Security on Memory Deduplication (of IaaS cloud Computing)

K i S ki T hiki Y i K Iiji N A h Q h C ill A thKuniyasu Suzaki, Toshiki Yagi, Kengo Iijima, Nguyen Anh Quynh, Cyrille Artho

Research Center of Information Security

National Institute of Advanced Industrial Science and Technology

Memory Deduplication• Technique to share same content pages.

• Reduce consumption of physical memory.– It is very effective, when same guest OS runs on several VMs.

• On Virtual Machine Monitor– Disco[OSDI97] has Transparent Page Sharing

VM1 VM2 VM(n)

Real Physical Memory

Guest Physical Memory

– VMWare ESX has Content-Based Page Sharing [SOSP02]

– Xen has Satori[USENIX09] and Differential Engine[OSDI08]• On Kernel

– Linux has KSM (Kernel Samepage Merging) from 2.6.32 [LinuxSymp09]

• Memory of Process(es) are deduplicated

• KVM uses this mechanism

Kuniyasu Suzaki USENIX Security 2010 Rump Session

Memory Deduplication strengthens OS

• Encourage to translate from dynamic-link to self-contained binary,because memory redundancy is shrunk by deduplication.– It mitigates some security problems caused by logical sharing:

Search Path Replacement Attack, GOT (Global Offset Table) overwrite attack, Dependency Hell, Etc.p y

• “Moving from Logical Sharing of Guest OS to Physical Sharing of Deduplication on Virtual Machine” [HotSec10] [USENIX Security10 Poster]

• In this rump session, I want to talk“Memory Deduplication has security problems”.

Kuniyasu Suzaki USENIX Security 2010 Rump Session

Memory Peeking between VMs

• When a write access is issued to a deduplicated page on a VM, a physical copy of the page is created. (CopyOnWrite)– It causes time difference between deduplicated and non-

deduplicated page.

• Attacker VM detects existence of a certain page on neighbor VMs.

• We developed methods of memory peeking on a VM.

• It is a kind of Cross VM Side Channel Attack [CCS09]– [CCS09] used CPU Cache which is shared by VMs

Kuniyasu Suzaki USENIX Security 2010 Rump Session

Problem for Attackers & us :-)• Exact match of 4KB page

– 4KB is too large

• Attacker has to prepare the same 4KB page

• Difficult for key Exposure

• Attacker can not decide which VM has the same page• Attacker can not decide which VM has the same page, when many VMs run.– [CCS09] can decide VM which is shared by Cache.

• Thread Model is weak?

Kuniyasu Suzaki USENIX Security 2010 Rump Session

VM1 VM2 VM(n)

Real Physical Memory

Guest Physical Memory

Should we use memory peeking for defense on Multi-tenant Cloud Computing?• The memory peeking does not requires any penetration

on a target VM. It only measures the own memory access.

• It is used for – Detecting un-secure applications on VMs.– g pp

– Detecting illegal downloads.

• Merit: It does not care cryptographic communication.

– Detecting …

Kuniyasu Suzaki USENIX Security 2010 Rump Session

VM1 VM2 VM(n)

Real Physical Memory

Guest Physical Memory

Please tell me

• Strong Thread Model for memory deduplication (4KB)

• Practical Usage of memory peeking for Defense

• Contact:– E-mail: k.suzaki@aist.go.jp

– Twitter: @KuniSuzaki

– Slide: http://www.slideshare.net/suzaki

Kuniyasu Suzaki USENIX Security 2010 Rump Session

VM1 VM2 VM(n)

Real Physical Memory

Guest Physical Memory