David Kleidermacher is chief technology officer at Green Hills Software where he has been responsible for operating system and virtualization technology over the past decade. David can be contacted at davek at ghs.com.
Vrtualization was first introduced in mainframes during the 1960s and 1970s. Although it remained a largely untapped facility during the 1980s and 1990s, computer scientists have long understood many of the applications of virtualization, including the ability to run distinct and legacy operating systems on a single hardware platform.
At the start of the millennium, VMware proved the practicality of full system virtualization, hosting unmodified, general purpose, "guest" operating systems such as Windows on common Intel architecture-based hardware platforms. In 2005, Intel launched Intel Virtualization Technology (Intel VT), which both simplified and accelerated virtualization. Consequently, a number of virtualization software products have emerged, alternatively called "virtual machine monitors" or "hypervisors", with varying characteristics and goals.
While Intel VT may be best known for its application in data center server consolidation and provisioning, Intel VT has proliferated across desktop- and laptop-class chipsets, and has most recently found its way into Intel Atom processors, built for low power and designed for embedded and mobile applications.
The availability of Intel VT across such a wide range of computing platforms provides developers and technologists with the ultimate open platform: the ability to run any flavor of operating system in any combination, creating an unprecedented flexibility for deployment and usage. This article introduces some of these emerging uses, with an emphasis on the latest platforms enabled with Intel VT: embedded and mobile. Because embedded and mobile platforms often have resource and security constraints that differ drastically from enterprise computing platforms, we focus in this article on the impact of hypervisor architecture upon these constraints.
Applications of System Virtualization
Mainframe virtualization was driven by some of the same applications found in today's enterprise systems. Initially, virtualization was used for time sharing, similar to the improved hardware utilization driving modern data center server consolidation. Another important usage involved testing and exploring new operating system architectures. Virtualization was also used to maintain backward compatibility of legacy versions of operating systems.
Implicit in the concept of consolidation is the premise that independent virtual machines are kept securely separated from each other. The ability to guarantee separation is highly dependent upon the robustness of the underlying hypervisor software. Researchers have found flaws in commercial hypervisors that violate this separation assumption. Nevertheless, an important theoretical application of virtual machine compartmentalization is to "sandbox" software that is not trusted. For example, a web browser connected to the Internet can be sandboxed in a virtual machine so that Internet-borne malware or browser vulnerabilities are unable to infiltrate or otherwise adversely impact the user's primary operating system environment.
Virtual Security Appliances
Another example, the virtual security appliance, does the opposite: sandbox trusted software away from the user's operating system environment. Consider anti-virus software that runs on a Mobile Internet Device (MID). A few years ago, the "Metal Gear" Symbian Trojan was able to propagate itself by disabling the mobile device's anti-malware software.  Virtualization can solve this problem by placing the anti-malware software into a separate virtual machine, as in Figure 1. The virtual appliance can analyze data going into and out of the user's environment or hook into the user's operating system for demand-driven processing.