrasted with challenges in other third-generation architectures, such as the DEC PDP-10, where empirical attempts revealed that software-based virtualization incurred substantial performance penalties due to the need for extensive emulation and intervention.[2] These inefficiencies motivated a shift toward hardware-assisted mechanisms to minimize overhead while maintaining security and isolation for multiple OS instances.[2] In response, Gerald J. Popek and Robert P. Goldberg published their seminal paper, "Formal Requirements for Virtualizable Third Generation Architectures," in the July 1974 issue of Communications of the ACM (Volume 17, Issue 7, pages 412–421).[2] The work aimed to provide precise criteria for evaluating whether a computer's architecture could support efficient virtual machine systems without relying on cumbersome software techniques.[2]Virtual Machine Monitor Definition
A Virtual Machine Monitor (VMM), also known as a hypervisor, is a software layer that creates and manages virtual machines (VMs) by providing an efficient, isolated duplicate of the real computer system.[2] This setup allows multiple guest operating systems to run concurrently on the underlying hardware, each perceiving a complete and independent machine environment.[2] The concept emerged from early developments in the 1960s, where systems like the IBM CP-40 demonstrated the feasibility of such monitors for multiprogramming.[2] The VMM exhibits three essential properties as defined in the foundational framework: equivalence, resource control, and efficiency. Equivalence ensures that any program executed within a VM produces effects identical to those on the bare hardware, barring differences in timing or resource availability.[2] Resource control grants the VMM sole authority over hardware allocation, preventing any guest from accessing unassigned resources and enabling secure partitioning among VMs.[2] Efficiency requires that a substantial portion of the VM's instructions—those not requiring intervention—execute directly on the physical processor without VMM overhead, minimizing performance degradation.[2] VMMs are classified into Type 1 (bare-metal) and Type 2 (hosted) variants. Type 1 VMMs run directly on the host hardware, exerting full control without an intermediary operating system, which aligns with the Popek and Goldberg emphasis on architectures supporting efficient, direct hardware virtualization.[2] In contrast, Type 2 VMMs operate atop a host OS, introducing additional layers that may compromise isolation and performance. By trapping and emulating sensitive operations, the VMM enforces isolation, protecting guest operating systems from interfering with one another or the underlying hardware, thereby maintaining system integrity and security.[2]Core Theoretical Framework
Virtualization Theorems
The Popek and Goldberg virtualization requirements are encapsulated in two fundamental theorems that establish the conditions under which an instruction set architecture (ISA) can support efficient virtual machine implementation via a virtual machine monitor (VMM). These theorems, introduced in their seminal 1974 paper, focus on the behavior of instructions in user mode versus supervisor mode, ensuring that the VMM can maintain control and resource isolation without excessive overhead. Central to both theorems are the concepts of sensitive instructions and privileged instructions. Sensitive instructions are those whose execution could affect the integrity of the VMM or the allocation of processor resources to virtual machines, such as operations that modify control registers or access protected memory. Privileged instructions, in contrast, are those that either change the processor's execution mode (e.g., from user to supervisor) or access resources restricted to supervisor mode, typically resulting in a trap if attempted in user mode.[2] The first theorem, often associated with trap-based virtualization, asserts that a conventional product VMM—capable of hosting multiple virtual machines with near-native performance—can be constructed for an ISA if the set of sensitive instructions for that computer is a subset of the set of privileged instructions. Formally, it states: For any conventional third generation computer, a virtual machine monitor may be constructed if the set of sensitive instructions for that computer is a subset of the set of privileged instructions. This condition ensures that any attempt by a guest operating system to execute a sensitive operation automatically transfers control to the VMM, allowing it to intervene, validate the request, and emulate or execute the instruction as needed without compromising security or efficiency. If this holds, the VMM achieves the properties of equivalence (virtual machines behave indistinguishably from physical machines) and efficiency (non-sensitive instructions execute directly without VMM involvement).[2] The second theorem addresses recursive virtualization. It states that a conventional third generation computer is recursively virtualizable if it is virtualizable and a virtual machine monitor without any timing dependencies may be constructed for that computer. This allows a virtual machine to host its own VMM, enabling nested virtualization layers.[2] This framework has profoundly influenced the design of virtualizable architectures, guiding evaluations of systems from mainframes to modern processors.[2]Instruction Classification
