Virtualization provides techniques for consolidating physical machines. That is, multiple virtual machines can be executed by a single physical machine.
Virtual machine queue (VMQ) technology enables a receive queue on a VMQ-capable hardware network interface card (NIC) to be dedicated to a NIC running in a virtual machine (VM). Filters for the media access control (MAC) address of the VM's NIC are configured on the hardware NIC so that the hardware NIC can filter traffic for that VM and indicate it to the virtual switch driver running in the host partition of a virtualized environment. Moreover, the common buffer used for the hardware NIC's receive buffers is allocated from the VM's memory address space. As a result, the hardware NIC uses direct memory access (DMA) to place all incoming frames targeted at the VM's NIC directly into the VM's memory. This avoids the copy from the host's memory to the VM's memory that would be necessary in the absence of VMQ.
However, enabling VMQ makes certain security attacks by a malicious VM possible. Without VMQ, the receive descriptors for the hardware NIC are allocated from the host partition's own memory. As a result, the hardware NIC DMAs the incoming frames into host memory and indicates the network packets to the virtual switch driver running in the host partition. The virtual switch driver determines the target NIC in the VM and copies the packet data into the VM's memory to be consumed by the VM's networking stack. With VMQ, since the frames are DMAed directly into the VM's memory, the virtual switch driver does not incur the cost of copying the frame and simply indicates the packets to the VM's networking stack. Because the incoming frames are DMAed directly into the VM's memory, the VM has access to each frame even before the virtual switch driver indicates the packet to the VM's networking stack. As a result, a malicious VM could modify the packet contents in a way that adversely affects components in the host partition or even services running in other VMs on the same physical host. This is a significant security risk and can be exploited by a malicious VM. For instance, the switch driver running in the host partition could look at the source MAC address in the incoming packet and update its internal state regarding the port on which this MAC is reachable. A malicious VM could tamper with this field in the packet, causing all packets destined for another VM to be transmitted through the hardware port, thus launching a denial of service (DoS) attack. Other components in the host, such as firewall filtering components, might parse the packet even more deeply. Therefore, there is a need to protect the fields in incoming frames that are parsed by any component in the host partition from being modified by a malicious VM.
There is a further security risk associated with virtual local area network identifiers (VLAN IDs). Since the hardware filters incoming network packets only on the VM NIC's MAC address, a VM whose NIC is configured with a VLAN ID could monitor all traffic sent to its MAC address on a different VLAN.
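The two risks above, tampering with a frame that sits in VM-owned memory while the host is still parsing it, and VLAN traffic that the MAC-only hardware filter lets through, both come down to what the host-side switch does with the header before it acts on it. The following simulation is an added example, not code from the original document or from any particular virtual switch implementation. It models a host switch that copies the Ethernet header into host-private memory before parsing (so a VM rewriting its own receive buffer cannot change the host's decision) and that checks the 802.1Q VLAN tag against the VM NIC's configured VLAN. A snapshot-free reference path is included so the difference is observable. The port names, MAC addresses, VLAN IDs, frames and the `vm_writes` hook (which stands in for the VM writing to its buffer mid-processing) are all constructed sample values.

```python
"""Host-side handling of VMQ frames DMAed into VM-owned memory (added example).

Defensive checks modelled here:
  * snapshot the header into host-private memory before parsing it;
  * verify the 802.1Q VLAN tag against the VM NIC's configured VLAN,
    since the hardware queue filter matched only the destination MAC.
All names, MACs, VLAN IDs and frames are constructed for the example.
"""
import struct

ETHERTYPE_VLAN = 0x8100
HEADER_LEN = 18            # dst(6) + src(6) + 802.1Q tag(4) + ethertype(2)
EXTERNAL_PORT = "hw0"      # hypothetical name for the physical uplink port


def parse_ethernet(hdr: bytes) -> dict:
    """Parse dst/src MAC, optional 802.1Q VLAN ID and ethertype from a header copy."""
    if len(hdr) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = hdr[0:6], hdr[6:12]
    (ethertype,) = struct.unpack("!H", hdr[12:14])
    vlan_id = None
    if ethertype == ETHERTYPE_VLAN:
        if len(hdr) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", hdr[14:18])
        vlan_id = tci & 0x0FFF        # VID is the low 12 bits of the TCI
    return {"dst": dst, "src": src, "vlan": vlan_id, "ethertype": ethertype}


def build_frame(dst: bytes, src: bytes, vlan_id, ethertype=0x0800, payload=b"\x00" * 46) -> bytes:
    """Construct a sample Ethernet frame, optionally 802.1Q tagged."""
    tag = struct.pack("!HH", ETHERTYPE_VLAN, vlan_id) if vlan_id is not None else b""
    return dst + src + tag + struct.pack("!H", ethertype) + payload


class VmPort:
    def __init__(self, name: str, mac: bytes, vlan_id):
        self.name, self.mac, self.vlan_id = name, mac, vlan_id


class VirtualSwitch:
    def __init__(self, ports):
        self.ports = {p.name: p for p in ports}
        self.mac_table = {p.mac: p.name for p in ports}   # MAC -> port it is reachable on
        self.indicated = []                                # (port, header) handed to VM stacks
        self.dropped = []                                  # (port, reason)

    def _process(self, port: VmPort, hdr: dict, header_bytes: bytes) -> bool:
        # The hardware matched dst MAC, but the VM owns the buffer, so re-check
        # against the port's assigned MAC using the host-side copy.
        if hdr["dst"] != port.mac:
            self.dropped.append((port.name, "dst MAC mismatch"))
            return False
        # VLAN isolation the queue filter did not provide. Policy assumption:
        # a port configured with a VLAN accepts only frames tagged with it.
        if port.vlan_id is not None and hdr["vlan"] != port.vlan_id:
            self.dropped.append((port.name, "VLAN mismatch"))
            return False
        # Source-MAC learning as described on the page: whatever src the host
        # sees here is recorded as reachable via the uplink.
        self.mac_table[hdr["src"]] = EXTERNAL_PORT
        self.indicated.append((port.name, header_bytes))
        return True

    def receive_protected(self, port: VmPort, vm_buffer: bytearray, vm_writes=None) -> bool:
        """Copy the header to host memory first; every later decision uses that copy."""
        snapshot = bytes(vm_buffer[:HEADER_LEN])
        if vm_writes:                 # the VM may write its buffer at any time
            vm_writes(vm_buffer)
        return self._process(port, parse_ethernet(snapshot), snapshot)

    def receive_unprotected(self, port: VmPort, vm_buffer: bytearray, vm_writes=None) -> bool:
        """Reference path without a snapshot: the host reads live VM memory."""
        if vm_writes:
            vm_writes(vm_buffer)
        live = bytes(vm_buffer[:HEADER_LEN])
        return self._process(port, parse_ethernet(live), live)


# Constructed sample addresses.
VM1_MAC = bytes.fromhex("020000000001")
VM2_MAC = bytes.fromhex("020000000002")
REMOTE_MAC = bytes.fromhex("001122334455")


def demo() -> dict:
    sw = VirtualSwitch([VmPort("vm1", VM1_MAC, 10), VmPort("vm2", VM2_MAC, 10)])
    vm1 = sw.ports["vm1"]

    # 1. Legitimate frame from a remote host on VLAN 10: indicated and learned.
    legit = sw.receive_protected(vm1, bytearray(build_frame(VM1_MAC, REMOTE_MAC, 10)))
    # 2. Same destination MAC on VLAN 20: the hardware filter passed it, the switch must not.
    other_vlan = sw.receive_protected(vm1, bytearray(build_frame(VM1_MAC, REMOTE_MAC, 20)))

    # 3. The tampering described on the page: the VM rewrites the source MAC in
    #    its own buffer after DMA, with and without the host-side snapshot.
    def rewrite_src(buf: bytearray) -> None:
        buf[6:12] = VM2_MAC

    sw.receive_protected(vm1, bytearray(build_frame(VM1_MAC, REMOTE_MAC, 10)), rewrite_src)
    vm2_after_protected = sw.mac_table[VM2_MAC]
    sw.receive_unprotected(vm1, bytearray(build_frame(VM1_MAC, REMOTE_MAC, 10)), rewrite_src)
    vm2_after_unprotected = sw.mac_table[VM2_MAC]

    return {
        "legit_indicated": legit,
        "other_vlan_indicated": other_vlan,
        "remote_learned_on": sw.mac_table[REMOTE_MAC],
        "vm2_after_protected": vm2_after_protected,
        "vm2_after_unprotected": vm2_after_unprotected,
        "drop_reasons": [reason for _, reason in sw.dropped],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")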
Therefore, it is desirable to have techniques that allow direct memory access of network communications into a VM's address space while limiting the security risks associated with doing so.