Paper and Code:
https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/pessl
Test PoC: https://github.com/IAIK/drama
Summary:
This work (DRAMA, Pessl et al., USENIX Security 2016) reverse-engineers the mapping from physical addresses to DRAM channels, ranks, banks and rows, and then uses the per-bank row buffer as a timing side channel; the same mapping knowledge is what ties it to Rowhammer. In the keystroke attack, an unprivileged process in one VM can detect the timing of keystroke events system-wide, across VM boundaries, without any shared memory.
"In this attack, the spy and the victim can run on separate CPUs and do not share memory, i.e., no access to shared libraries and no page deduplication between VMs."
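To make the "no shared memory" point concrete, here is an added example of the inference step of such a row-buffer side channel. It is not code from the paper or from the IAIK/drama PoC: the spy repeatedly times an access that maps to the same bank as the victim's data but a different row, and a victim access shows up as a row-buffer miss (higher latency) in the spy's trace. The cycle counts, the traces, the median/MAD threshold and the debounce window are all constructed assumptions for illustration; a real spy would obtain the latencies with rdtsc around an access to a conflicting address found via the reverse-engineered mapping.

```python
# Added example (not from the DRAMA paper or the IAIK/drama PoC): event
# detection on a row-buffer conflict timing trace. All numbers are constructed.
import random
from statistics import median

ROW_HIT = (200, 220)   # assumed cycle range for a row-buffer hit (constructed)
ROW_CONFLICT = 330     # assumed cycles for a row-buffer miss (constructed)


def make_trace(length, events, width=3, jitter=ROW_HIT, seed=1):
    """Constructed probe trace: row-hit jitter, plus a conflict burst of
    `width` probes starting at each index in `events` (victim activity)."""
    rng = random.Random(seed)
    trace = [rng.randint(*jitter) for _ in range(length)]
    for start in events:
        for i in range(start, min(start + width, length)):
            trace[i] = ROW_CONFLICT
    return trace


def calibrate(baseline, k=4.0):
    """Robust threshold from a quiet trace (victim idle): median plus k
    scaled median absolute deviations (assumed detector, not the paper's)."""
    med = median(baseline)
    mad = median(abs(x - med) for x in baseline)
    return med + k * 1.4826 * mad


def detect_events(trace, threshold, min_gap=10):
    """Indices where latency exceeds the threshold, debounced so that one
    burst of conflicts (one keystroke handled by the victim) is one event."""
    events, last = [], -min_gap
    for i, lat in enumerate(trace):
        if lat > threshold and i - last >= min_gap:
            events.append(i)
            last = i
    return events


def usable(trace, threshold, max_fraction=0.2):
    """Noise check: if too many probes exceed the threshold (e.g. the spy's
    core is under load), the channel is saturated and events are meaningless."""
    above = sum(1 for lat in trace if lat > threshold)
    return above / len(trace) <= max_fraction


def run_demo():
    quiet = make_trace(1000, events=[])                       # calibration run
    threshold = calibrate(quiet)
    victim = make_trace(1000, events=[100, 250, 400])          # three keystrokes
    noisy = make_trace(1000, events=[100, 250, 400],
                       jitter=(200, 400), seed=2)              # loaded spy core
    return {
        "threshold": threshold,
        "events": detect_events(victim, threshold) if usable(victim, threshold) else None,
        "noisy_usable": usable(noisy, threshold),
    }


if __name__ == "__main__":
    print(run_demo())
```

The noisy trace is the situation the paper's evaluation describes for a loaded attacker core: the row-hit baseline itself spreads into the conflict range, the saturation check fails, and no event detection is attempted rather than reporting garbage.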
Mitigation:
From the paper's evaluation: "stress -m 2 in parallel (i.e., the attacker's core is under stress) made any measurements impossible. While no false positive detections occurred, only 9 events were correctly detected. Thus, our attack is susceptible to noise especially if the attacker only gets a fraction of CPU time on its core."
or
The paper also describes NUMA with non-interleaved memory, combined with CPU pinning, as a valid mitigation: spy and victim then run on different nodes and their memory sits behind different memory controllers, so they no longer contend for the same DRAM banks. The problem is that multi-node NUMA hardware exists mostly in server systems, and the two nodes a typical dual-socket machine offers give only two protection domains, which is not enough for a VM-based OS that isolates its workloads into many VMs.
The memory-stress countermeasure is too expensive for battery-powered devices and of questionable effectiveness.
Any real solution must live on the host, out of reach of malicious code inside the VM.
Conversation with Daniel Gruss (researcher):
https://www.whonix.org/pipermail/whonix-devel/2016-August/000707.html
https://www.whonix.org/pipermail/whonix-devel/2016-August/000709.html
https://www.whonix.org/pipermail/whonix-devel/2016-August/000710.html
https://www.whonix.org/pipermail/whonix-devel/2016-August/000711.html
https://www.whonix.org/pipermail/whonix-devel/2016-August/000712.html
https://www.whonix.org/pipermail/whonix-devel/2016-August/000717.html
https://www.whonix.org/pipermail/whonix-devel/2016-August/000722.html