
Cross-VM cache attacks countermeasures
Open, Normal, Public


Makes some covert channel attacks more difficult. Eliminates cross-VM cache attacks on crypto.

Quoted verbatim:

"To attack such configurations, successful and practical attacks must comply with the following requirements:

Work across processors:
As these configurations are now ubiquitous, an attack that does not work across processors is severely limited and can be trivially mitigated by exclusively assigning processors to tenants or via the scheduler.

Work without any shared memory:
With memory deduplication disabled, shared memory is not available between VMs. All attacks that require shared memory are thus completely mitigated in cross-VM settings with such configurations.

In the last years, the most prominent and well-studied example of shared-hardware exploits is cache attacks. They use the processor-integrated cache and were shown to be effective in a multitude of settings, such as cross-VM key-recovery attacks [9, 12, 20, 30], including attacks across cores [5, 14, 16, 28]. However, due to the cache being local to the processor, these attacks do not work across processors and thus violate requirement 1. Note that in a recent concurrent work, Irazoqui et al. [11] presented a cross-CPU cache attack which exploits cache coherency mechanisms in multi-processor systems. However, their approach requires shared memory and thus violates requirement 2. The whole class of cache attacks is therefore not applicable in multi-processor systems without any shared memory."

Summary: Pinning vCPUs to physical CPUs makes some covert channel attacks more difficult and eliminates cross-VM cache attacks on crypto. Memory deduplication (shared memory) is opt-in (on Linux at least), so this doesn't apply to a default KVM configuration. NB: recent versions of Windows, starting with 8, enable memory deduplication by default. Worth warning VBox users about.
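The two countermeasures above (exclusive processor assignment per tenant, and no deduplicated shared memory) can be audited on a Linux/KVM host. The script below is an added example written for this task, not code from the task author or from any project; it models the inputs as constructed data so it runs offline. It assumes a libvirt-style pinning map (vCPU number to a cpuset string such as `0-3,8`, `None` for an unpinned vCPU) and the real sysfs files `/sys/devices/system/cpu/cpu<N>/topology/physical_package_id`, `/sys/kernel/mm/ksm/run` and `/sys/kernel/mm/ksm/pages_shared`, whose contents are passed in as strings. It reports any physical package that more than one tenant's vCPUs could be scheduled on (a violation of the "exclusively assigning processors to tenants" mitigation), and it treats KSM as still providing shared memory if ksmd is running or if previously merged pages remain shared after `run` was set to 0.

```python
"""Audit cross-VM cache-attack countermeasures: per-tenant processor assignment
and disabled memory deduplication (KSM). Added example; all inputs constructed."""
import re
from collections import defaultdict

# Constructed: contents of /sys/devices/system/cpu/cpu<N>/topology/physical_package_id
# for a hypothetical 2-socket host with 8 logical CPUs (CPUs 0-3 on package 0, 4-7 on 1).
SAMPLE_PACKAGE_FILES = {n: f"{0 if n < 4 else 1}\n" for n in range(8)}

# Constructed: per-VM pinning as libvirt's <vcpupin vcpu='N' cpuset='...'/> would express
# it. None means the vCPU is unpinned and may run on any host CPU.
GOOD_PINNING = {"tenant-a": {0: "0-1", 1: "2,3"}, "tenant-b": {0: "4-5", 1: "6-7"}}
BAD_PINNING = {"tenant-a": {0: "0-1", 1: "2,3"}, "tenant-b": {0: "3", 1: "6-7"}}
FLOATING_PINNING = {"tenant-a": {0: "0-1"}, "tenant-b": {0: None}}


def parse_cpuset(spec):
    """Expand a cpuset string such as '0-3,8,10-11' into a set of CPU numbers."""
    cpus = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", part)
        if m is None:
            raise ValueError(f"bad cpuset element: {part!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if hi < lo:
            raise ValueError(f"reversed range: {part!r}")
        cpus.update(range(lo, hi + 1))
    return cpus


def load_topology(package_files):
    """Map host CPU number -> physical package id from sysfs file contents."""
    return {cpu: int(text.strip()) for cpu, text in package_files.items()}


def packages_used(pinning, topology):
    """Return {vm: set of package ids} that each VM's vCPUs can be scheduled on."""
    all_cpus = set(topology)
    used = {}
    for vm, vcpus in pinning.items():
        pkgs = set()
        for cpuset in vcpus.values():
            cpus = all_cpus if cpuset is None else parse_cpuset(cpuset)
            unknown = cpus - all_cpus
            if unknown:
                raise ValueError(f"{vm}: cpuset names CPUs not on this host: {sorted(unknown)}")
            pkgs.update(topology[c] for c in cpus)
        used[vm] = pkgs
    return used


def shared_packages(pinning, topology):
    """Return {package id: sorted VM names} for packages more than one VM can run on.
    An empty result means no processor-local cache is ever shared between tenants."""
    by_pkg = defaultdict(set)
    for vm, pkgs in packages_used(pinning, topology).items():
        for p in pkgs:
            by_pkg[p].add(vm)
    return {p: sorted(vms) for p, vms in by_pkg.items() if len(vms) > 1}


def ksm_shares_memory(run_text, pages_shared_text):
    """True if KSM may still be providing cross-VM shared memory.

    Arguments are the contents of /sys/kernel/mm/ksm/run and
    /sys/kernel/mm/ksm/pages_shared. run == 1 means ksmd is merging pages;
    run == 0 stops ksmd but keeps already-merged pages shared, so pages_shared
    must also be 0 before the "no shared memory" requirement holds.
    """
    run = int(run_text.strip())
    shared = int(pages_shared_text.strip())
    return run == 1 or shared > 0


if __name__ == "__main__":
    topo = load_topology(SAMPLE_PACKAGE_FILES)
    for name, pin in [("good", GOOD_PINNING), ("bad", BAD_PINNING), ("floating", FLOATING_PINNING)]:
        print(f"{name}: packages shared between tenants -> {shared_packages(pin, topo)}")
    print("KSM sharing (constructed run=0, pages_shared=0):", ksm_shares_memory("0\n", "0\n"))
```

On a real host, replace the constructed dictionaries with the file contents read from sysfs and the cpuset strings taken from each domain's `<cputune>` section. Note that an unpinned vCPU is treated as able to run on every package, which is why `FLOATING_PINNING` is reported as sharing package 0 even though nothing was explicitly pinned there.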