[ovirt-users] KSM and cross-vm attack

Jorick Astrego j.astrego at netbulae.eu
Thu Jun 12 21:59:52 UTC 2014


Hi,

Maybe I should be posting to the kvm mailing list, but I think people 
here should know a thing or two about it.

I just read the following research paper and although the attack was 
done on VMWare; from what I read about it, it could be possible with KSM 
on KVM also. If you really need tight security it looks like it would be 
better to disable KSM.

But don't take my word for it as IANAC (I Am Not A Cryptographer).

    http://soylentnews.org/article.pl?sid=14/06/12/1349234&from=rss


          Practical Cross-VM AES Full Key Recovery Attack
          <http://soylentnews.org/article.pl?sid=14/06/12/1349234>

    posted by janrinok <http://soylentnews.org/%7Ejanrinok/> on Thursday
    June 12, @02:53PM

    dbot <http://soylentnews.org/%7Edbot/> writes:

    Researchers from Worcester Polytechnic Institute (Worcester, MA),
    have published a paper illustrating a practical full Advanced
    Encryption Standard key recovery from AES operations performed in
    one virtual machine, by another VM
    <http://eprint.iacr.org/2014/435.pdf> [*PDF*] running on the same
    hardware at the same time.

    The attack specifically requires memory de-duplication to be
    enabled, and they target VMWare's VM software. Combining various
    attacks on memory de-duplication, and existing side channel attacks:

        In summary, this work:

          * shows for the first time that de-duplication enables fine
            grain cross-VM attacks;
          * introduces a new Flush+Reload based attack that does not
            require interrupting the victim after each encryption round;
          * presents the first practical cross-VM attack on AES; the
            attack is generic and can be adapted to any table-based
            block ciphers.

    They target OpenSSL 1.0.1.

    It will be interesting to see if the suggested countermeasure,
    flushing the T table cache after each operation (effective against
    other Flush+Reload attacks), is added to LibreSSL. Will it be left
    out, in the name of performance - or will they move to a different
    implementation of AES (not T table-based)?

Kind regards,

Jorick Astrego
Netbulae
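
A host-side check for the mitigation suggested in the message above (disabling KSM), added here as an example and not part of the original post. It reads the kernel's KSM sysfs interface under /sys/kernel/mm/ksm; the function names ksm_state and ksm_exposed are hypothetical, and the directory argument exists only so the logic can be exercised against a constructed copy of those files.

```shell
#!/bin/sh
# Added example: audit Kernel Samepage Merging (KSM) on a KVM host.
# Kernel semantics of /sys/kernel/mm/ksm/run:
#   0 = ksmd stopped, but pages that were already merged STAY merged
#   1 = ksmd running and merging pages
#   2 = ksmd stopped and all merged pages are unmerged again
# pages_sharing counts how many pages currently map onto a shared copy.

# Print: absent | running | stopped-merged | stopped | unmerged | unknown
ksm_state() {
    dir="${1:-/sys/kernel/mm/ksm}"
    [ -r "$dir/run" ] || { echo absent; return 0; }
    run=$(cat "$dir/run")
    sharing=$(cat "$dir/pages_sharing" 2>/dev/null || echo 0)
    case "$run" in
        1) echo running ;;
        2) echo unmerged ;;
        0) if [ "$sharing" -gt 0 ]; then
               echo stopped-merged   # ksmd is off, de-duplication still in effect
           else
               echo stopped
           fi ;;
        *) echo unknown ;;
    esac
}

# Succeeds (exit 0) when guest memory is, or may become, de-duplicated.
ksm_exposed() {
    case "$(ksm_state "$1")" in
        running|stopped-merged) return 0 ;;
        *) return 1 ;;
    esac
}

state=$(ksm_state)
echo "KSM state on this host: $state"
if ksm_exposed; then
    echo "Memory de-duplication is in effect."
    echo "To stop ksmd and unmerge shared pages (as root):"
    echo "  echo 2 > /sys/kernel/mm/ksm/run"
    echo "Also disable any service that re-enables KSM (e.g. ksmtuned, if installed)."
fi
```

Writing 0 to run is not enough on a host that has already merged pages, which is why the check distinguishes stopped-merged from stopped.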