Performance Isolation Exposure in Virtualized Platforms with PCI Passthrough I/O Sharing

Abstract

PCI Passthrough is an x86 virtualization technology that enables low overhead, high performance I/O virtualization. It is an established technology in server and cloud computing environments and a promising technology for sharing I/O devices in future Cyber Physical Systems that consolidate mixed-criticality applications on multi-core CPUs. In this paper, we show that current implementations of x86 PCI Passthrough are prone to Denial-of-Service attacks. We demonstrate that attacks can be launched from within Virtual Machine environments and affect the performance of every I/O device on the interconnect. This means that malicious or malfunctioning applications inside Virtual Machines can impair the I/O performance of co-residential Virtual Machines. For example, attacking an SR-IOV capable Gigabit Ethernet NIC causes its TCP throughput to drop by 326 Mbit/s; latencies for reading 32 bit words from the NIC increase by over 650%. We investigate which hardware parameters influence the impact of such attacks and introduce three protection approaches.