IOMMU Para-Virtualization for Efficient and Secure DMA in Virtual Machines
Tang, Hongwei1,2,3; Li, Qiang2,3; Feng, Shengzhong1,3; Zhao, Xiaofang2,3; Jin, Yan2,3
2016-12-31
Journal: KSII TRANSACTIONS ON INTERNET AND INFORMATION SYSTEMS
ISSN: 1976-7277
Volume: 10, Issue: 12, Pages: 5375-5400
Abstract: IOMMU is a hardware unit that is indispensable for DMA. Besides address translation and remapping, it also provides I/O virtual address space isolation among devices and memory access control on DMA transactions. However, current commodity virtualization platforms lack IOMMU virtualization, so virtual machines are vulnerable to DMA security threats. Previous works focus only on the DMA security problem of directly assigned devices. Moreover, these solutions either introduce significant overhead or require modifications to the guest OS to optimize performance, and none can achieve high I/O efficiency and good compatibility with the guest OS simultaneously, which are both necessary for production environments. However, for simulated virtual devices the DMA security problem also exists, and previous works cannot solve this problem. The reason is that IOMMU circuits on the host do not work for this kind of device, since its DMA operations are simulated by CPU memory copies. Motivated by the above observations, we propose an IOMMU para-virtualization solution called PVIOMMU, which provides general functionalities, especially DMA security guarantees, for both directly assigned devices and simulated devices. The prototype of PVIOMMU is implemented in Qemu/KVM based on the virtio framework and can be dynamically loaded into the guest kernel as a module. As a result, modifying and rebuilding the guest kernel is not required. In addition, the device model of Qemu is revised to implement DMA access control by separating the device simulator from the address space of the guest virtual machine. Experimental evaluations on three kinds of network devices, including Intel I210 (1Gbps), simulated E1000 (1Gbps) and IB ConnectX-3 (40Gbps), show that PVIOMMU introduces little overhead on DMA transactions, and in general the network I/O performance is close to that in the native KVM implementation without IOMMU virtualization.
Keywords: IOMMU virtualization; para-virtualization; DMA security; virtio; simulated device
DOI: 10.3837/tiis.2016.12.014
Indexed by: SCI
Language: English
Funding: National Natural Science Foundation of China (NSFC)[61402444]
WOS Research Area: Computer Science ; Telecommunications
WOS Category: Computer Science, Information Systems ; Telecommunications
WOS Accession Number: WOS:000396510000014
Publisher: KSII-KOR SOC INTERNET INFORMATION
Citation statistics
Times cited: 2 [WOS]
Document type: Journal article
Item identifier: http://119.78.100.204/handle/2XEOYT63/7307
Collection: Journal Articles of the Institute of Computing Technology, Chinese Academy of Sciences (English)
Corresponding author: Tang, Hongwei
Author affiliations: 1.Chinese Acad Sci, Shenzhen Inst Adv Technol, Shenzhen 518055, Peoples R China
2.Chinese Acad Sci, Inst Comp Technol, Beijing 100190, Peoples R China
3.Univ Chinese Acad Sci, Beijing 100049, Peoples R China
Recommended citation
GB/T 7714
Tang, Hongwei,Li, Qiang,Feng, Shengzhong,et al. IOMMU Para-Virtualization for Efficient and Secure DMA in Virtual Machines[J]. KSII TRANSACTIONS ON INTERNET AND INFORMATION SYSTEMS,2016,10(12):5375-5400.
APA Tang, Hongwei,Li, Qiang,Feng, Shengzhong,Zhao, Xiaofang,&Jin, Yan.(2016).IOMMU Para-Virtualization for Efficient and Secure DMA in Virtual Machines.KSII TRANSACTIONS ON INTERNET AND INFORMATION SYSTEMS,10(12),5375-5400.
MLA Tang, Hongwei,et al."IOMMU Para-Virtualization for Efficient and Secure DMA in Virtual Machines".KSII TRANSACTIONS ON INTERNET AND INFORMATION SYSTEMS 10.12(2016):5375-5400.
Files in this item
There are no files associated with this item.