Patents by Inventor Amnon Ilan

Amnon Ilan has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20220244983
    Abstract: Page request interface overhead reduction for virtual machine migration and write protection in memory may be provided by generating a page table associated with the memory; in response to receiving a write-protection command to prevent write-access to data from a portion of the memory, write-protecting a first range of memory addresses comprising the data write protected from the portion of the memory, wherein a second range of memory addresses comprises data not write protected in the memory; and modifying the page table to include a page table entry associated with the first range of memory addresses being write-protected, wherein write access to a memory address in the first range of memory addresses by a device during write-protection is tracked.
    Type: Application
    Filed: April 25, 2022
    Publication date: August 4, 2022
    Inventors: Michael Tsirkin, Amnon Ilan
  • Patent number: 11394786
    Abstract: Systems and methods for zero-copy forwarding for network function virtualization (NFV). An example method comprises: receiving, by a hypervisor of a host computer system, a definition of a packet filter originated by a virtual machine running on the host computer system; responsive to validating the packet filter, associating the packet filter with a vNIC of the virtual machine; receiving, by the hypervisor, a network packet originated by the vNIC; and responsive to matching the network packet to a network connection specified by the packet filter, causing the packet filter to forward the network packet via the network connection.
    Type: Grant
    Filed: November 18, 2019
    Date of Patent: July 19, 2022
    Assignee: Red Hat, Inc.
    Inventors: Amnon Ilan, Michael Tsirkin
  • Publication number: 20220179684
    Abstract: Methods and systems for improved live migration of computing processes with guaranteed maximum downtime are provided. In a first embodiment, a method is provided that includes migrating a computing process between two virtual machines according to a first migration phase. The computing process may continue executing during the first migration phase. A second migration phase may begin, in which execution of the computing process may stop. It may be detected that a duration of the second migration phase exceeds a predetermined period of time, and the second migration phase may be halted such that the computing process continues executing on an original virtual machine. The predetermined period of time can be determined based on a downtime for resuming execution of the computing process and a predicted worst case start time for the computing process.
    Type: Application
    Filed: December 4, 2020
    Publication date: June 9, 2022
    Inventors: Michael Tsirkin, Amnon Ilan
  • Publication number: 20220171852
    Abstract: Systems and methods for verifying firmware before it is loaded to a memory device are presented herein. An amount of available memory remaining in a memory device after firmware is written to the memory device is determined, and padding data having a size equal to the determined amount of remaining available memory is generated and appended to the firmware (e.g., the firmware is padded with the padding data). In this way, there is no room for malicious code or a malicious version of the firmware in the memory device. A processing device may determine a verification value of the padded firmware and store the verification value. The verification value may be a cryptographic hash of the padded firmware or a cryptographic signature of the padded firmware. The padded firmware is then written to the memory device. The firmware may be read from the memory device and verified using the verification value.
    Type: Application
    Filed: November 30, 2020
    Publication date: June 2, 2022
    Inventors: Michael Tsirkin, Amnon Ilan
  • Publication number: 20220171851
    Abstract: A method includes detecting a change in control of a peripheral device from a first security domain to a second security domain of a computer system and in response to detecting the change in control of the peripheral device, reading a current firmware version of the peripheral device and determining whether the current firmware version of the peripheral device is trusted by the computer system. The method further includes in response to determining that the current firmware version is trusted by the computer system, providing control of the peripheral device to the second security domain.
    Type: Application
    Filed: November 30, 2020
    Publication date: June 2, 2022
    Inventors: Michael Tsirkin, Amnon Ilan
  • Publication number: 20220156103
    Abstract: Aspects of the disclosure provide for mechanisms for securing virtual machines in a computer system. A request for a resource is received by a processing device. The request is initiated by a guest application. A determination is made by the processing device of whether an initialization of the guest application is completed. In response to a determination that the initialization of the guest application is completed, at least one system call associated with the request initiated by the guest application is blocked to reject execution of the request for the resource.
    Type: Application
    Filed: January 31, 2022
    Publication date: May 19, 2022
    Inventors: Michael Tsirkin, Amnon Ilan
  • Patent number: 11237859
    Abstract: Aspects of the disclosure provide for mechanisms for securing virtual machines in a computer system. A method of the disclosure includes: receiving a first resource request initiated by an application running on a virtual machine during initialization of the application; allocating, by a hypervisor, a resource to the application in view of the first resource; and in response to receiving a message indicating completion of the initialization of the application, blocking, by the hypervisor, at least one hypercall initiated by the virtual machine. The completion of the initialization of the application may correspond to initiation of execution of the application using the allocated resource.
    Type: Grant
    Filed: November 28, 2018
    Date of Patent: February 1, 2022
    Assignee: Red Hat Israel, Ltd.
