Chinese Academy of Sciences Institutional Repositories Grid
IOMMU Para-Virtualization for Efficient and Secure DMA in Virtual Machines

Document type: Journal article

Authors: Tang, Hongwei [1,2,3]; Li, Qiang [2,3]; Feng, Shengzhong [1,3]; Zhao, Xiaofang [2,3]; Jin, Yan [2,3]
Journal: KSII TRANSACTIONS ON INTERNET AND INFORMATION SYSTEMS
Publication date: 2016-12-31
Volume: 10; Issue: 12; Pages: 5375-5400
ISSN: 1976-7277
Keywords: IOMMU virtualization para-virtualization DMA security virtio simulated device
DOI: 10.3837/tiis.2016.12.014
Abstract: IOMMU is a hardware unit that is indispensable for DMA. Besides address translation and remapping, it also provides I/O virtual address space isolation among devices and memory access control on DMA transactions. However, current commodity virtualization platforms lack IOMMU virtualization, so virtual machines are vulnerable to DMA security threats. Previous works focus only on the DMA security problem of directly assigned devices. Moreover, these solutions either introduce significant overhead or require modifications to the guest OS to optimize performance, and none can achieve high I/O efficiency and good compatibility with the guest OS simultaneously, which are both necessary for production environments. However, the DMA security problem also exists for simulated virtual devices, and previous works cannot solve this problem. The reason is that IOMMU circuits on the host do not work for this kind of device, as its DMA operations are simulated by CPU memory copies. Motivated by the above observations, we propose an IOMMU para-virtualization solution called PVIOMMU, which provides general functionalities, especially DMA security guarantees, for both directly assigned devices and simulated devices. The prototype of PVIOMMU is implemented in Qemu/KVM based on the virtio framework and can be dynamically loaded into the guest kernel as a module. As a result, modifying and rebuilding the guest kernel are not required. In addition, the device model of Qemu is revised to implement DMA access control by separating the device simulator from the address space of the guest virtual machine. Experimental evaluations on three kinds of network devices, including Intel I210 (1Gbps), simulated E1000 (1Gbps) and IB ConnectX-3 (40Gbps), show that PVIOMMU introduces little overhead on DMA transactions, and in general the network I/O performance is close to that in the native KVM implementation without IOMMU virtualization.
Funding: National Natural Science Foundation of China (NSFC) [61402444]
WOS research areas: Computer Science; Telecommunications
Language: English
Publisher: KSII-KOR SOC INTERNET INFORMATION
WOS accession number: WOS:000396510000014
Source URL: [http://119.78.100.204/handle/2XEOYT63/7306]
Collection: Institute of Computing Technology, Chinese Academy of Sciences, Journal Articles (English)
Corresponding author: Tang, Hongwei
Author affiliations:
1. Chinese Acad Sci, Shenzhen Inst Adv Technol, Shenzhen 518055, Peoples R China
2. Chinese Acad Sci, Inst Comp Technol, Beijing 100190, Peoples R China
3. Univ Chinese Acad Sci, Beijing 100049, Peoples R China
Recommended citation
GB/T 7714
Tang, Hongwei,Li, Qiang,Feng, Shengzhong,et al. IOMMU Para-Virtualization for Efficient and Secure DMA in Virtual Machines[J]. KSII TRANSACTIONS ON INTERNET AND INFORMATION SYSTEMS,2016,10(12):5375-5400.
APA Tang, Hongwei,Li, Qiang,Feng, Shengzhong,Zhao, Xiaofang,&Jin, Yan.(2016).IOMMU Para-Virtualization for Efficient and Secure DMA in Virtual Machines.KSII TRANSACTIONS ON INTERNET AND INFORMATION SYSTEMS,10(12),5375-5400.
MLA Tang, Hongwei,et al."IOMMU Para-Virtualization for Efficient and Secure DMA in Virtual Machines".KSII TRANSACTIONS ON INTERNET AND INFORMATION SYSTEMS 10.12(2016):5375-5400.

Ingest method: OAI harvesting

Source: Institute of Computing Technology


Unless otherwise stated, all content in this system is protected by copyright, and all rights are reserved.