Abstract
Virtualized Network I/O (VNIO) is an enabling technology in cloud computing environment as it provides virtual machines (VMs) the network connectivity. Among existing VNIO implementations, vHost-User para-virtualized solution has been commonly adopted by the industry as it achieves a good trade-off between performance and flexibility. In vHost-User, the packet transferring procedure is implemented by a user space virtual Switch (vSwitch) process, which is granted to access all VMs' memory without restrictions. This kind of memory sharing model brings significant isolation risk, and numerous reinforcement strategies have been proposed. In this work, we first discuss the limitations of these existing reinforcement solutions. Then we propose Secure-vHost, an isolation guaranteed VNIO design that moves the packet transferring procedure from vSwitch to the hypervisor. We redesign the memory sharing model and thread scheduling strategy in SecurevHost, to enhance the efficiency of packet transferring and achieve a good trade-off between isolation and performance. We implement and evaluate the Secure-vHost solution on the QEMU/KVM virtualization platform. The experimental results show that, comparing with the vHost-User solution, the SecurevHost implementation can achieve comparable performance with better VM memory isolation.