In the Popek and Goldberg model, instructions are classified into three categories—privileged, sensitive, and innocuous—based on their behavior relative to the processor's mode (user or supervisor) and their potential impact on system resources or state. This classification forms the foundation for determining whether an architecture supports efficient virtualization by ensuring that the virtual machine monitor (VMM) can maintain control and isolation. Privileged instructions are those that cause a trap when executed in user mode but do not trap in supervisor mode and do not induce memory traps; they typically involve operations that directly affect the processor's control state, such as mode switches. Sensitive instructions, which may or may not be privileged, are further subdivided into control-sensitive (those that modify the processor mode or resource allocation) and behavior-sensitive (those whose execution or outcome depends on the current mode or relocation registers, potentially leading to inconsistencies in a virtualized environment). Innocuous instructions, by contrast, exhibit identical behavior regardless of mode and have no side effects that could compromise the VMM or leak host state; examples include basic arithmetic operations that operate solely on registers without accessing memory or I/O.[2] The process of classification involves systematically analyzing each instruction in the instruction set for its effects as a function of the machine's state, particularly focusing on whether it references or alters virtualized resources like memory relocation or I/O ports. Formal criteria are applied to assess trapping behavior: for instance, an instruction is evaluated to determine if its acceptance or result varies with supervisor privileges or if it could allow a guest to infer host configuration. This analysis ensures that only innocuous instructions execute directly on the host hardware without VMM intervention, while others are flagged for potential handling. Such categorization is derived directly from the abstract model of third-generation architectures, emphasizing behaviors that could undermine guest equivalence or host security.[2] In VMM design, this classification plays a pivotal role by dictating which instructions require trapping to the VMM for emulation or simulation to preserve the illusion of a standard machine for the guest. Privileged and sensitive instructions must be intercepted to prevent unauthorized access to host resources, thereby upholding the efficiency and correctness of the virtualization layer. For example, a sensitive instruction involving generic I/O might need VMM mediation to virtualize device access without exposing host peripherals. This approach operationalizes the model's theorems, particularly by requiring that the set of sensitive instructions be a subset of privileged ones to enable a trap-based VMM without excessive emulation overhead.[2]Implementation Approaches
Trap-Based Virtualization
Trap-based virtualization, as defined in the Popek and Goldberg framework, relies on hardware mechanisms to ensure that sensitive instructions executed by a guest virtual machine (VM) are intercepted and mediated by the virtual machine monitor (VMM). In this approach, when a guest operating system or application attempts to execute a sensitive instruction while running in user mode, the processor's protection mechanisms trigger an exception or trap, transferring control to the VMM operating in supervisor mode. The VMM then inspects the instruction, determines its intent, emulates its effects if necessary to maintain isolation and security, and resumes execution of the guest VM. This process ensures transparent virtualization without the guest being aware of the underlying mediation.[2] The flow of operations in trap-based virtualization follows a structured sequence: the guest VM issues a sensitive instruction, which causes an immediate trap due to its privileged nature; control is handed to the VMM's dispatcher routine; the VMM validates the instruction's legitimacy, simulates any required state changes (such as resource allocation or mode transitions) within the guest's virtualized environment, and finally returns control to the guest at the point following the trapped instruction. This interception mechanism is contingent on the architecture satisfying the conditions of Theorem 1 from Popek and Goldberg, which stipulates that every sensitive instruction must be privileged. Sensitive instructions are those that either alter the processor mode or affect resource allocation in a way that could compromise the VMM's control—such as control-sensitive instructions that modify addressing or interrupt handling, or behavior-sensitive instructions whose outcomes depend on privileged state. By requiring all such instructions to trap when executed in user mode, the theorem guarantees that the VMM retains authority over critical operations, preventing direct hardware access by the guest. For architectures where the set of sensitive instructions is a subset of the privileged instructions, trap-based virtualization is feasible. The framework ensures efficiency, as all innocuous instructions—those neither sensitive nor privileged—execute directly on the underlying hardware without any VMM intervention or trapping.[2] Trap-based virtualization offers significant advantages in efficiency and performance for architectures satisfying Theorem 1. The majority of non-sensitive instructions execute natively on the hardware without VMM intervention, minimizing overhead and allowing VMs to operate at near-native speeds for routine computations. This approach provides a secure, identical virtual environment to multiple guest VMs, enabling effective resource sharing while the VMM maintains isolation through selective trapping. Overall, it supports efficient multiplexing of the physical machine among competing VMs with minimal distortion to the guest's perceived system behavior.[2]Emulation-Based Virtualization
