
Hi,

Maybe I should be posting to the kvm mailing list, but I think people here should know a thing or two about it.

I just read the following research paper, and although the attack was done on VMware, from what I read about it, it could be possible with KSM on KVM also. If you really need tight security it looks like it would be better to disable KSM.

But don't take my word for it as IANAC (I Am Not A Cryptographer).

> http://soylentnews.org/article.pl?sid=14/06/12/1349234&from=rss
>
> Practical Cross-VM AES Full Key Recovery Attack
> posted by janrinok <http://soylentnews.org/%7Ejanrinok/> on Thursday June 12, @02:53PM
>
> dbot <http://soylentnews.org/%7Edbot/> writes:
>
> Researchers from Worcester Polytechnic Institute (Worcester, MA) have published a paper illustrating a practical full Advanced Encryption Standard key recovery from AES operations performed in one virtual machine, by another VM running on the same hardware at the same time <http://eprint.iacr.org/2014/435.pdf> [PDF].
>
> The attack specifically requires memory de-duplication to be enabled, and they target VMware's VM software. Combining various attacks on memory de-duplication and existing side-channel attacks:
>
> > In summary, this work:
> >
> > * shows for the first time that de-duplication enables fine-grained cross-VM attacks;
> > * introduces a new Flush+Reload based attack that does not require interrupting the victim after each encryption round;
> > * presents the first practical cross-VM attack on AES; the attack is generic and can be adapted to any table-based block cipher.
>
> They target OpenSSL 1.0.1.
>
> It will be interesting to see if the suggested countermeasure, flushing the T table cache after each operation (effective against other Flush+Reload attacks), is added to LibreSSL. Will it be left out, in the name of performance - or will they move to a different implementation of AES (not T table-based)?

Kind regards,

Jorick Astrego
Netbulae
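Checking whether KSM is actually merging guest pages on a KVM host, and stopping it, as an added example that is not part of the original message or of the paper. The sysfs files under /sys/kernel/mm/ksm are the kernel's real KSM control interface; the optional root argument exists only so the functions can be exercised against a constructed copy of that directory.

```shell
#!/bin/sh
# Added example: inspect and disable Kernel Samepage Merging (KSM), the
# memory de-duplication feature on KVM hosts. Paths are the kernel's own
# sysfs interface; the optional argument overrides the root for testing.

# Prints KSM state; returns 0 when de-duplication is active (daemon running
# or pages still merged), 1 when inactive, 2 when KSM is not built in.
ksm_status() {
    root="${1:-/sys/kernel/mm/ksm}"
    if [ ! -r "$root/run" ]; then
        echo "ksm: not available (no $root/run)"
        return 2
    fi
    run=$(cat "$root/run")
    # pages_shared: distinct physical pages currently shared
    # pages_sharing: additional mappings pointing at those shared pages
    shared=$(cat "$root/pages_shared" 2>/dev/null || echo 0)
    sharing=$(cat "$root/pages_sharing" 2>/dev/null || echo 0)
    case "$run" in
        0) state="stopped (previously merged pages remain shared)" ;;
        1) state="running" ;;
        2) state="stopped and unmerged" ;;
        *) state="unknown ($run)" ;;
    esac
    echo "ksm: $state; pages_shared=$shared pages_sharing=$sharing"
    [ "$run" = "1" ] || [ "$sharing" -gt 0 ]
}

# Writing 2 stops the ksmd daemon AND unmerges every shared page, so guests
# stop sharing physical frames. Writing 0 only stops the daemon and leaves
# existing merged pages in place, which is not enough for this threat.
# The setting is not persistent: on distributions that ship the ksm/ksmtuned
# services, disable those too or it will be re-enabled at boot.
ksm_disable() {
    root="${1:-/sys/kernel/mm/ksm}"
    echo 2 > "$root/run"
}

if [ "${1:-}" = "--disable" ]; then
    ksm_disable && ksm_status
else
    ksm_status
fi
```

Run without arguments to audit a host; an exit status of 0 means guest memory is currently being de-duplicated.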