Customizable Multimedia Devices in Virtual Environments

Ankur Pai, Balasubramanian Seshasayee, Himanshu Raj and Karsten Schwan Center for Experimental Research in Computer Systems Georgia Institute of Technology Atlanta, Georgia 30332–0250 {paiankur, bala, rhim, schwan}@cc.gatech.edu

Abstract—The separation of logical from physical devices maintain a consistent view of physical devices by presenting provided by modern virtualization techniques can be used to only a common minimal set of device features is too limiting enhance device functionality, including by emulating non-native and worse, it cannot account for changes in the environmental device functions in software. Such logically extended devices are particularly promising in the mobile domain, for embedded conditions or contexts in which devices are used. machines, handhelds, or phones. Challenges arise, however, from We argue that device sharing and interoperation in mobile the highly heterogeneous nature of portables and the devices with systems requires models and interfaces with which virtual- which they can interact. This suggests that device extensions ization infrastructures can dynamically change device func- should be dynamic, varied at runtime to adjust to new user needs and/or changes in environmental conditions. This paper tionality to account for runtime changes in device use, con- presents a model for runtime device extension and for then using ditions, and contexts. This paper presents such a model. It such extended devices. The model provides uniform interfaces to implements the safe, runtime extension of device functionality, native and extended devices, permits the safe runtime extension by enabling the virtualization layer, guest operating systems, of device functionality, and can be shown to operate across both or applications to safely specify and deploy custom code that stationary and mobile platforms, and arbitrary operating systems and applications. The model is implemented with the Xen virtual runs in conjunction with device accesses. This approach entails machine monitor (VMM) and shown useful for a Video4Linux a number of benefits, as detailed below: (V4L) multimedia device used by applications. Enhancements of • device functionality implemented in this context include image It provides a uniform view of devices to VMs, indepen- filtering and routing to remote clients, for camera devices using dent of the physical host. For instance, a TCP network V4L drivers and for applications using V4L, with small costs device may be implemented in software, by providing the incurred for runtime extension and/or changes to the logical TCP stack to the virtualization layer, or in hardware, by device, and with moderate execution costs exploiting the TCP offloading functions of an enhanced I. INTRODUCTION network interface [7]. The VMs using such a device need not be cognizant of how the TCP device is realized. Virtualization techniques enable a single device to be shared • It can be tuned to available hardware resources. For among several virtual machines (VMs), by deciding, at the instance, in the previous example, a node lacking a driver layer, how requests made to the virtual device are network interface supporting the offloading feature may mapped to the underlying physical platform. These decisions instead have a coprocessor that can be used to implement can be made without knowledge of the applications and the feature [3], without the VM being aware of this fact. operating systems using these devices, thereby ensuring porta- • It enables efficient use of remote devices. For instance, bility and interoperability without changes to participating an imaging application that requires only those frames systems and applications. Furthermore, this approach makes captured by a remote camera that contain specific fea- it possible to emulate, in software, devices that may not be tures can provide feature selection code that determines present physically [1], to transparently route requests to remote said features. Such an extension can use this code to devices when local ones are not available [2], and to even filter traffic, providing only the frames of interest to improve the functionality of physical devices by enhancing the application, thereby reducing communication and their virtual realization [3], [4]. computational overheads experienced by the application This paper addresses device sharing and interoperation in and the platform on which it runs [8]. the mobile domain, where challenges for device emulation • It opens up new possibilities for sharing device func- and extension are due to the diversity of actual devices, of tionality. Extending the previous example, when multiple device capabilities, and of the contexts in which they operate. VMs are interested in the same image features, common Additional challenges in the mobile domain are caused by the data can be shared at the device driver layer itself. fact that virtual machine migration, an important function in virtualized systems, will be difficult [5] without functionality A known