The Xen Project has released version 4.6 of its hypervisor project that helps power Amazon EC2 and other major cloud providers.
Security on Xen systems is an ongoing concern, so many of the upgrades focus on closing existing bugs and adding proactive features that would have been difficult to implement before.
Consider Xen's memory event subsystem, which handles requests to and responses from a VM's memory space. Version 4.6 has a new VM event subsystem so that changes to memory or registers within a VM can be tracked without requiring a lot of overhead. Xen's suggested uses for this feature include "zero-footprint guest introspection, host-wide monitoring, and many others," although actual implementation falls mainly to those deploying Xen.
Xen is a cross-platform project, so much of the new functionality is available for both Intel x86 and ARM architectures. The majority of the ARM-specific updates involve expanded support for specific hardware platforms, but the x86 edition of Xen 4.6 supports acceleration and security functions specific to Intel processors.
Among those features are Cache Allocation Technology, which allows VMs to use a larger slice of the CPU's L3 cache, and Memory Bandwidth Monitoring, which determines whether a VM on a host is using a disproportionate share of memory bandwidth. The payoff: Xen hosts can manage loads more intelligently, either by dedicating more memory to a given VM on demand or by flagging a VM as a candidate for migration to another physical machine.
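The two host-side decisions described above (partitioning L3 cache between guests and spotting a guest that monopolises memory bandwidth) can be sketched in a few lines. The following is an added illustration, not code from the Xen project: `cbm_is_valid` applies the Intel CAT rule that a capacity bitmask must be a single contiguous run of set bits no wider than the cache's mask length (the check the toolstack performs before a mask reaches the hardware), `masks_isolated` confirms that two guests' masks do not share cache ways, and `flag_bandwidth_hogs` marks guests whose share of measured bandwidth exceeds a multiple of an equal share. The domain names and bandwidth figures are constructed sample data, and the `factor` threshold is an assumed policy knob.

```python
"""Added example (not Xen project code): CAT mask checks and an MBM-style
"disproportionate share" heuristic, modelled on the features described above.

Assumptions, labelled here and in the lead-in: a CAT capacity bitmask (CBM)
must be a non-empty, contiguous run of 1 bits within cbm_len; the bandwidth
readings below are constructed sample data, not output of a real host.
"""
from typing import Dict, List

# Constructed sample: per-domain memory bandwidth readings (MB/s) for one host.
SAMPLE_BANDWIDTH: Dict[str, float] = {
    "dom0": 1200.0,
    "web1": 900.0,
    "web2": 850.0,
    "batch7": 6000.0,
}


def cbm_is_valid(cbm: int, cbm_len: int) -> bool:
    """Return True if cbm is a non-empty contiguous run of 1 bits that fits in cbm_len bits."""
    if cbm <= 0 or cbm >= (1 << cbm_len):
        return False
    # Shift out trailing zeros; a contiguous run of ones then satisfies x & (x + 1) == 0.
    lowest_bit_index = (cbm & -cbm).bit_length() - 1
    shifted = cbm >> lowest_bit_index
    return shifted & (shifted + 1) == 0


def masks_isolated(cbm_a: int, cbm_b: int) -> bool:
    """Return True if two domains' masks share no cache ways (no bit set in both)."""
    return (cbm_a & cbm_b) == 0


def flag_bandwidth_hogs(readings: Dict[str, float], factor: float = 2.0) -> List[str]:
    """Return domains whose share of total bandwidth exceeds `factor` times an equal share.

    With N domains an equal share is 1/N, so with factor=2.0 a domain is flagged
    when it consumes more than 2/N of the measured total. Result is ordered
    highest consumer first, so the head of the list is the first migration candidate.
    """
    total = sum(readings.values())
    if total <= 0:
        return []
    fair_share = 1.0 / len(readings)
    flagged = [dom for dom, bw in readings.items() if bw / total > factor * fair_share]
    return sorted(flagged, key=lambda dom: readings[dom], reverse=True)


if __name__ == "__main__":
    # A 12-way L3 cache: give dom0 ways 8-11 and a guest ways 0-7, then check isolation.
    dom0_mask, guest_mask = 0xF00, 0x0FF
    print("dom0 mask valid:", cbm_is_valid(dom0_mask, 12))
    print("guest mask valid:", cbm_is_valid(guest_mask, 12))
    print("masks isolated:", masks_isolated(dom0_mask, guest_mask))
    print("bandwidth hogs:", flag_bandwidth_hogs(SAMPLE_BANDWIDTH))
```

Run as a script it reports both masks as valid and isolated and names `batch7` as the only domain over the threshold; the functions are also usable directly when reading real per-domain figures from the toolstack.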
Another security-related addition is support for Trusted Platform Module (TPM) extensions on x86 hardware, functionality provided by BitDefender. Xen guests can interact with a software-emulated TPM backed by the physical TPM on the host; secrets stored in the emulated TPM are managed in the physical one as well.
[The original version of this article incorrectly identified the National Security Administration as the contributor of the TPM functionality to Xen. The Linux Foundation has since informed us that "In our original blog post, we noted that the NSA contributed to vTPM 2, but this was an error on our part. vTPM v2.0 was developed by Intel with the help by BitDefender."]