TY - GEN
T1 - A Hardware/Software Approach for Mitigating Performance Interference Effects in Virtualized Environments Using SR-IOV
AU - Richter, Andre
AU - Herber, Christian
AU - Wallentowitz, Stefan
AU - Wild, Thomas
AU - Herkersdorf, Andreas
N1 - Publisher Copyright:
© 2015 IEEE.
PY - 2015/8/19
Y1 - 2015/8/19
N2 - Single Root I/O Virtualization (SR-IOV) is an extension to the PCI Express (PCIe) standard that allows virtual machines (VMs) to directly access shared I/O devices without host involvement. This enabled SR-IOV to become the best-performing solution for virtual I/O to date, which led to its commercial adoption, e.g., in Amazon EC2. On the downside, a malicious VM can exploit the direct access to an SR-IOV device by flooding it with PCIe packets. This results in congestion on the PCIe interconnect, which leads to performance interference effects between the malicious VM, concurrent VMs and even the host. In this paper, we present a hardware/software approach that detects and mitigates such Denial-of-Service (DoS) attacks. On the hardware side, we propose monitoring extensions within SR-IOV devices that distinguish legitimate device use from malicious device use by observing the rate of incoming PCIe transactions at VM granularity. Malicious VMs are reported to the host via interrupts. On the software side, performance interference effects can then be mitigated by dynamically adjusting the host's scheduling of the malicious VM or even shutting it down. We implement a prototype with a commercial off-the-shelf SR-IOV Ethernet controller and an FPGA board. On it, we demonstrate that appropriate scheduling of malicious VMs successfully mitigates interference effects for three cloud-relevant benchmarks. For example, Memcached is restored to 99.4% of baseline performance (compared to 61.8% without our extensions). In contrast to the QoS features proposed in the PCIe 3.0 standard, our solution is more flexible. Additionally, it can be realized as an add-on to existing misuse detection hardware such as the Intel Malicious Driver Detection (MDD).
AB - Single Root I/O Virtualization (SR-IOV) is an extension to the PCI Express (PCIe) standard that allows virtual machines (VMs) to directly access shared I/O devices without host involvement. This enabled SR-IOV to become the best-performing solution for virtual I/O to date, which led to its commercial adoption, e.g., in Amazon EC2. On the downside, a malicious VM can exploit the direct access to an SR-IOV device by flooding it with PCIe packets. This results in congestion on the PCIe interconnect, which leads to performance interference effects between the malicious VM, concurrent VMs and even the host. In this paper, we present a hardware/software approach that detects and mitigates such Denial-of-Service (DoS) attacks. On the hardware side, we propose monitoring extensions within SR-IOV devices that distinguish legitimate device use from malicious device use by observing the rate of incoming PCIe transactions at VM granularity. Malicious VMs are reported to the host via interrupts. On the software side, performance interference effects can then be mitigated by dynamically adjusting the host's scheduling of the malicious VM or even shutting it down. We implement a prototype with a commercial off-the-shelf SR-IOV Ethernet controller and an FPGA board. On it, we demonstrate that appropriate scheduling of malicious VMs successfully mitigates interference effects for three cloud-relevant benchmarks. For example, Memcached is restored to 99.4% of baseline performance (compared to 61.8% without our extensions). In contrast to the QoS features proposed in the PCIe 3.0 standard, our solution is more flexible. Additionally, it can be realized as an add-on to existing misuse detection hardware such as the Intel Malicious Driver Detection (MDD).
KW - Performance Interference
KW - SR-IOV
KW - Virtualization
UR - http://www.scopus.com/inward/record.url?scp=84960171947&partnerID=8YFLogxK
U2 - 10.1109/CLOUD.2015.129
DO - 10.1109/CLOUD.2015.129
M3 - Conference contribution
AN - SCOPUS:84960171947
T3 - Proceedings - 2015 IEEE 8th International Conference on Cloud Computing, CLOUD 2015
SP - 950
EP - 957
BT - Proceedings - 2015 IEEE 8th International Conference on Cloud Computing, CLOUD 2015
A2 - Pu, Calton
A2 - Mohindra, Ajay
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 8th IEEE International Conference on Cloud Computing, CLOUD 2015
Y2 - 27 June 2015 through 2 July 2015
ER -