problem associated with the runtime extension in addition to that provided by commercial products for data of system-level software by applications is safety [9], where centers [6]. For instance, an approach that allows VMs to faulty or even malicious code injected by applications into the Fig. 1. VMedia Architecture system layer can affect the behavior of other VMs that rely of the underlying hardware used to access the physical de- on the system. In our implementation, termed CustomCam, vice (such as PCI, USB, etc., or even network-based remote we use the split device driver model afforded by the Xen cameras), and instead, via V4L calls. The MediaGraph ab- hypervisor, on which we implement an overlay-based mid- straction used in VMedia further enhances this approach by dleware framework in the device backend (i.e., in the device allowing flexible mappings to be performed between logical driver layer). This middleware permits the runtime extension and physical devices. For instance, the size of a captured of overlay functions by allowing arbitrary code fragments to image may be enhanced by using concatenated images from be included into the overlay, i.e., into the device feature set, two physical cameras. MediaGraph also encourages increased at any time deemed appropriate by the application. Safety sharing among VMs, where based on the type of images is attained by use of dynamic code generation, where code desired by several VMs, opportunities to share the images fragments specified in a safe subset of the C language [10], are exploited by performing software-based transforms on and runtime binary code generation guarantees that such code captured images, thus reducing contention on the physical cannot damage other elements of the device driver layer. Ex- device. perimental results indicate that the cost of setting and resetting VMedia uses the Xen split driver model to separate logical such custom code is small (16ms and 1.2ms, respectively, from physical devices. As shown in Figure 1, it has a logical for the codes used in our experimentation). Further, running V4L-based video device driver as a frontend within each guest the custom code in the driver layer does not add significant domain, and a backend running in the service domain. Xen overheads to the layer’s execution. Results also show that links frontend and backend via an efficient messaging system, sharing custom codes among multiple applications and the termed event channels, and data transfers are carried out using VMs that run them can yield savings compared to domain- shared pages. The backend interacts with the physical device level implementations of such functions. and provides device data to the frontend. In VMedia, the The remainder of the paper is organized as follows. Sec- backend uses the EV(ent)Path [11] overlay-based middleware tion II overviews VMedia, followed by Section III, which framework to implement the communication and computation discusses the architecture of CustomCam. Isolation and shar- actions necessary to extend Xen’s basic virtualized devices to ing properties of CustomCam are discussed in Sections IV our device model. With this middleware, device accesses are and V respectively. Section VI discusses typical usage sce- performed via overlay graphs composed of software entities, narios for CustomCam, and experimental results are shown in termed ‘stones’, that handle and process device messages Section VII. Related work is covered in Section VIII, while (events) traversing the overlay linking backend to physical Section IX concludes the paper. device. With EVPath and in contrast to Xen’s event-based VM- VM communication mechanism, linkages between stones can II. VMEDIA OVERVIEW extend across multiple machines and as stated above, compu- CustomCam is built on top of the VMedia framework tations can be performed as events traverse the overlay. In this ( [4]). VMedia is a multimedia sharing framework that presents fashion, higher level services or applications are composed as logical video devices to VMs, via the standard V4L interface. sets of computations that can filter events, forward them, or Consequently, device virtualization is carried out independent transform them. Because these computations are specified in ECL (a subset of the C language supporting loop, conditional, In addition to the isolation mechanism, guest VMs can also and return statements), they can serve the needs of individual benefit from recovery functionality. To handle cases where a applications and diverse devices. Further, ECL uses dynamic VM ends up corrupting its custom functionality because of binary code generation to deploy specified computations into malicious code, the parent process can periodically check the stones, supporting an anywhere, anytime code deployment status of its children processes and create a new process to model. Finally, for complex computations, the option exists continue serving the VM. On the other hand, the designer to associate pre-compiled shared object modules with stones. can also decide to notify the affected VM via