From mboxrd@z Thu Jan 1 00:00:00 1970 From: Anthony Liguori Subject: Re: EuroSec'11 Presentation Date: Mon, 11 Apr 2011 12:19:10 -0500 Message-ID: <4DA3380E.7040506@codemonkey.ws> References: <20110411.001930.73371943.k.suzaki@aist.go.jp> <4DA31DDF.7060605@codemonkey.ws> <20110412.004641.91284108.k.suzaki@aist.go.jp> Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: stefanha@gmail.com, avi@redhat.com, kvm@vger.kernel.org To: Kuniyasu Suzaki Return-path: Received: from mail-gy0-f174.google.com ([209.85.160.174]:54945 "EHLO mail-gy0-f174.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752754Ab1DKRTN (ORCPT ); Mon, 11 Apr 2011 13:19:13 -0400 Received: by gyd10 with SMTP id 10so2231184gyd.19 for ; Mon, 11 Apr 2011 10:19:13 -0700 (PDT) In-Reply-To: <20110412.004641.91284108.k.suzaki@aist.go.jp> Sender: kvm-owner@vger.kernel.org List-ID: On 04/11/2011 10:46 AM, Kuniyasu Suzaki wrote: > >> But it's a well known issue with colocation and the attack can be >> executed just by looking at raw memory access time (to guess whether >> another process brought something into the cache). > Thank you for comments. > The memory disclosure attack can be prevented by several ways mention in my "Countermeasure" side (Page 22). Not to be discouraging, but this class of attacks (side channel information disclosures) is very well known and very well documented. Side channel attacks are extremely difficult to use from a practical perspective. First, you have to know that your target is colocated with you and that you are actually sharing a resource. Second, you have to be able to exploit the additional information you've gathered. This type of attack is just as application to any multi-user environment and is not at all unique to virtualization. > If we limit KSM on READ-ONLY pages, we detect and prevent the attack. > I also think most memory deduplication is on READ-ONLY pages. There's really no point about worrying about these sort of things. Either you're not going to colocate, you'll colocate and do the best you can with what the hardware provides (socket isolation, no KSM, etc.), or you're no going to worry about these types of things. Again, it is extremely difficult to use side channel information disclosures to actually exploit anything. If you are worried about this level of security, you shouldn't be using x86 hardware as more advanced hardware has more rigorous support for protecting against these sort of things. Regards, Anthony Liguori > ------ > Kuniysu Suzaki >