3,423 research outputs found

    Glider: A GPU Library Driver for Improved System Security

    Legacy device drivers implement both device resource management and isolation. This results in a large code base with a wide high-level interface, making the driver vulnerable to security attacks. This is particularly problematic for increasingly popular accelerators like GPUs that have large, complex drivers. We solve this problem with library drivers, a new driver architecture. A library driver implements resource management as an untrusted library in the application process address space, and implements isolation as a kernel module that is smaller and has a narrower lower-level interface (i.e., closer to hardware) than a legacy driver. We articulate a set of device and platform hardware properties that are required to retrofit a legacy driver into a library driver. To demonstrate the feasibility and superiority of library drivers, we present Glider, a library driver implementation for two GPUs of popular brands, Radeon and Intel. Glider reduces the TCB size and attack surface by about 35% and 84% respectively for a Radeon HD 6450 GPU and by about 38% and 90% respectively for an Intel Ivy Bridge GPU. Moreover, it incurs no performance cost. Indeed, Glider outperforms a legacy driver for applications requiring intensive interactions with the device driver, such as applications using the OpenGL immediate mode API.

    Direct I/O solution for Containerized HPUX

    This disclosure relates to a hardware emulation solution called c-UX (code named Kiran), which runs HPUX in emulated mode (Itanium hardware emulation on x86) as a futuristic solution for the margin-rich UNIX business. The value of containerized HPUX is that it allows customers using legacy HPUX applications to continue running on x86 hardware. The c-UX design relies on instruction-level emulation, which has inherent performance issues. Compute-intensive workloads in particular are prone to performance issues when running in an emulated environment. However, I/O workloads on such emulated systems can make use of direct device access or device assignment when configured for the highest possible I/O performance. This technique provides the most efficient way to do I/O compared to other approaches such as device emulation, which imposes a high number of exits from guest context, with the benefits of significantly reduced latency, higher bandwidth, and direct use of bare-metal device drivers. The proposal presents an innovative approach to realizing a Direct I/O mechanism (a.k.a. PCI passthrough) in an emulated HPUX environment by leveraging the Virtual Function I/O framework in Linux. Disclosed is an approach for accelerating I/O performance in the c-UX application by allowing the emulated HPUX operating system direct access to parts of the I/O subsystem of the host and to handle various aspects of the communication such as DMA and interrupts. It also sheds light on the network I/O performance improvement achieved on c-UX using this method.

    A Research to Improve Contiguous Memory Allocation in Linux Kernel

    The demand for Contiguous Memory Allocation (CMA) has witnessed significant growth in both low-end and high-end devices in recent years. However, the existing practices for utilizing CMA prove insufficient, particularly when catering to the needs of low-end (32-bit) devices. CMA, a Linux program used for memory reservation and allocation, faces limitations in its current implementations. Presently, techniques such as Scatter-Gather Direct Memory Access (DMA), Input Output Memory Management Unit (IOMMU), and Memory Reservation are commonly employed for contiguous memory allocation. Unfortunately, these methods are financially impractical for low-end devices and struggle to efficiently allocate substantial memory chunks, leading to latency concerns. In this paper, we introduce an improved CMA approach that intelligently allocates virtual memory for data mapping as needed. Alternatively, it directly allocates and deallocates physical memory without the necessity of virtual memory mapping, employing the DMA_KERNEL_NO_MAPPING attribute within the DMA Application Programming Interface (API). By adopting this method, latency is reduced, and the facilitation of larger memory allocations is promoted, addressing the limitations of the current techniques.

    Fast & Scalable I/O for Emulated HPUX

    HPE has positioned a containerized solution called c-UX (code named Kiran), which runs HPUX in emulated mode (Itanium hardware emulation on x86), as a futuristic solution for the margin-rich UNIX business. The value of containerized HPUX is that it allows customers using legacy HPUX applications to continue running on x86 hardware. Significant effort has been expended to increase the effectiveness of hardware resource utilization on c-UX. The next step in fully optimizing I/O in the c-UX environment is to provide truly scalable high performance by enabling a single I/O device to provide DMA for multiple VMs. This scalability challenge can be solved using Single Root I/O Virtualization (SR-IOV) technology, delivering near-native I/O performance for multiple c-UX instances, while also providing memory and traffic isolation for security and high availability, accelerating live migrations, and reducing the cost and complexity of I/O solutions. Network and storage adapters from various vendors can be used to realize SR-IOV on c-UX, which was otherwise not possible on native HPUX due to hardware and firmware limitations. This paper talks about an innovative mechanism to enable SR-IOV on an emulated HPUX OS using the Virtual Function I/O (VFIO) framework available in Linux. Disclosed is an approach for achieving highly scalable performance in the c-UX application by allowing the guest OS direct access to parts of the I/O subsystem of the host and to handle various aspects of the communication such as DMA and interrupts. It also sheds light on the network I/O performance gains achieved using this method.

    Jiko kaifukugata operetingu shisutemu kochiku furemu waku

    System: new; Report number: Kō No. 2786; Degree type: Doctor of Engineering; Date conferred: 2009/2/25; Waseda University diploma number: Shin 500

    Towards composition of verified hardware devices

    Computers are being used where no affordable level of testing is adequate. Safety and life critical systems must find a replacement for exhaustive testing to guarantee their correctness. Through a mathematical proof, hardware verification research has focused on device verification and has largely ignored system composition verification. To address these deficiencies, we examine how the current hardware verification methodology can be extended to verify complete systems.