Emulation-based virtualization addresses instruction set architectures (ISAs) that violate Theorem 1 in the Popek and Goldberg framework, where sensitive instructions are not a subset of privileged instructions and thus fail to trap automatically to the virtual machine monitor (VMM). In such cases, the original framework proposes a hybrid virtual machine monitor (HVM), which interprets all instructions executed in virtual supervisor mode to simulate sensitive operations, provided that user-sensitive instructions are privileged (as per their Theorem 3). This enables the VMM to maintain control and resource isolation despite architectural limitations.[2] Later techniques extend this approach for full virtualization on non-virtualizable architectures, involving the VMM intercepting sensitive but unprivileged instructions through methods such as binary translation or dynamic code rewriting. Binary translation scans and modifies guest code blocks, replacing problematic instructions with equivalent sequences that either trap to the VMM for emulation or directly achieve the desired effect in the virtual environment. Dynamic rewriting similarly alters the instruction stream on-the-fly to simulate outcomes like mode changes or resource accesses without altering the guest's perceived behavior. These methods ensure that the VMM can emulate the instruction's impact while preserving the illusion of direct hardware execution for the guest operating system.[5] A key challenge in this approach is the elevated overhead from software-based emulation, as each intercepted instruction requires VMM processing, potentially slowing execution compared to native hardware operation. Additionally, the VMM must meticulously track and update the guest's internal state—such as simulated privilege modes or registers—to avoid inconsistencies that could compromise security or correctness. Accurate state maintenance is critical, as errors in emulation could expose host resources or disrupt guest functionality.[6] The Popek and Goldberg framework supports efficiency in such systems by allowing all innocuous instructions—those neither sensitive nor privileged—to execute directly on the underlying hardware without any VMM intervention or trapping. This condition ensures that only a minority of instructions necessitate emulation, allowing the statistically dominant portion of the guest's workload to run at near-native speeds and reducing the overall performance penalty.[2] Practical techniques often combine partial emulation, targeting only violative sensitive instructions for software simulation while leveraging traps for privileged ones, with specialized handling for common operations. For instance, shadow page tables provide an emulation strategy for memory management: the VMM maintains a duplicate set of page tables that map guest virtual addresses directly to host physical addresses, intercepting and translating guest page table updates to keep the shadow structure synchronized without full hardware virtualization support. This hybrid use of emulation and trapping optimizes resource handling in imperfect ISAs.[6]Architectural Analysis
Early Mainframe Architectures
Early mainframe architectures from the late 1960s and early 1970s, such as the DEC PDP-10 and IBM System/370, played a pivotal role in testing and validating the Popek and Goldberg virtualization theorems by demonstrating both successes and limitations in supporting virtual machine monitors (VMMs). The PDP-10, a 36-bit word-addressable system, exemplifies an architecture that fails the primary virtualization theorem, which requires all sensitive instructions to be privileged. Sensitive instructions are those that can alter system control or resource allocation, such as control-sensitive operations affecting processor mode or behavior-sensitive ones impacting memory protection. In the PDP-10, instructions like JRST 1—used to jump and restore to user mode—are control-sensitive because they can change the processor state without trapping, yet they execute in user mode without privilege checks, allowing a guest OS to bypass the VMM. However, all user-sensitive instructions on the PDP-10 are privileged, enabling a hybrid VMM (HVMM) where the monitor runs in user mode and emulates executive-mode instructions, including the problematic sensitive ones, to achieve near-equivalence in behavior. Memory protection operations, such as SETM (set memory bounds) and SETPB (set page bounds), are classified as privileged, trapping appropriately to the VMM for resource control in hybrid setups.[7][8] In contrast, the IBM System/370 architecture satisfies the Popek and Goldberg requirements for full Type I virtualization, as all sensitive instructions are privileged, ensuring that attempts to execute them in user mode trap to the VMM without emulation overhead for the majority of the instruction set. This design allows trap-based VMMs like VM/370 to run unmodified guest operating systems with high efficiency, maintaining the three essential VMM properties: equivalence (guest behavior matches native execution), resource control (VMM manages all physical resources), and efficiency (most instructions execute directly on hardware). For instance, channel-based I/O instructions, such as SIO (Start I/O) for initiating data transfer via control units, are sensitive due to their impact on peripheral resource allocation but are privileged, trapping to the VMM for interception and emulation as needed to prevent guest interference. While the original theorems abstract away detailed I/O modeling, the System/370's handling of such instructions aligns with the resource control lemma, requiring the VMM to mediate access to devices like tape drives or printers. Later enhancements like PR/SM (Processor Resource/System Manager) built on this foundation, providing hardware-assisted logical partitioning for multiple isolated environments, further leveraging the virtualizable ISA.[7][9] These early mainframes demonstrated the practical viability of virtualization concepts well before the rise of microprocessor-based systems like x86 in the late 1970s. The System/370's adherence to the theorems enabled pioneering VMM implementations, such as CP-67 on the predecessor System/360 Model 67 and its evolution into VM/370, which supported concurrent execution of multiple OS instances for time-sharing and testing, influencing subsequent designs. The PDP-10's hybrid approach, though not fully trap-based, highlighted the need for emulation in non-virtualizable architectures and inspired refinements like the secondary virtualization theorem, which relaxes conditions for supervisor-sensitive instructions. Together, they validated the theorems' utility in classifying architectures and guiding VMM development during the third-generation computing era.[10][7]32-Bit Microprocessor Architectures
