Securing Self-Virtualizing Ethernet Devices
نویسندگان
چکیده
Single root I/O virtualization (SRIOV) is a hardware/software interface that allows devices to “self virtualize” and thereby remove the host from the critical I/O path. SRIOV thus brings near bare-metal performance to untrusted guest virtual machines (VMs) in public clouds, enterprise data centers, and high-performance computing setups. We identify a design flaw in current Ethernet SRIOV NIC deployments that enables untrusted VMs to completely control the throughput and latency of other, unrelated VMs. The attack exploits Ethernet ”pause” frames, which enable network flow control functionality. We experimentally launch the attack across several NIC models and find that it is effective and highly accurate, with substantial consequences if left unmitigated: (1) to be safe, NIC vendors will have to modify their NICs so as to filter pause frames originating from SRIOV instances; (2) in the meantime, administrators will have to either trust their VMs, or configure their switches to ignore pause frames, thus relinquishing flow control, which might severely degrade networking performance. We present the Virtualization-Aware Network Flow Controller (VANFC), a software-based SRIOV NIC prototype that overcomes the attack. VANFC filters pause frames from malicious virtual machines without any loss of performance, while keeping SRIOV and Ethernet flow control hardware/software interfaces intact.
منابع مشابه
Scalable I/O Virtualization via Self-Virtualizing Devices
The virtualization of I/O devices is an integral part of system virtualization. This includes both virtualizing the physical devices and managing them across multiple guest virtual machines (VMs) or domains running on top of a virtual machine monitor (VMM) or hypervisor (HV). This paper presents the notion of self-virtualizing devices, where for higher end, ‘smart’ I/O devices, selected virtual...
متن کاملVirtualizing I/O Devices on VMware Workstation's Hosted Virtual Machine Monitor
Virtual machines were developed by IBM in the 1960’s to provide concurrent, interactive access to a mainframe computer. Each virtual machine is a replica of the underlying physical machine and users are given the illusion of running directly on the physical machine. Virtual machines also provide benefits like isolation and resource sharing, and the ability to run multiple flavors and configurat...
متن کاملSecuring Self-Virtualizing I/O Devices
Single root I/O virtualization (SRIOV) is a hardware/software interface that allows devices to “selfvirtualize” and thereby remove the host from the critical I/O path. SRIOV thus brings bare-metal performance to untrusted guest virtual machines (VMs) in public clouds, enterprise data centers, and high-performance computing setups. We identify a design flaw in current SRIOV deployments that enab...
متن کاملSelf-Securing Storage: Protecting Data in Compromised Systems
Self-securing storage prevents intruders from undetectably tampering with or permanently deleting stored data. To accomplish this, self-securing storage devices internally audit all requests and keep old versions of data for a window of time, regardless of the commands received from potentially compromised host operating systems. Within the window, system administrators have this valuable infor...
متن کاملArchitecture and Interface of a Self-Securing Object Store
Self-securing storage prevents intruders from undetectably tampering with or permanently deleting stored data. To accomplish this, self-securing storage devices internally audit all requests and keep all versions of all data for a window of time, regardless of the commands received from potentially compromised host operating systems. Within this window, system administrators have valuable infor...
متن کامل