Securing Self-Virtualizing I/O Devices

Single root I/O virtualization (SRIOV) is a hardware/software interface that allows devices to “selfvirtualize” and thereby remove the host from the critical I/O path. SRIOV thus brings bare-metal performance to untrusted guest virtual machines (VMs) in public clouds, enterprise data centers, and high-performance computing setups. We identify a design flaw in current SRIOV deployments that enables untrusted VMs to completely control the throughput and latency of other, unrelated VMs using network flow control functionality. Addressing this flaw with current network controllers (NICs) and switches requires either forgoing SRIOV or forgoing flow control, thereby trading off much of the performance benefit that SRIOV provides. We present and experimentally demonstrate the viability of the Virtualization-Aware Network Flow Controller (VANFC), a secure SRIOV setup that eliminates this flaw without requiring any changes to the software/hardware interface.