<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
</head>
<body text="#000000" bgcolor="#FFFFFF">
Hi,<br>
<br>
Maybe I should be posting to the kvm mailing list, but I think
people here should know a thing or two about it.<br>
<br>
I just read the following research paper, and although the attack was
done on VMware, from what I read about it, it could be possible with
KSM on KVM also. If you really need tight security, it looks like it
would be better to disable KSM.<br>
<br>
But don't take my word for it as IANAC (I Am Not A Cryptographer). <br>
<blockquote><a class="moz-txt-link-freetext" href="http://soylentnews.org/article.pl?sid=14/06/12/1349234&amp;from=rss">http://soylentnews.org/article.pl?sid=14/06/12/1349234&amp;from=rss</a><br>
<div class="generaltitle">
<div class="title">
<h3> <a
href="http://soylentnews.org/article.pl?sid=14/06/12/1349234">Practical
Cross-VM AES Full Key Recovery Attack</a> </h3>
</div>
</div>
<div class="body"> posted by <a
href="http://soylentnews.org/%7Ejanrinok/"> janrinok</a> on
Thursday June 12, @02:53PM <br>
<div class="intro">
<p class="byline"> <a href="http://soylentnews.org/%7Edbot/">dbot</a>
writes:</p>
<p>Researchers from Worcester Polytechnic Institute
(Worcester, MA) have published a paper illustrating a <a
href="http://eprint.iacr.org/2014/435.pdf">practical full
Advanced Encryption Standard key recovery from AES
operations performed in one virtual machine, by another VM</a>
[<b>PDF</b>] running on the same hardware at the same time.</p>
<p>The attack specifically requires memory de-duplication to
be enabled, and they target VMware's VM software. Combining
various attacks on memory de-duplication, and existing side
channel attacks:</p>
<blockquote>
<div>
<p>In summary, this work:</p>
<ul>
<li>shows for the first time that de-duplication enables
fine grain cross-VM attacks;</li>
<li>introduces a new Flush+Reload based attack that does
not require interrupting the victim after each
encryption round;</li>
<li>presents the first practical cross-VM attack on AES;
the attack is generic and can be adapted to any
table-based block ciphers.</li>
</ul>
</div>
</blockquote>
<p>They target OpenSSL 1.0.1.</p>
<p>It will be interesting to see if the suggested
countermeasure, flushing the T table cache after each
operation (effective against other Flush+Reload attacks), is
added to LibreSSL. Will it be left out, in the name of
performance - or will they move to a different
implementation of AES (not T table-based)?</p>
</div>
</div>
</blockquote>
Kind regards,<br>
<br>
Jorick Astrego<br>
Netbulae<br>
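<br>
Added example, not part of the original message or of any project's code: a shell audit of the KSM state on a Linux/KVM host, for the suggestion above to disable KSM. The function names are hypothetical; the sysfs files (run, pages_shared, pages_sharing under /sys/kernel/mm/ksm) are the kernel's KSM interface, and the directory is a parameter so the check can also run against a constructed fixture.<br>

```shell
#!/bin/sh
# Added example: audit Linux KSM (Kernel Samepage Merging) on a KVM host.
# Function names are hypothetical; the sysfs file names are the kernel's.

# Read one KSM counter; print 0 if the file is missing or unreadable.
ksm_read() {
    if [ -r "$1/$2" ]; then cat "$1/$2"; else echo 0; fi
}

# Exit status: 0 = no merging and no merged pages left,
#              1 = ksmd is merging, or previously merged pages are still shared,
#              2 = KSM interface not present at the given directory.
ksm_audit() {
    dir="${1:-/sys/kernel/mm/ksm}"
    if [ ! -r "$dir/run" ]; then
        echo "KSM: not available at $dir"
        return 2
    fi
    run=$(ksm_read "$dir" run)
    shared=$(ksm_read "$dir" pages_shared)
    sharing=$(ksm_read "$dir" pages_sharing)
    echo "KSM: run=$run pages_shared=$shared pages_sharing=$sharing"
    if [ "$run" -eq 1 ]; then
        echo "KSM: ksmd is actively merging identical pages"
        return 1
    fi
    # run=0 only stops ksmd; pages merged earlier stay shared.
    # Only run=2 unmerges them, so check the counters as well.
    if [ "$shared" -gt 0 ] || [ "$sharing" -gt 0 ]; then
        echo "KSM: stopped, but merged pages remain (write 2 to $dir/run)"
        return 1
    fi
    echo "KSM: off, no merged pages"
    return 0
}

# Stop ksmd and unmerge all merged pages (needs root on a real host).
ksm_disable() {
    dir="${1:-/sys/kernel/mm/ksm}"
    echo 2 > "$dir/run"
}
```

Call ksm_audit with no argument to check the running host; a non-zero status means pages are, or may still be, shared between guests.<br>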
</body>
</html>