The Motorola MC68000, a seminal 32-bit microprocessor introduced in 1979, demonstrates limited compatibility with the Popek and Goldberg virtualization requirements due to its handling of sensitive instructions. Specifically, the architecture includes an unprivileged sensitive instruction, MOVE from SR, which permits user-mode execution to read the full status register, including supervisor mode bits, interrupt levels, and trace controls, thereby allowing a guest operating system to potentially detect the presence of a virtual machine monitor (VMM). This violation of the requirement that all sensitive instructions be privileged necessitates software emulation of the instruction to maintain isolation, as hardware trapping cannot be relied upon for interception. Consequently, virtualization on the MC68000 demands full CPU emulation rather than efficient trap-and-emulate mechanisms, increasing overhead for virtual machine implementations. In contexts involving emulated address translation—since the base MC68000 lacks a memory management unit (MMU)—additional sensitive operations related to mode switching and resource allocation further complicate direct virtualization, reinforcing the need for comprehensive software intervention. The successor MC68010 addressed this by making MOVE from SR privileged and introducing MOVE from CCR for user-accessible condition codes only, but the original design's flaws underscored early challenges in microprocessor virtualization support. The IA-32 architecture, commonly known as x86 and originating from the Intel 80386 in 1985, is categorized as a Type II instruction set architecture (ISA) under the Popek and Goldberg classification, featuring multiple sensitive unprivileged instructions that preclude classical trap-based virtualization. Notable examples include POPF, which alters system flags such as the interrupt enable flag (IF) without generating a trap in user mode, and SIDT, which discloses the interrupt descriptor table's physical address, enabling guest code to infer host configuration. In contrast, instructions like HLT, which halts the processor, are privileged and thus trap appropriately to the VMM. These unprivileged violators, totaling around 17 in the Pentium-era IA-32, arise from design choices prioritizing backward compatibility and complex addressing in the CISC paradigm. To overcome these limitations, early virtualization solutions such as VMware employed binary translation techniques to dynamically rewrite non-virtualizable guest instructions, avoiding excessive trapping and enabling unmodified x86 operating systems to run efficiently under a VMM. The inherent complexity of x86's segmented memory model and evolving feature set perpetuated the need for such software-based "hacks," distinguishing 32-bit microprocessors from more virtualization-friendly mainframe designs and influencing subsequent architectural evolutions.Modern 64-Bit Architectures
Modern 64-bit architectures have incorporated design principles that more directly align with the Popek and Goldberg virtualization requirements, enabling efficient trap-based virtual machine monitors (VMMs) through enhanced privilege mechanisms and hardware support for sensitive operations. The IA-64 architecture (Itanium), co-developed by Intel and HP, was explicitly designed with virtualization in mind, featuring four privilege levels (PL0 to PL3) that facilitate ring compression: the VMM operates at PL0, the guest OS at PL1, and applications at PL3. This structure ensures that all sensitive instructions—those affecting system resources like protection registers (e.g., region registers for memory isolation) and processor status—are privileged relative to the guest's privilege level, causing them to trap to the VMM without behavioral changes across rings. Consequently, IA-64 supports native trap-based virtualization, minimizing emulation overhead and satisfying the theorems' conditions for equivalence and safety.[11][12] The SPARC architecture, in its versions 8 and 9, satisfies the Popek and Goldberg criteria for classical virtualization, with most sensitive instructions (e.g., those accessing ancillary system registers or address space identifiers) classified as privileged and trapping appropriately in non-supervisor modes. The Total Store Order (TSO) memory model simplifies virtualization by ensuring sequential consistency for loads and stores, reducing the complexity of emulating memory operations across guest and host contexts. However, certain trap-handling instructions and window management operations require emulation in a full VMM to maintain equivalence, as they exhibit ring-dependent behavior. Extensions in UltraSPARC implementations, such as improved trap prioritization and hypervisor-specific modes, enhance efficiency by reducing the frequency of emulations and supporting nested trapping for better isolation.[13] PowerPC Book E variants, targeted at embedded systems, achieve full virtualizability by designating sensitive instructions—including TLB management operations liketlbwe (TLB write entry)—as privileged, ensuring they trap to the hypervisor when executed in guest mode. This design contrasts with earlier 32-bit PowerPC issues, where unprivileged access to certain control registers necessitated extensive binary translation; in Book E, privilege checks enable direct execution of non-sensitive code while trapping others for emulation or paravirtualization. Such features underpin systems like PowerVM, which leverages these traps for efficient resource partitioning without compromising performance.[14]
Recent hardware virtualization extensions in 64-bit architectures retroactively fulfill Popek and Goldberg requirements even for previously challenging designs; for instance, Intel's VT-i for IA-64 and analogous VT-x for x86-64 introduce virtual machine control structures that enforce trapping on all sensitive operations, allowing transparent VMM operation.[12]