usenix security10-rump session-suzaki
DESCRIPTION
Slide used at USENIX Security 2010 RUMP Session.Title is ""TRANSCRIPT
![Page 1: Usenix security10-rump session-suzaki](https://reader036.vdocuments.pub/reader036/viewer/2022073017/548b1d38b47959d86b8b4733/html5/thumbnails/1.jpg)
Security on Memory Deduplication (of IaaS cloud Computing)
K i S ki T hiki Y i K Iiji N A h Q h C ill A thKuniyasu Suzaki, Toshiki Yagi, Kengo Iijima, Nguyen Anh Quynh, Cyrille Artho
Research Center of Information Security
National Institute of Advanced Industrial Science and Technology
![Page 2: Usenix security10-rump session-suzaki](https://reader036.vdocuments.pub/reader036/viewer/2022073017/548b1d38b47959d86b8b4733/html5/thumbnails/2.jpg)
Memory Deduplication• Technique to share same content pages.
• Reduce consumption of physical memory.– It is very effective, when same guest OS runs on several VMs.
• On Virtual Machine Monitor– Disco[OSDI97] has Transparent Page Sharing
VM1 VM2 VM(n)
Real Physical Memory
Guest Physical Memory
– VMWare ESX has Content-Based Page Sharing [SOSP02]
– Xen has Satori[USENIX09] and Differential Engine[OSDI08]• On Kernel
– Linux has KSM (Kernel Samepage Merging) from 2.6.32 [LinuxSymp09]
• Memory of Process(es) are deduplicated
• KVM uses this mechanism
Kuniyasu Suzaki USENIX Security 2010 Rump Session
![Page 3: Usenix security10-rump session-suzaki](https://reader036.vdocuments.pub/reader036/viewer/2022073017/548b1d38b47959d86b8b4733/html5/thumbnails/3.jpg)
Memory Deduplication strengthens OS
• Encourage to translate from dynamic-link to self-contained binary,because memory redundancy is shrunk by deduplication.– It mitigates some security problems caused by logical sharing:
Search Path Replacement Attack, GOT (Global Offset Table) overwrite attack, Dependency Hell, Etc.p y
• “Moving from Logical Sharing of Guest OS to Physical Sharing of Deduplication on Virtual Machine” [HotSec10] [USENIX Security10 Poster]
• In this rump session, I want to talk“Memory Deduplication has security problems”.
Kuniyasu Suzaki USENIX Security 2010 Rump Session
![Page 4: Usenix security10-rump session-suzaki](https://reader036.vdocuments.pub/reader036/viewer/2022073017/548b1d38b47959d86b8b4733/html5/thumbnails/4.jpg)
Memory Peeking between VMs
• When a write access is issued to a deduplicated page on a VM, a physical copy of the page is created. (CopyOnWrite)– It causes time difference between deduplicated and non-
deduplicated page.
• Attacker VM detects existence of a certain page on neighbor VMs.
• We developed methods of memory peeking on a VM.
• It is a kind of Cross VM Side Channel Attack [CCS09]– [CCS09] used CPU Cache which is shared by VMs
Kuniyasu Suzaki USENIX Security 2010 Rump Session
![Page 5: Usenix security10-rump session-suzaki](https://reader036.vdocuments.pub/reader036/viewer/2022073017/548b1d38b47959d86b8b4733/html5/thumbnails/5.jpg)
Problem for Attackers & us :-)• Exact match of 4KB page
– 4KB is too large
• Attacker has to prepare the same 4KB page
• Difficult for key Exposure
• Attacker can not decide which VM has the same page• Attacker can not decide which VM has the same page, when many VMs run.– [CCS09] can decide VM which is shared by Cache.
• Thread Model is weak?
Kuniyasu Suzaki USENIX Security 2010 Rump Session
VM1 VM2 VM(n)
Real Physical Memory
Guest Physical Memory
![Page 6: Usenix security10-rump session-suzaki](https://reader036.vdocuments.pub/reader036/viewer/2022073017/548b1d38b47959d86b8b4733/html5/thumbnails/6.jpg)
Should we use memory peeking for defense on Multi-tenant Cloud Computing?• The memory peeking does not requires any penetration
on a target VM. It only measures the own memory access.
• It is used for – Detecting un-secure applications on VMs.– g pp
– Detecting illegal downloads.
• Merit: It does not care cryptographic communication.
– Detecting …
Kuniyasu Suzaki USENIX Security 2010 Rump Session
VM1 VM2 VM(n)
Real Physical Memory
Guest Physical Memory
![Page 7: Usenix security10-rump session-suzaki](https://reader036.vdocuments.pub/reader036/viewer/2022073017/548b1d38b47959d86b8b4733/html5/thumbnails/7.jpg)
Please tell me
• Strong Thread Model for memory deduplication (4KB)
• Practical Usage of memory peeking for Defense
• Contact:– E-mail: [email protected]
– Twitter: @KuniSuzaki
– Slide: http://www.slideshare.net/suzaki
Kuniyasu Suzaki USENIX Security 2010 Rump Session
VM1 VM2 VM(n)
Real Physical Memory
Guest Physical Memory