I/O Virtualization Architecture for Security

Prevalent and popular virtualization technologies have concentrated on consolidating servers based on the CPU component of the workload. Other system resources, particularly I/O devices like network interfaces and disks have been always designed to be in control of the OS that is managing system resources. Sharing of these devices has been through the OS abstraction layers, with device always being accessed and managed by the privileged OS kernel. Extending such systems for virtualization has resulted in sharing the device access path along-with the shared device, which makes this software layer the vulnerable component for the whole system. In this paper we argue that virtualization gives a simple and efficient mechanism for isolation, and hence improved security, if architected correctly. We analyze the existing I/O virtualization architectures with a view towards identifying the security issues and propose an enhancement that addresses these issues.

[1]  J. Reuben,et al.  A Survey on Virtual Machine Security , 2007 .

[2]  Tavis Ormandy An Empirical Study into the Security Exposure to Hosts of Hostile Virtualized Environments Tavis , 2007 .

[3]  James E. Smith,et al.  The architecture of virtual machines , 2005, Computer.

[4]  David E. Culler,et al.  Virtualization considered harmful: OS design directions for well-conditioned services , 2001, Proceedings Eighth Workshop on Hot Topics in Operating Systems.

[5]  S. K. Nandy,et al.  I/O Device Virtualization in the Multi-core era, a QoS Perspective , 2009, 2009 Workshops at the Grid and Pervasive Computing Conference.

[6]  Tal Garfinkel,et al.  When Virtual Is Harder than Real: Security Challenges in Virtual Machine Based Computing Environments , 2005, HotOS.

[7]  Steven J. Vaughan-Nichols,et al.  Virtualization Sparks Security Concerns , 2008, Computer.

[8]  Paul A. Karger Securing virtual machine monitors: what is needed? , 2009, ASIACCS '09.

[9]  J. Lakshmi,et al.  Modeling Architecture-OS interactions using Layered Queuing Network Models , 2009 .

[10]  Roel Wieringa,et al.  Security Implications of Virtualization: A Literature Study , 2009, 2009 International Conference on Computational Science and Engineering.

[11]  B. Ward Report to Members: NC State Team Wins $20, 000 First Prize at CSIDC , 2005, Computer.

[12]  David Safford,et al.  I/O for Virtual Machine Monitors: Security and Performance Issues , 2008, IEEE Security & Privacy.

[13]  Stefan Berger,et al.  Building a MAC-based security architecture for the Xen open-source hypervisor , 2005, 21st Annual Computer Security Applications Conference (ACSAC'05).