an error code, Jointly, these features constitute a powerful means for dy- on the next operation performed, thus allowing the VM to namically extending the methods used for device access and take its own recovery actions. The error notification already control. We next explain how these are used to create custom supported by CustomCam can be easily extended to perform camera devices in mobile settings. such recovery. Although custom functionality is performed in separate III. CUSTOMCAM ARCHITECTURE address spaces, such function are always run within the service Extending the basic V4L API, CustomCam provides an domain, or dom0 – the domain that handles all device I/O. We ioctl interface to the video driver for managing custom exploit this fact to implement performance isolation. Specif- functionality, adding the request codes VIDIOSCUSTOM and ically, since dom0 implements the functionality on behalf of VIDIOGCUSTOM to the existing set of V4L codes. These the corresponding VM, accounting is performed by having commands are used to set and get the custom functions each child process in dom0 periodically track its resource associated with CustomCam, respectively. The prototypes of usage, using the SystemV getrusage() call. It shares this these calls are as follows: information with the VMM via hypercalls. In Xen, the VMM, int fd; then, can use this information to track the resource usage char *func; (and limit it, if needed) in the driver domain by each guest int ioctl(fd, VIDIOSCUSTOM, func); // set VM. This information, in conjunction with the information int ioctl(fd, VIDIOGCUSTOM, func); // get the Xen scheduler already maintains about the guest VM (i.e., time spent in various runstates – running, runnable, A custom code, represented as an ECL function, is passed as blocked and offline) can then be used to ensure fair resource a string argument. The first call sets the custom function to allocation across each guest VM and the associated dom0 the string passed as func, whereas the second call obtains resident device extension functionality required/used by the the current custom code. An example ECL function is shown guest. An extension of this functionality can provide support in Section VI. for Quality of Service (QoS), by making the underlying VM The overall architecture of CustomCam is illustrated with an scheduler aware of the QoS needs of individual VMs. example in Figure 2. Implemented as an extension of VMedia, CustomCam is shown serving three domains, dom1-3, all V. SHARING IN CUSTOMCAM using the custom functionality feature. Stones are represented A potential advantage of solutions like CustomCam is the as ovals/circles. On the receipt of a VIDIOSCUSTOM ioctl ability to share code and code executions across multiple call, the backend creates a new process (process1 in the figure, clients. In CustomCam, the results of certain custom code for domain dom1), and creates a stone within the process, could be shared by several mutually trusting domains that deploying the given custom function to it. Next, it also makes require the same functionality. This is achieved by maintaining the connections between output from the VMedia backend, as a list of the custom codes set by VMs. If a new VM requests well as to the domain-specific backend. The domain-specific setting a custom code, it compares this against the list, and backend is linked with the frontend using Xen’s event channel if a match is found, the overlay’s stones are appropriately mechanism. In the absence of the VIDIOSCUSTOM call, the linked in order to share the same resources. The current output from the VMedia backend is directly sent to the implementation uses a simple string-based comparison of the frontend, without any overheads. A NULL function passed codes, but a more sophisticated matching mechanism based via the VIDIOSCUSTOM call undoes any previous custom on formal methods can be used to detect nonidentical codes functionality already set, by freeing the stones and terminating with the same functionality. In the example shown in Figure 2, the corresponding process. domains dom2 and dom3 share the custom code defined by g(). IV. CODE ISOLATION AND ACCOUNTING Since isolation is absent, it is important that only mutually In order to conform with the goals of virtualization, namely, trusting domains share their resources. Furthermore, in such providing isolation between VMs, every custom function is cases, the resources spent in executing the custom code are ac- executed in a separate address space. As a result, a VM counted for equally across all the domains sharing it. We have injecting malicious code will end up corrupting only its own not yet considered more sophisticated accounting methods. A device accesses, and other VMs are not affected. This allows related problem addressed by CustomCam is code reuse, where mutually untrusting VMs to share the same device, with the custom codes previously used by a domain are not discarded illusion of exclusivity maintained. but saved for future use [12]. In response to new domains V4L dom1 f() frontend

