Page MenuHomePhabricator

Cross-VM cache attacks countermeasures
Open, NormalPublic


Makes some covert channel attacks more difficult. Eliminates cross-VM cache attacks on crypto.

Quoted verbatim:

To attack such configurations, successful and practical
attacks must comply with the following requirements:

  1. Work across processors: As these configurations are now ubiquitous, an attack that does not work across processors is severely limited and can be triv- ially mitigated by exclusively assigning processors to tenants or via the scheduler.

    2. Work without any shared memory: With memory deduplication disabled, shared memory is not avail- able between VMs. All attacks that require shared memory are thus completely mitigated in cross-VM settings with such configurations. In the last years, the most prominent and well-studied example of shared-hardware exploits is cache attacks. They use the processor-integrated cache and were shown to be effective in a multitude of settings, such as cross- VM key-recovery attacks [9, 12, 20, 30], including at- tacks across cores [5, 14, 16, 28]

However, due to the cache being local to the processor, these attacks do not
work across processors and thus violate requirement 1.
Note that in a recent concurrent work, Irazoqui et al.
[11] presented a cross-CPU cache attack which exploits
cache coherency mechanisms in multi-processor sys-
tems. However, their approach requires shared mem-
ory and thus violates requirement 2. The whole class
of cache attacks is therefore not applicable in multi-
processor systems without any shared memory."

Summary: Pinning vcpus to physical cpus makes some covert channel attacks more difficult. Eliminates cross-VM cache attacks on crypto. Memory deduplication is (shared memory) is opt in (on Linux at least) and hence this doesn't apply to a default KVM configuration. NB recent versions of Windows starting with 8 enable memory deduplication by default. Worth warning VBox users about.