Performance Isolation Exposure in Virtualized Platforms with PCI Passthrough I/O Sharing

PCI Passthrough is an x86 virtualization technology that enables low overhead, high performance I/O virtualization. It is an established technology in server and cloud computing environments and a promising technology for sharing I/O devices in future Cyber Physical Systems that consolidate mixed-criticality applications on multi-core CPUs. In this paper, we show that current implementations of x86 PCI Passthrough are prone to Denial-of-Service attacks. We demonstrate that attacks can be launched from within Virtual Machine environments and affect the performance of every I/O device on the interconnect. This means that malicious or malfunctioning applications inside Virtual Machines can impair the I/O performance of co-residential Virtual Machines. For example, attacking an SR-IOV capable Gigabit Ethernet NIC causes its TCP throughput to drop by 326 Mbit/s; latencies for reading 32 bit words from the NIC increase by over 650%. We investigate which hardware parameters influence the impact of such attacks and introduce three protection approaches.

[1]  Wei Jing Performance Isolation for Mixed Criticality Real-time System on Multicore with Xen Hypervisor , 2013 .

[2]  Yves Deswarte,et al.  Exploiting an I/OMMU vulnerability , 2010, 2010 5th International Conference on Malicious and Unwanted Software.

[3]  Michael Paulitsch,et al.  Leveraging Multi-core Computing Architectures in Avionics , 2012, 2012 Ninth European Dependable Computing Conference.

[4]  Rafal Wojtczuk,et al.  Following the White Rabbit : Software attacks against Intel ( R ) VT-d technology , 2011 .

[5]  Bernard Bavoux,et al.  Multi-source and multicore automotive ECUs - OS protection mechanisms and scheduling , 2010, 2010 IEEE International Symposium on Industrial Electronics.

[6]  Henrik Theiling,et al.  Multicore in Real-Time Systems – Temporal Isolation Challenges due to Shared Resources , 2013, DATE 2013.

[7]  Beng-Hong Lim,et al.  Virtualizing I/O Devices on VMware Workstation's Hosted Virtual Machine Monitor , 2001, USENIX Annual Technical Conference, General Track.

[8]  Alexandra Fedorova,et al.  Addressing shared resource contention in multicore processors via scheduling , 2010, ASPLOS XV.

[9]  Xiaowei Yang,et al.  High performance network virtualization with SR-IOV , 2010, HPCA - 16 2010 The Sixteenth International Symposium on High-Performance Computer Architecture.

[10]  Dominik Reinhardt,et al.  Achieving a Scalable E/E-Architecture Using AUTOSAR and Virtualization , 2013 .

[11]  Zhao Yu,et al.  SR-IOV Networking in Xen: Architecture, Design and Implementation , 2008, Workshop on I/O Virtualization.