process1 V4L dom2 VMedia frontend backend

g() V4L dom3 frontend

process2 dom0

Fig. 2. CustomCam Example Usage requesting the same custom code, the existing resources are only if the area is lit, it may select a custom code that simply reused, thereby speeding up code deployment. performs this check and returns the image only if the check is successful. This functionality is particularly useful when the VI. CUSTOMCAM USAGE SCENARIOS camera is remote because unnecessary frames discarded ‘at the source’ do not needlessly use potentially scarce network CustomCam currently accepts ECL-based custom codes. An resources. Further, though ECL codes allow some state to be example ECL code for performing grayscaling is shown below. maintained, it is primarily used for event-based computation, { and hence, no state is assumed. This is especially important int col; with VM migration. CustomCam maintains the state of the int row; device entirely in the frontend, and hence state-maintenance int indx; during migration is handled by the VMM. int outIndx; CustomCam makes it easy to use specialized hardware. For int tmp; example, in the presence of an on-board DSP processor, some image processing functions specified via ECL can be executed output.width = input.width; directly on the specialized processor. In mobile domains, this output.height = input.height; can also be realized by offloading this functionality to a indx = 0; nearby, more powerful processor. Allowing the CustomCam outIndx = 0; implementation to make such choices based on currently for (row = 0; row < input.height; available hardware frees the individual guest domains and their row = row + 1) { applications from adapting to platform specifics, including for ( col = 0; col < input.width; during VM migration. col = col + 1) { The concepts embedded in CustomCam can be extended tmp = 0.5 + (0.299 * input.buff[indx] to other sensor devices. Since applications using sensor data + 0.587 * input.buff[indx+1] typically perform continuous data acquisition and processing, + 0.114 * input.buff[indx+2]); they can potentially benefit from use-specific device customiz- output.buff[outIndx] = tmp; ability. indx = indx + 3; VII. EXPERIMENTAL EVALUATION outIndx = outIndx + 1; } We evaluate CustomCam on a system with 3.2GHz dual- } core Pentium-D processor and 3GB of RAM. To this machine output.size = output.width*output.height; is attached a Kensington SE401 USB-based camera. The return 1; service VM (Dom0) running the VMedia runtime is allocated } 512 MB RAM and one of the physical CPUs, and runs the Linux 2.6.16 kernel. The other CPU is shared among guest This ECL function accepts an input and an output VMs, as determined by Xen’s scheduling policy. The VMM image as its parameters, and returns an integer value. This virtualizing the desktop system is Xen version 3.0.4 [13]. return value determines whether the image should be further First, we conduct microbenchmarks on the ioctl() processed or dropped. This is useful, for instance, when an operations supported by CustomCam. This consists of a application requires images conditionally. An example is an VIDIOSCUSTOM, VIDIOGCUSTOM and a NULL call that application monitoring an area of interest that may be lit undoes the operations of a VIDIOSCUSTOM. The results are or not. If the application desires images from the camera shown in Table I. Operations Cost (ms) 120 VIDIOSCUSTOM 16.11 Raw Read CustomCam Transform Process creation and setup 11.96 Userspace Transform EVPath operations 4.11 115 Miscellaneous 0.04 VIDIOSCUSTOM (Sharing) 0.12 110 VIDIOGCUSTOM 0.03

Undo VIDIOSCUSTOM 1.16 105 TABLE I COSTS OF CUSTOMCAM ioctl OPERATIONS 100 Latency (ms) 95

90

85

80 0 20 40 60 80 100 120 140 160 180 200 Read (#)

