TY - GEN
T1 - Performance isolation exposure in virtualized platforms with PCI passthrough I/O sharing
AU - Richter, Andre
AU - Herber, Christian
AU - Rauchfuss, Holm
AU - Wild, Thomas
AU - Herkersdorf, Andreas
PY - 2014
Y1 - 2014
N2 - PCI Passthrough is an x86 virtualization technology that enables low overhead, high performance I/O virtualization. It is an established technology in server and cloud computing environments and a promising technology for sharing I/O devices in future Cyber Physical Systems that consolidate mixed-criticality applications on multi-core CPUs. In this paper, we show that current implementations of x86 PCI Passthrough are prone to Denial-of-Service attacks. We demonstrate that attacks can be launched from within Virtual Machine environments and affect the performance of every I/O device on the interconnect. This means that malicious or malfunctioning applications inside Virtual Machines can impair the I/O performance of co-residential Virtual Machines. For example, attacking an SR-IOV capable Gigabit Ethernet NIC causes its TCP throughput to drop by 326 Mbit/s; latencies for reading 32 bit words from the NIC increase by over 650%. We investigate which hardware parameters influence the impact of such attacks and introduce three protection approaches.
AB - PCI Passthrough is an x86 virtualization technology that enables low overhead, high performance I/O virtualization. It is an established technology in server and cloud computing environments and a promising technology for sharing I/O devices in future Cyber Physical Systems that consolidate mixed-criticality applications on multi-core CPUs. In this paper, we show that current implementations of x86 PCI Passthrough are prone to Denial-of-Service attacks. We demonstrate that attacks can be launched from within Virtual Machine environments and affect the performance of every I/O device on the interconnect. This means that malicious or malfunctioning applications inside Virtual Machines can impair the I/O performance of co-residential Virtual Machines. For example, attacking an SR-IOV capable Gigabit Ethernet NIC causes its TCP throughput to drop by 326 Mbit/s; latencies for reading 32 bit words from the NIC increase by over 650%. We investigate which hardware parameters influence the impact of such attacks and introduce three protection approaches.
KW - Passthrough I/O
KW - Performance Isolation
KW - Virtualization
UR - http://www.scopus.com/inward/record.url?scp=84958542928&partnerID=8YFLogxK
U2 - 10.1007/978-3-319-04891-8_15
DO - 10.1007/978-3-319-04891-8_15
M3 - Conference contribution
AN - SCOPUS:84958542928
SN - 9783319048901
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 171
EP - 182
BT - Architecture of Computing Systems, ARCS 2014 - 27th International Conference, Proceedings
PB - Springer Verlag
T2 - 27th International Conference on Architecture of Computing Systems, ARCS 2014
Y2 - 25 February 2014 through 28 February 2014
ER -