    Inventors: Michael Tsirkin, Amnon Ilan
  • Publication number: 20210382747
    Abstract: Technology for configuring and executing a shallow virtual machine to enhance memory protection between different portions of user space memory of a particular computing process. An example method involves: receiving, by a processor of a host, a request to create a computing process comprising a first and second executable code, wherein the computing process comprises an instruction to cause the processor to switch between first and second page table structures; loading the first and second executable code into memory of the host, wherein the first page table structure comprises mapping data for the first executable code and for the second executable code and wherein the second executable code comprises driver code of a device; updating the second page table structure to disable execution of the first executable code and to provide the second executable code with access to the device; and restricting the first executable code from accessing the device.
    Type: Application
    Filed: August 23, 2021
    Publication date: December 9, 2021
    Inventors: Michael Tsirkin, Amnon Ilan
  • Patent number: 11182092
    Abstract: The present disclosure provides a new and innovative system, methods and apparatus for PRI overhead reduction for virtual machine migration. In an example, a system includes a memory and a hypervisor. The memory includes a plurality of memory addresses on a source host. The hypervisor is configured to generate a migration page table associated with the memory. The hypervisor is also configured to receive a migration command to copy data from a portion of the memory to a destination host. A first range of memory addresses includes data copied from the portion of the memory and a second range of memory addresses includes data that is not copied. The hypervisor is also configured to modify the migration page table to include a page table entry associated with the first range of memory addresses being migrated from the source host to the destination host.
    Type: Grant
    Filed: July 14, 2020
    Date of Patent: November 23, 2021
    Assignee: Red Hat, Inc.
    Inventors: Michael Tsirkin, Amnon Ilan
  • Patent number: 11182197
    Abstract: Systems and methods for implementing guest-initiated announcement of virtual machine migration. An example method may comprise: receiving, by an origin hypervisor running on an origin computer system, a migration announcement of a virtual machine; copying at least a part of a state of the virtual machine to a destination computer system; and responsive to stopping the virtual machine on the origin computer system, causing a destination hypervisor running on the destination computer system to broadcast the migration announcement over a network associated with the destination computer system.
    Type: Grant
    Filed: February 21, 2020
    Date of Patent: November 23, 2021
    Assignee: Red Hat Israel, Ltd.
    Inventors: Michael Tsirkin, Amnon Ilan
  • Patent number: 11099874
    Abstract: Technology for configuring and executing a shallow virtual machine to enhance memory protection between different portions of user space memory of a particular computing process. An example method may involve: associating a computing process with a virtual machine data structure, wherein the computing process initiates an update to the virtual machine data structure to cause a processor to switch between page table structures; loading first and second executable code into user space memory of the computing process, wherein a first page table structure comprises mapping data for the first and second executable code and wherein the second executable code comprises driver code of a device; updating the second page table structure to disable execution of the first executable code and to map a portion of the user space memory to the device; and restricting the first executable code from accessing the memory mapped device.
    Type: Grant
    Filed: January 28, 2019
    Date of Patent: August 24, 2021
    Assignee: Red Hat Israel, Ltd.
    Inventors: Michael Tsirkin, Amnon Ilan
  • Patent number: 11070629
    Abstract: An indication that a virtual machine has been migrated may be received. In response to receiving the indication, one or more network addresses associated with the virtual machine may be identified. A notification message corresponding to the one or more network addresses may be generated. The notification message may be transmitted on networks for the one or more network addresses. The virtual machine may determine whether a response message has been received for each of the one or more network addresses. The virtual machine may transmit a subsequent notification message in view of determining that at least one response message has not been received for at least one of the one or more network addresses.
    Type: Grant
    Filed: August 30, 2017
    Date of Patent: July 20, 2021
    Assignee: Red Hat Israel, LTD
    Inventors: Michael Tsirkin, Amnon Ilan
  • Publication number: 20210152642
    Abstract: Systems and methods for zero-copy forwarding for network function virtualization (NFV). An example method comprises: receiving, by a hypervisor of a host computer system, a definition of a packet filter originated by a virtual machine running on the host computer system; responsive to validating the packet filter, associating the packet filter with a vNIC of the virtual machine; receiving, by the hypervisor, a network packet originated by the vNIC; and responsive to matching the network packet to a network connection specified by the packet filter, causing the packet filter to forward the network packet via the network connection.
