Protection Strategies for Direct Access to Virtualized I/O Devices

Commodity virtual machine monitors forbid direct access to I/O devices by untrusted guest operating systems in order to provide protection and sharing. However, both I/O Memory Management Units (IOMMUs) and recently proposed software-based methods can be used to reduce the overhead of I/O virtualization by providing untrusted guest operating systems with safe, direct access to I/O devices. This paper explores the performance and safety tradeoffs of strategies for using these mechanisms. The protection strategies presented in this paper provide equivalent inter-guest protection among operating system instances.