1. Security on Memory Deduplication
(of IaaS cloud Computing)
Kuniyasu Suzaki, Toshiki Yagi, Kengo Iijima, Nguyen Anh Quynh, Cyrille Artho
Research Center of Information Security
National Institute of Advanced Industrial Science and Technology
2. Memory Deduplication
• Technique to share pages that have the same content.
• Reduces consumption of physical memory.
– It is very effective when the same guest OS runs on several VMs.
• On Virtual Machine Monitor
– Disco [OSDI97] has Transparent Page Sharing
– VMware ESX has Content-Based Page Sharing [SOSP02]
– Xen has Satori [USENIX09] and Difference Engine [OSDI08]
• On Kernel
– Linux has KSM (Kernel Samepage Merging) from 2.6.32 [LinuxSymp09]
• Memory of process(es) is deduplicated
• KVM uses this mechanism
[Figure: Guest Physical Memory (VM1, VM2, VM(n)) and Real Physical Memory]
Kuniyasu Suzaki USENIX Security 2010 Rump Session
3. Memory Deduplication strengthens OS
• Encourages moving from dynamically linked to self-contained binaries,
because the memory redundancy is shrunk by deduplication.
– It mitigates some security problems caused by logical sharing:
Search Path Replacement Attack, GOT (Global Offset Table)
overwrite attack, Dependency Hell, etc.
• “Moving from Logical Sharing of Guest OS to Physical Sharing
of Deduplication on Virtual Machine” [HotSec10] [USENIX
Security10 Poster]
• In this rump session, I want to talk about
“Memory Deduplication has security problems”.
4. Memory Peeking between VMs
• When a write access is issued to a deduplicated page on a
VM, a physical copy of the page is created (copy-on-write).
– This causes a write-time difference between deduplicated and
non-deduplicated pages.
• An attacker VM can detect the existence of a certain page on
neighbor VMs.
• We developed methods of memory peeking on a VM.
• It is a kind of Cross VM Side Channel Attack [CCS09]
– [CCS09] used CPU Cache which is shared by VMs
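A host-side check related to the copy-on-write behaviour described above, as an added example that is not part of the original slides: it reads the Linux KSM counters to tell whether pages are currently merged, since only merged pages take the copy-on-write path on a write. The helper names `read_counter` and `ksm_status` and the status words they print are assumptions made for this example; the sysfs file names are KSM's own.

```shell
#!/bin/sh
# Added example: report whether Linux KSM currently has merged pages on this host.

# read_counter DIR NAME -> prints the integer stored in DIR/NAME, or fails.
read_counter() {
    [ -r "$1/$2" ] || return 1
    v=$(tr -d ' \n' < "$1/$2")
    case "$v" in
        ''|*[!0-9]*) return 1 ;;   # empty or not a plain number
    esac
    printf '%s\n' "$v"
}

# ksm_status [DIR] -> prints one of:
#   absent             no KSM interface in DIR
#   stopped            run=0 and nothing is merged
#   stopped-merged N   run=0, ksmd is idle but N mappings are still merged
#   unmerged           run=2, ksmd stopped and merged pages broken apart
#   merging N          run=1, N mappings currently point at merged pages
ksm_status() {
    dir=${1:-/sys/kernel/mm/ksm}
    run=$(read_counter "$dir" run) || { echo absent; return 0; }
    shared=$(read_counter "$dir" pages_shared) || shared=0
    sharing=$(read_counter "$dir" pages_sharing) || sharing=0
    # pages_shared counts the merged pages that are kept; pages_sharing counts
    # the additional mappings that reuse them. Their sum is the number of
    # mappings whose next write triggers a copy.
    total=$((shared + sharing))
    case "$run" in
        1) echo "merging $total" ;;
        2) echo unmerged ;;
        0) if [ "$total" -gt 0 ]; then
               echo "stopped-merged $total"
           else
               echo stopped
           fi ;;
        *) echo unknown ;;
    esac
}

# Stand-alone use: check the live host, or a directory given as argument.
ksm_status "$@"
```

Passing a directory argument runs the same check against a saved copy of the counters instead of the live `/sys/kernel/mm/ksm`.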
5. Problem for Attackers & us :-)
• Exact match of 4KB page
– 4KB is too large
• Attacker has to prepare the same 4KB page
• Difficult for key Exposure
• Attacker cannot decide which VM has the same page
when many VMs run.
– [CCS09] can decide which VM shares the cache.
• Threat Model is weak?
6. Should we use memory peeking for
defense on Multi-tenant Cloud Computing?
• Memory peeking does not require any penetration
of a target VM. It only measures its own memory accesses.
• It is used for
– Detecting insecure applications on VMs.
– Detecting illegal downloads.
• Merit: it does not care about encrypted communication.
– Detecting …
7. Please tell me
• Strong Threat Model for memory deduplication (4KB)
• Practical Usage of memory peeking for Defense
• Contact:
– E-mail: k.suzaki@aist.go.jp
– Twitter: @KuniSuzaki
– Slide: http://www.slideshare.net/suzaki