SIVSHM: Secure Inter-VM Shared Memory
share
With wide spread acceptance of virtualization, virtual machines (VMs) find their presence in various applications such as Network Address Translation (NAT) servers, firewall servers and MapReduce applications. Typically, in these applications a data manager collects data from the external world and distributes it to multiple workers for further processing. Currently, data managers distribute data with workers either using inter-VM shared memory (IVSHMEM) or network communication. IVSHMEM provides better data distribution throughput sacrificing security as all untrusted workers have full access to the shared memory region and network communication provides better security at the cost of throughput. Secondly, IVSHMEM uses a central distributor to exchange eventfd - a file descriptor to an event queue of length one, which is used for inter-VM signaling. This central distributor becomes a bottleneck and increases boot time of VMs. Secure Inter-VM Shared Memory (SIVSHM) provided both security and better throughout by segmenting inter-VM shared memory, so that each worker has access to segment that belong only to it, thereby enabling security without sacrificing throughput. SIVSHM boots VMs in 30 compared to IVSHMEM by eliminating central distributor from its architecture and enabling direct exchange of eventfds amongst VMs.
READ FULL TEXT