Fig. 4. Read Latencies for Various Schemes

Fig. 3. CustomCam vs. User-space Transformation

As shown, process creation takes up roughly 75% of the overall cost of setting up the custom code, and EVPath operations take up most of the rest, with an overall cost of about 16.11ms. Since only the first such call needs to perform these actions, with all subsequent calls simply sharing the same process and stones, subsequent calls require only 0.12ms. Undoing the VIDIOSCUSTOM call, i.e., freeing the process Fig. 5. Jitter Comparison and the stones, costs roughly 1.16ms, whereas getting the custom code is a very light-weight operation, since it involves only a send to the appropriate domain. Next, we apply example custom codes and compare them against executing the respective code within the domain. Figure 3 shows these costs for three image transformation codes drawn from real world applications – grey scaling, linear contrast scaling and edge detection. On average, the performance attained using CustomCam is very close to that when transformation is performed within a domain, in user space. It is to be noted that these ECL codes were hand optimized due to the absence of many optimizations in binary code generation. Since the binary code generator is designed to be invoked during run-time and has a limited memory footprint, its output is unable to match compiler generated code’s optimizations. This can be rectified by enabling the execution of functions in shared objects. The loss in portability of such a scheme is traded off against the gain in code performance. Fig. 6. Remote vs. Local Access Figure 4 plots the latency observed for each read access, over multiple reads performed continuously. Three cases – (i) provide safety properties [9]. In contrast, practical techniques reading the image, (ii) reading the image when transformation like those used by kernel plugins [18] exploit certain features is handled by the CustomCam, and (iii) reading the image of computer architectures to guarantee isolation between ex- with transformation handled by the user space – are compared. tensions and OS kernels. Our work uses a combination of The figure shows that with CustomCam, the jitter is mostly language safety and hardware support to isolate the extensions comparable to and only slightly higher than for the other performed by different applications and to continue to guar- two cases. Since the transformation action runs in the user antee safe operation when extensions are faulty or malicious. space of a different domain(dom0) in CustomCam, scheduling The Nooks project [19] extends this idea to isolate device actions on both the domains affect the latency of its reads. drivers into lightweight protection domains inside the kernel However, Figure 5 shows the effect of number of VMs on address space, and further restarts a failed driver transparent the jitter observed. Grey scaling is used as the transformation, to the client. The idea of isolating device drivers into their and with CustomCam, this code is shared among the VMs. own VMs has also been studied previously [20]. Jitter is measured as the standard deviation of read latencies. As discussed previously, the concepts discussed in this paper As the number of VMs is increased, the jitter experienced by are implemented using the VMedia multimedia virtualization CustomCam and raw reads stays almost constant, whereas with framework [4]. While VMedia addresses media devices, its user space transformation, the value increases rapidly. These concepts can also be used to virtualize arbitrary devices and benefits are achieved due to sharing: as CustomCam allows services [21]. Finally, some of the concepts presented in this different VMs to perform their transformations in a centralized paper have been evaluated for a kernel-level implementation, manner, repeated switching among VMs is reduced. with the CameraCast [22] set of mechanisms, which enforce The final portion of the experiments are conducted across capability based differential data protection on remote multi- two instances of CustomCam, running in two separate nodes media feeds, exploiting the aforementioned kernel plugins [18] linked by a Gigabit ethernet switch. A domain served by isolation mechanism. CustomCam makes use of a remote camera, which is phys- The concept of extended or ‘smart’ devices has been shown ically accessed by another instance of CustomCam. Reads useful in many other contexts, including with our own work on are performed on the devices repeatedly and the latencies self-virtualizing network interfaces and on smart NICs [23], measured. As seen in Figure 6, remote reads incur slightly the latter performing application-specific processing of net- higher latency and jitter than local ones. The remote Custom- work packets at the device level, thereby freeing the CPU Cam implementation has a slightly higher cost and jitter than to perform other work [24]. ‘Smart’ devices have also been performing a remote read and carrying out the transformation shown useful for storage [25]. itself locally, in user-space. However, if the transformation can IX. CONCLUSIONS & FUTURE WORK also perform filtering – i.e., selectively allowing remote images depending on their content, unnecessary reads can be avoided. This paper discusses customizable multimedia devices in a CustomCam allows this functionality whereas the user-space virtualized environment. Customization is achieved by allow- transformation does not, ing any VM using the device to specify functions to be applied to data handled by the device. The design also allows for VIII. RELATED WORK sharing these custom function among several mutually trusting The extension of data streams with application-specific VMs. codes has been studied at multiple levels of abstraction. At The work described here is part of a larger research effort the network level, in Active Networks [12], code