Denial-of-Service attacks on PCI passthrough devices: Demonstrating the impact on network- and storage-I/O performance

Abstract

PCI Passthrough is an established x86 server technology for directly assigning PCIe devices to Virtual Machines (VMs). In combination with Single Root I/O Virtualization, which enables concurrent sharing of single physical PCIe I/O devices, PCI Passthrough enables low overhead and high performance I/O virtualization. Besides server environments, the combination is also a promising approach for sharing I/O in future multi-core embedded systems. In this paper, we demonstrate that PCI Passthrough has yet-to-be-solved problems regarding performance isolation, because it is prone to Denial-of-Service (DoS) attacks. VMs executing DoS attacks on Passthrough devices can degrade the I/O performance of devices that share PCIe links with the DoS victim, which may affect concurrent VMs and the host. We evaluate how attacks on an SR-IOV capable Gigabit Ethernet NIC cause a degradation of the system's network- and storage-I/O performance. The attacked NIC's TCP throughput drops by 35%; other NICs that share PCIe links with the victim see degradations of 46% and 65%; performance of a host-assigned SSD degrades by 77%. We investigate what influences the severity of such attacks and introduce three protection approaches.