Xen 4.5 Boosts Virtualization Security

The widely deployed open-source virtualization technology that powers Amazon's, IBM's and Rackspace's public clouds gets a big update.

The open-source Xen virtualization hypervisor project is out today with a major milestone update providing improved performance and enhanced security features. The Xen Project is managed as a Linux Foundation Collaboration project initiative and has multiple stakeholders, including Intel, Citrix, Amazon and Rackspace.

Among the new features in the Xen 4.5 update are capabilities aimed at reducing the impact of the so-called "noisy neighbor" issue in multitenant cloud and data center environments.

"The noisy neighbor is the situation where you have two processes, A and B," Donald Dugger, virtualization architect at Intel, explained to eWEEK. "Process A can be noisy in that it runs an algorithm that dirties many entries in the cache, evicting cache entries for process B and thereby slowing down process B."

As part of Xen 4.5, Intel's Cache Monitoring Technology (CMT) is now supported, which allows users to track which processes are using how much cache and identify the noisy ones, according to Dugger: the "process A" workloads that consume too much cache.

Lars Kurth, Xen Project Advisory Board member, explained to eWEEK that CMT is an Intel-only feature. It is part of a new set of Intel hardware features that monitor CPU utilization and enable fine-grained monitoring and control of CPU resources.

"This is very interesting for the enterprise and cloud segments, in particular in multitenant environments where many different workloads run on one host," Kurth said.

Another key new feature in Xen 4.5 is known as PVH (Para Virtualization Hardware), which enables Xen to utilize Intel hardware extensions including VMX (Virtual Machine eXtensions) and EPT (Extended Page Tables).

"It [PVH] improves performance because the hardware has become very quick for nested page tables handling and other hypervisor-related operations," Stefano Stabellini, senior principal software engineer at Citrix, told eWEEK.

Stabellini noted that PVH also improves security: the guest kernel does not share an address space with the hypervisor, which helps reduce the hypercall interface exposed by Xen.

Security is also enhanced in Xen 4.5 with improved introspection of virtual guests. Xen has supported an introspection API for PV (Paravirtualization) guests only, via LibVMI since Xen 4.1, according to Kurth.

"The improvements allow introspection of HVM [Hardware Virtual Machine] guests using Intel EPT/AMD RVI hardware features, enabling the creation of malware detection software running in a dedicated privileged virtual machine," he said.

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.