• Title/Summary/Keyword: para-virtualization

IOMMU Para-Virtualization for Efficient and Secure DMA in Virtual Machines

  • Tang, Hongwei;Li, Qiang;Feng, Shengzhong;Zhao, Xiaofang;Jin, Yan
    • KSII Transactions on Internet and Information Systems (TIIS) / v.10 no.12 / pp.5375-5400 / 2016
  • IOMMU is a hardware unit that is indispensable for DMA. Besides address translation and remapping, it also provides I/O virtual address space isolation among devices and memory access control on DMA transactions. However, current commodity virtualization platforms lack IOMMU virtualization, so virtual machines are vulnerable to DMA security threats. Previous works focus only on the DMA security problem of directly assigned devices. Moreover, these solutions either introduce significant overhead or require modifications to the guest OS to optimize performance, and none can achieve high I/O efficiency and good compatibility with the guest OS simultaneously, which are both necessary for production environments. However, the DMA security problem also exists for simulated virtual devices, and previous works cannot solve this problem. The reason is that IOMMU circuits on the host do not work for this kind of device, whose DMA operations are simulated by CPU memory copies. Motivated by the above observations, we propose an IOMMU para-virtualization solution called PVIOMMU, which provides general functionalities, especially DMA security guarantees, for both directly assigned devices and simulated devices. The prototype of PVIOMMU is implemented in Qemu/KVM based on the virtio framework and can be dynamically loaded into the guest kernel as a module. As a result, modifying and rebuilding the guest kernel is not required. In addition, the device model of Qemu is revised to implement DMA access control by separating the device simulator from the address space of the guest virtual machine. Experimental evaluations on three kinds of network devices, including Intel I210 (1Gbps), simulated E1000 (1Gbps) and IB ConnectX-3 (40Gbps), show that PVIOMMU introduces little overhead on DMA transactions, and in general the network I/O performance is close to that of the native KVM implementation without IOMMU virtualization.

Para-virtualized Library for Bare-metal Network Performance in Virtualized Environment (Para-virtualization Library for High-Performance I/O in Virtualized Environments)

  • Lee, Dongwoo;Cho, Youngjoong;Eom, Young Ik
    • Journal of KIISE / v.41 no.9 / pp.605-610 / 2014
  • Virtualization is no longer an emerging research area, and its applications are easy to find around us. Nevertheless, there is reluctance to run I/O workloads in virtual environments, since they still suffer from unacceptable performance degradation due to virtualization latency. Many previous papers identified that virtual I/O overhead is mainly caused by exits and the redundant I/O stack, and proposed several techniques to reduce them. However, they still have some limitations. In this paper, we introduce a novel I/O virtualization framework which improves I/O performance by exploiting multicore architecture. We applied our framework to the virtual network, and it improves TCP throughput by up to 169% and decreases UDP latency by up to 38% on a network with a 10Gbps NIC.

A Hypervisor for ARM based Embedded Systems

  • Son, Sunghoon
    • Journal of the Korea Society of Computer and Information / v.22 no.5 / pp.11-19 / 2017
  • In this paper, we propose a hypervisor for embedded systems based on the ARM microprocessor. The proposed hypervisor makes it possible to run several real-time kernels concurrently on a single embedded system by virtualizing its microprocessor. With the assistance of the MMU, it supports virtual memory, which enables each guest operating system to have its own address space. Exploiting the fact that most embedded systems use memory-mapped I/O devices, it provides a mechanism to distribute an external interrupt to virtual machines properly. It also achieves load balancing through live migration, which moves a running virtual machine to another embedded system. Unlike other para-virtualization techniques, minor modifications are needed to run it on the hypervisor. Extensive performance measurement studies are conducted to show that the proposed hypervisor has sufficient potential for real-world application.

VTF: A Timer Hypercall to Support Real-time of Guest Operating Systems (VIT: A Timer Hypercall for Supporting the Real-Time Capability of Guest Operating Systems)

  • Park, Mi-Ri;Hong, Cheol-Ho;Yoo, See-Hwan;Yoo, Chuck
    • Journal of KIISE: Computer Systems and Theory / v.37 no.1 / pp.35-42 / 2010
  • Guest operating systems running on virtual machines share a variety of resources. Since the CPU is allocated in a time-division manner, the guests consequently do not know the physical time. This is not regarded as a serious problem in the server virtualization field. However, it becomes critical in embedded systems because it prevents a guest OS from executing real-time tasks when it does not occupy the CPU. In this paper, we propose a hypercall that registers a timer service to notify timer requests related to real time. It enables the hypervisor to schedule a virtual machine that has real-time tasks to execute, and allows the guest OS to take the CPU on time to support real time. The following experiment shows its implementation on Xen-Arm and para-virtualized Linux. We also analyze the real-time performance using the response time of a test application and the frames per second of Mplayer.