High Assurance Virtualization Engine (HAVEN)
This FPGA-based virtualization engine addresses the reliability, performance, and security limitations of current software-based virtualization technologies.
Virtualization technology has been around since the late 1960s. Initially, it was conceived to maximize utilization of expensive hardware by running multiple instances of an operating system (OS) using virtual machines (VM). In the past decade, virtualization has become popular due to its cost and space-saving advantages.
Virtualization consolidates underutilized servers and workstations while maintaining isolation. For software developers, virtualization provides an environment to develop, test, and debug system software such as kernel and device drivers. Traditionally, separate computers were required to develop and test system software. Virtualization also allows developers to test the reliability of an application by simulating hardware bottlenecks and failures.
HAVEN (High Assurance Virtualization ENgine) is a field programmable gate array (FPGA)-based virtualization technology that implements much of the traditional hypervisor functionality in FPGAs instead of in software. HAVEN was prototyped using FPGA-based secure co-processing to address the limitations of current virtualization technologies. Specifically, HAVEN:
- Increased reliability via a hardware-assisted virtual I/O subsystem for each VM.
- Improved performance by minimizing context switches back to the controller VM and by using a hardware virtual I/O manager.
- Improved security by protecting storage and communication channels using FPGA-assisted encryption and authentication.
The high assurance virtualization platform will enable:
- Use of virtualization in mission-critical and high-assurance applications.
- High-assurance/high-performance computing platform that provides application-level compartmentalization.
There are two main parts to HAVEN: a Secure Virtual I/O Manager (SIM) and a Secure Memory Manager (SMM). The SIM implements a virtual PCI controller along with multiple virtual Network Interface Cards (NICs) in conjunction with independent data buffers on a single FPGA. The CPU sees multiple NICs even though there is only one true physical card. The SMM registers a memory range with the CPU and ensures that all memory managed by the SMM is encrypted and only decrypted when it is moved to the CPU cache.
This work was done by Ramesh Karri, Nasir Memon, Vikram Padman, and Pratik Mathur of the Polytechnic Institute of NYU for the Air Force Research Laboratory. For more information, download the Technical Support Package (free white paper) at www.defensetechbriefs.com/tsp under the Electronics/Computers category. AFRL-0142
This Brief includes a Technical Support Package (TSP).