    Type: Application
    Filed: November 18, 2019
    Publication date: May 20, 2021
    Inventors: Amnon Ilan, Michael Tsirkin
  • Patent number: 10838752
    Abstract: A method includes receiving, by a processing device of a monitoring node, an indication over a network that a virtual machine successfully migrated from a first host to a second host. The indication includes a virtual machine address of the virtual machine executing on the second host. The method also includes, responsive to the indication that the virtual machine successfully migrated from the first host to the second host, starting to monitor incoming packets of the monitoring node for an incoming packet that includes a source address field having the virtual machine address, and, upon determining, after a threshold period of time, that none of the incoming packets include the source address field having the virtual machine address, notifying a reporting node that the incoming packet was not received to facilitate performance of an action to reduce downtime of communication with the virtual machine over the network.
    Type: Grant
    Filed: August 28, 2017
    Date of Patent: November 17, 2020
    Assignee: Red Hat Israel, Ltd.
    Inventors: Michael Tsirkin, Amnon Ilan
  • Publication number: 20200241906
    Abstract: Technology for configuring and executing a shallow virtual machine to enhance memory protection between different portions of user space memory of a particular computing process. An example method may involve: associating a computing process with a virtual machine data structure, wherein the computing process initiates an update to the virtual machine data structure to cause a processor to switch between page table structures; loading first and second executable code into user space memory of the computing process, wherein a first page table structure comprises mapping data for the first and second executable code and wherein the second executable code comprises driver code of a device; updating the second page table structure to disable execution of the first executable code and to map a portion of the user space memory to the device; and restricting the first executable code from accessing the memory mapped device.
    Type: Application
    Filed: January 28, 2019
    Publication date: July 30, 2020
    Inventors: Michael Tsirkin, Amnon Ilan
  • Publication number: 20200192696
    Abstract: Systems and methods for implementing guest-initiated announcement of virtual machine migration. An example method may comprise: receiving, by an origin hypervisor running on an origin computer system, a migration announcement of a virtual machine; copying at least a part of a state of the virtual machine to a destination computer system; and responsive to stopping the virtual machine on the origin computer system, causing a destination hypervisor running on the destination computer system to broadcast the migration announcement over a network associated with the destination computer system.
    Type: Application
    Filed: February 21, 2020
    Publication date: June 18, 2020
    Inventors: Michael Tsirkin, Amnon Ilan
  • Publication number: 20200167180
    Abstract: Aspects of the disclosure provide for mechanisms for securing virtual machines in a computer system. A method of the disclosure includes: receiving a first resource request initiated by an application running on a virtual machine during initialization of the application; allocating, by a hypervisor, a resource to the application in view of the first resource; and in response to receiving a message indicating completion of the initialization of the application, blocking, by the hypervisor, at least one hypercall initiated by the virtual machine. The completion of the initialization of the application may correspond to initiation of execution of the application using the allocated resource.
    Type: Application
    Filed: November 28, 2018
    Publication date: May 28, 2020
    Inventors: Michael Tsirkin, Amnon Ilan
  • Patent number: 10628198
    Abstract: A hypervisor may identify that a virtual machine has been migrated to the hypervisor from another hypervisor. In response to identifying that the virtual machine has been migrated, the hypervisor may provide a notification message including one or more network addresses associated with the migrated virtual machine. The hypervisor may receive network traffic data and determine that the received network traffic data corresponds to a response message for at least one of the one or more network addresses associated with the migrated virtual machine. The hypervisor may determine that each of the one or more network addresses has not received the response message and provide a subsequent notification message.
    Type: Grant
    Filed: August 30, 2017
    Date of Patent: April 21, 2020
    Assignee: Red Hat Israel Ltd.
    Inventors: Michael Tsirkin, Amnon Ilan
  • Patent number: 10572289
    Abstract: Systems and methods for implementing guest-initiated announcement of virtual machine migration. An example method may comprise: receiving, by an origin hypervisor running on an origin computer system, a migration announcement of a virtual machine; copying at least a part of a state of the virtual machine to a destination computer system; and responsive to stopping the virtual machine on the origin computer system, causing a destination hypervisor running on the destination computer system to broadcast the migration announcement over a network associated with the destination computer system.
    Type: Grant
    Filed: August 28, 2017
    Date of Patent: February 25, 2020
    Assignee: Red Hat Israel, Ltd.
    Inventors: Michael Tsirkin, Amnon Ilan
  • Patent number: 10540294
    Abstract: A hypervisor detects a virtual device configured by a virtual machine, generates a para-virtualized networking interface between the virtual device and a memory space within hypervisor memory, maps the memory space to a peripheral component interconnect (PCI) memory space of the virtual machine, and configures the memory space to be accessible to a physical device via direct memory access (DMA), where the physical device is associated with the virtual device of the virtual machine. The hypervisor then transfers packets between the virtual machine and the physical device using the para-virtualized networking interface.
    Type: Grant
    Filed: February 17, 2017
    Date of Patent: January 21, 2020
    Assignee: Red Hat Israel, Ltd.
    Inventors: Michael Tsirkin, Amnon Ilan