| 摘要 |
Techniques are disclosed for increasing the security of a system where incoming network packets are directly placed into the memory space of a virtual machine (VM) operating system (OS) running on the system via direct memory access (DMA). In an embodiment, each packet is split into a first portion, which requires further processing, and a second portion, which may be immediately placed into the VM OS's memory address space. When the host OS running on the system completes processing the first portion, it places it directly before the second portion in the VM OS memory space and indicates to the VM OS that a packet is available. Techniques are further disclosed that mitigate the security risk in such systems related to VLAN ID configuration.
|
