From mboxrd@z Thu Jan  1 00:00:00 1970
From: Anthony Liguori <anthony@codemonkey.ws>
Subject: Re: EuroSec'11 Presentation
Date: Mon, 11 Apr 2011 10:27:27 -0500
Message-ID: <4DA31DDF.7060605@codemonkey.ws>
References: <20110410.232340.01368317.k.suzaki@aist.go.jp>	<4DA1C390.10003@redhat.com>	<20110411.001930.73371943.k.suzaki@aist.go.jp> <BANLkTi=+tjG8dxvaqsw52ouGcR=6Z3Rw0w@mail.gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: Kuniyasu Suzaki <k.suzaki@aist.go.jp>, avi@redhat.com,
	kvm@vger.kernel.org
To: Stefan Hajnoczi <stefanha@gmail.com>
Return-path: <kvm-owner@vger.kernel.org>
Received: from mail-yw0-f46.google.com ([209.85.213.46]:54035 "EHLO
	mail-yw0-f46.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1752111Ab1DKP1b (ORCPT <rfc822;kvm@vger.kernel.org>);
	Mon, 11 Apr 2011 11:27:31 -0400
Received: by ywj3 with SMTP id 3so2196832ywj.19
        for <kvm@vger.kernel.org>; Mon, 11 Apr 2011 08:27:31 -0700 (PDT)
In-Reply-To: <BANLkTi=+tjG8dxvaqsw52ouGcR=6Z3Rw0w@mail.gmail.com>
Sender: kvm-owner@vger.kernel.org
List-ID: <kvm.vger.kernel.org>

On 04/11/2011 03:51 AM, Stefan Hajnoczi wrote:
>> I'm happy to hear your comments.
>> The referee's comment was severe. It said there was not brand-new
>> point, but there are real attack experiences.  My paper was just
>> evaluated the detction on apahce2 and sshd on Linux Guest OS and
>> Firefox and IE6 on Windows Guest OS.
> If I have a VM on the same physical host as someone else I may be able
> to determine which programs and specific versions they are currently
> running.
>
> Is there some creative attack using this technique that I'm missing?
> I don't see many serious threats.

It's a deviation of a previously demonstrated attack where memory access 
timing is used to guess memory content.  This has been demonstrated in 
the past to be a viable technique to reduce the keyspace of things like 
ssh keys which makes attack a bit easier.

But it's a well known issue with colocation and the attack can be 
executed just by looking at raw memory access time (to guess whether 
another process brought something into the cache).

Regards,

Anthony Liguori

> Stefan
> --
> To unsubscribe from this list: send the line "unsubscribe kvm" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html