From: Anthony Liguori <anthony@codemonkey.ws>
To: Stefan Hajnoczi <stefanha@gmail.com>
Cc: Kuniyasu Suzaki <k.suzaki@aist.go.jp>,
avi@redhat.com, kvm@vger.kernel.org
Subject: Re: EuroSec'11 Presentation
Date: Mon, 11 Apr 2011 12:22:19 -0500 [thread overview]
Message-ID: <4DA338CB.5050708@codemonkey.ws> (raw)
In-Reply-To: <BANLkTi=di8-7U9x6_FQOKxHdXqV2bG333w@mail.gmail.com>
On 04/11/2011 11:25 AM, Stefan Hajnoczi wrote:
> On Mon, Apr 11, 2011 at 4:27 PM, Anthony Liguori<anthony@codemonkey.ws> wrote:
>>
>> It's a deviation of a previously demonstrated attack where memory access
>> timing is used to guess memory content. This has been demonstrated in the
>> past to be a viable technique to reduce the keyspace of things like ssh keys
>> which makes attack a bit easier.
> How can you reduce the key space by determining whether the guest has
> arbitrary 4 KB data in physical memory?
I'm not sure that you can. But the way the cache timing attack worked
is that by doing a cache timing analysis in another process that's
sharing the cache with a process doing key generation, you can make
predictions about the paths taken by the key generation code which let's
you narrow down the key space.
Of course, even this is extremely hard to exploit because you need to
happen to be sharing a cache with something that's doing ssh key
generation, you have to know when it starts and when it ends, and you
have to know exactly what version of ssh is running. And even then,
it's just reduces the time needed to brute force. It still takes a long
time.
I think knowing whether a 4kb page is shared by some other guest in the
system is so little information that I don't see what you could
practically do with it that can't already be done via a cache timing attack.
Regards,
Anthony Liguori
> Stefan
prev parent reply other threads:[~2011-04-11 17:22 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-04-10 14:23 EuroSec'11 Presentation Kuniyasu Suzaki
2011-04-10 14:49 ` Avi Kivity
2011-04-10 15:19 ` Kuniyasu Suzaki
2011-04-11 8:51 ` Stefan Hajnoczi
2011-04-11 15:26 ` Kuniyasu Suzaki
2011-04-11 15:27 ` Anthony Liguori
2011-04-11 15:46 ` Kuniyasu Suzaki
2011-04-11 15:48 ` Avi Kivity
2011-04-11 16:01 ` Kuniyasu Suzaki
2011-04-13 18:04 ` Andi Kleen
2011-04-11 17:19 ` Anthony Liguori
2011-04-12 13:16 ` Kuniyasu Suzaki
2011-04-11 16:25 ` Stefan Hajnoczi
2011-04-11 17:22 ` Anthony Liguori [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4DA338CB.5050708@codemonkey.ws \
--to=anthony@codemonkey.ws \
--cc=avi@redhat.com \
--cc=k.suzaki@aist.go.jp \
--cc=kvm@vger.kernel.org \
--cc=stefanha@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox