usenix security10-rump session-suzaki
DESCRIPTION
Slide used at USENIX Security 2010 RUMP Session.Title is ""TRANSCRIPT
Security on Memory Deduplication (of IaaS cloud Computing)
K i S ki T hiki Y i K Iiji N A h Q h C ill A thKuniyasu Suzaki, Toshiki Yagi, Kengo Iijima, Nguyen Anh Quynh, Cyrille Artho
Research Center of Information Security
National Institute of Advanced Industrial Science and Technology
Memory Deduplication• Technique to share same content pages.
• Reduce consumption of physical memory.– It is very effective, when same guest OS runs on several VMs.
• On Virtual Machine Monitor– Disco[OSDI97] has Transparent Page Sharing
VM1 VM2 VM(n)
Real Physical Memory
Guest Physical Memory
– VMWare ESX has Content-Based Page Sharing [SOSP02]
– Xen has Satori[USENIX09] and Differential Engine[OSDI08]• On Kernel
– Linux has KSM (Kernel Samepage Merging) from 2.6.32 [LinuxSymp09]
• Memory of Process(es) are deduplicated
• KVM uses this mechanism
Kuniyasu Suzaki USENIX Security 2010 Rump Session
Memory Deduplication strengthens OS
• Encourage to translate from dynamic-link to self-contained binary,because memory redundancy is shrunk by deduplication.– It mitigates some security problems caused by logical sharing:
Search Path Replacement Attack, GOT (Global Offset Table) overwrite attack, Dependency Hell, Etc.p y
• “Moving from Logical Sharing of Guest OS to Physical Sharing of Deduplication on Virtual Machine” [HotSec10] [USENIX Security10 Poster]
• In this rump session, I want to talk“Memory Deduplication has security problems”.
Kuniyasu Suzaki USENIX Security 2010 Rump Session
Memory Peeking between VMs
• When a write access is issued to a deduplicated page on a VM, a physical copy of the page is created. (CopyOnWrite)– It causes time difference between deduplicated and non-
deduplicated page.
• Attacker VM detects existence of a certain page on neighbor VMs.
• We developed methods of memory peeking on a VM.
• It is a kind of Cross VM Side Channel Attack [CCS09]– [CCS09] used CPU Cache which is shared by VMs
Kuniyasu Suzaki USENIX Security 2010 Rump Session
Problem for Attackers & us :-)• Exact match of 4KB page
– 4KB is too large
• Attacker has to prepare the same 4KB page
• Difficult for key Exposure
• Attacker can not decide which VM has the same page• Attacker can not decide which VM has the same page, when many VMs run.– [CCS09] can decide VM which is shared by Cache.
• Thread Model is weak?
Kuniyasu Suzaki USENIX Security 2010 Rump Session
VM1 VM2 VM(n)
Real Physical Memory
Guest Physical Memory
Should we use memory peeking for defense on Multi-tenant Cloud Computing?• The memory peeking does not requires any penetration
on a target VM. It only measures the own memory access.
• It is used for – Detecting un-secure applications on VMs.– g pp
– Detecting illegal downloads.
• Merit: It does not care cryptographic communication.
– Detecting …
Kuniyasu Suzaki USENIX Security 2010 Rump Session
VM1 VM2 VM(n)
Real Physical Memory
Guest Physical Memory
Please tell me
• Strong Thread Model for memory deduplication (4KB)
• Practical Usage of memory peeking for Defense
• Contact:– E-mail: [email protected]
– Twitter: @KuniSuzaki
– Slide: http://www.slideshare.net/suzaki
Kuniyasu Suzaki USENIX Security 2010 Rump Session
VM1 VM2 VM(n)
Real Physical Memory
Guest Physical Memory