injected by on I/O virtualization( [21]), including multimedia devices [4], a user to a router operates on and possibly modifies, packets object-based storage [26], and remote devices [27]. Our current passing through it. Further, Smart Messages [14] enable user- & future efforts focus on the efficient addition of functionality defined distributed applications to execute over a wireless to I/O virtualization techniques, and on combining services network of embedded systems. At middleware levels, runtime with existing device functionality to further provide enhanced code injection is a key part of publish-subscribe software features to logical devices. With the availability of different de- (e.g., ECho [15]), which uses this to filter and modify events, vice types in the mobile domain and the increasingly complex based on a subscriber’s requirements. CustomCam exploits the applications using them, benefits concerning interoperability methods used in ECho to implement this, namely, via ECL are substantial, but challenges remain due to hardware resource codes [10]. Though ECL does not guarantee type-safety, other limitations and the need to efficiently manage interoperation, type-safe implementations (e.g., Cyclone [16]) could also be sharing and extension. used. REFERENCES Safety properties must be guaranteed when applications are [1] J. Sugerman, G. Venkitachalam, and B.-H. Lim, “Virtualizing I/O permitted to extend trusted domains. Proof carrying code [17] Devices on VMware Workstation’s Hosted Virtual Machine Monitor,” is one way to attain safety, whereby the code carries a ‘proof’ in Proc. of USENIX ATC, 2001. generated by a certifying compiler, that the code satisfies the [2] S. Kumar, S. Agarwala, and K. Schwan, “Netbus: A Transparent Mechanism for Remote Device Access in Virtualized Systems,” properties an agreed safety policy. The proof can then be Georgia Tech, Tech. Rep. GIT-CERCS-07-08, 2008. [Online]. Available: verified, prior to execution. Safe languages are another way to http://www.cercs.gatech.edu/tech-reports/tr2007/git-cercs-07-08.pdf [3] H. Raj and K. Schwan, “High Performance and Scalable I/O Virtualiza- tion via Self-Virtualized Devices,” in Proc. of HPDC, 2007. [4] H. Raj, B. Seshasayee, and K. Schwan, “Vmedia: Enhanced multimedia services in virtualized systems,” in Proceedings of Multimedia Comput- ing and Networking, 2008. [5] H. Raj et al., “Spirits: Using virtualization and pervasiveness to manage mobile robot software systems,” in SelfMan, 2006. [6] “The VMWare ESX Server,” http://www.vmware.com/products/esx/. [7] H. youb Kim and S. Rixner, “Tcp offload through connection handoff,” in Proc. of EuroSys, 2006. [8] F. Bustamante, G. Eisenhauer, P. Widener, K. Schwan, and C. Pu, “Active streams: An approach to adaptive distributed systems,” in HotOS, 2001. [9] B. Bershad et al., “Extensibility safety and performance in the spin operating system,” in SOSP, 1995. [10] G. Eisenhauer, “Dynamic code generation with the e-code language,” College of Computing, Georgia Institute of Technology, Tech. Rep. GIT- CC-02-42, 2002. [11] “EVPath,” http://www.cc.gatech.edu/systems/projects/EVPath/. [12] T. von Eicken, D. E. Culler, S. C. Goldstein, and K. E. Schauser, “Active messages: a mechanism for integrated communication and computation,” in Proceedings of International Symposium on Computer Architecture, 1992. [13] I. Pratt et al., “Xen 3.0 and the Art of Virtualization,” in Proc. of the Ottawa Linux Symposium, 2005. [14] P. Kang, C. Borcea, G. Xu, A. Saxena, U. Kremer, and L. Iftode, “Smart messages: A distributed computing platform for networks of embedded systems,” The Computer Journal, vol. 47, no. 4, 2004. [15] G. Eisenhauer, F. E. Bustamante, and K. Schwan, “Event services in high performance systems,” Cluster Computing: The Journal of Networks, Software Tools, and Applications, vol. 4, no. 3, 2001. [16] T. Jim, G. Morrisett, D. Grossman, M. Hicks, J. Chene, and Y. Wang, “Cyclone: A safe dialect of c,” in USENIX Annual Technical Conference, 2002. [17] G. C. Necula and P. Lee, “Safe kernel extensions without run-time checking,” in Proceedings of the Operating System Design and Imple- mentation, 1996. [18] I. B. Ganev, G. Eisenhauer, and K. Schwan, “Kernel plugins: When a vm is too much,” in Virtual Machine Research and Technology Symposium, 2004. [19] M. Swift, M. Annamalai, B. Bershad, and H. Levy, “Recovering Device Drivers,” ACM Transactions on Computer Systems, November 2006. [20] J. LeVasseur, V. Uhlig, J. Stoess, and S. Gtz, “Unmodified device driver reuse and improved system dependability via virtual machines,” in Proc. of OSDI, 2004. [21] H. Raj, S. Kumar, B. Seshasayee, R. Niranjan, A. Gavrilovska, and K. Schwan, “Enabling semantic communications for virtual machines via iconnect,” in International Workshop on Virtual Technologies in Distributed Computing, 2007. [22] J. Kong, I. Ganev, K. Schwan, and P. Widener, “Cameracast: Flexible access to remote video sensors,” in Multimedia Computing and Net- working (MMCN'07), San Jose, CA, USA, Jan. 2007. [23] M. Adiletta, M. Rosenbluth, D. Bernstein, G. Wolrich, and H. Wilkin- son, “The next generation of the intel ixp network processors,” Intel Technology Journal, vol. 6, no. 3, 2002. [24] A. Gavrilovska, S. Kumar, K. Schwan, and S. Sundaragopalan, “Platform overlays: Enabling in network stream processing in largescale distributed application,” in NOSSDAV, 2005. [25] A. Acharya, M. Uysal, and J. Saltz, “Active disks,” in Proceedings of the Conference on Architectural Support for Programming Languages and Operating Systems, 1998. [26] H. Raj and K. Schwan, “O2s2: Enhanced object-based virtualized storage,” Georgia Institute of Technology, Tech. Rep. GIT-CERCS-07- 22, 2007. [27] S. Kumar, S. Agarwala, and K. Schwan, “Netbus: A transparent mecha- nism for remote device access in virtualized systems,” Georgia Institute of Technology, Tech. Rep. GIT-CERCS-07-08, 2007.