Issue No.10 - Oct. (2011 vol.22)
pp: 1705-1713
Duy Le, The College of William and Mary, Williamsburg
Haining Wang, The College of William and Mary, Williamsburg
Utilizing the popular virtualization technology (VT), users can benefit from server consolidation on high-end systems and flexible programming interfaces on low-end systems. In these virtualization environments, the intensive memory multiplexing for I/O of Virtual Machines (VMs) significantly degrades system performance. In this paper, we present a new technique, called Batmem, to effectively reduce the memory multiplexing overhead of VMs and emulated devices by optimizing the operations of the conventional emulated Memory Mapped I/O in Virtual Machine Monitor (VMM)/hypervisor. To demonstrate the feasibility of Batmem, we conduct a detailed taxonomy of the memory optimization on selected virtual devices. We evaluate the effectiveness of Batmem in Windows and Linux systems. Our experimental results show that 1) for high-end systems, Batmem operates as a component of the hypervisor and significantly improves the performance of the virtual environment, and 2) for low-end systems, Batmem could be exploited as a component of the VM-based malware/rootkit (VMBR) and cloak malicious activities from users' awareness.
Memory management, virtual machine, security.
Duy Le, Haining Wang, "An Effective Memory Optimization for Virtual Machine-Based Systems", IEEE Transactions on Parallel & Distributed Systems, vol.22, no. 10, pp. 1705-1713, Oct. 2011, doi:10.1109/TPDS.2011.37