Usenix security10-rump session-suzaki
Upcoming SlideShare
Loading in...5
×
 

Usenix security10-rump session-suzaki

on

  • 931 views

 

Statistics

Views

Total Views
931
Views on SlideShare
931
Embed Views
0

Actions

Likes
0
Downloads
2
Comments
0

0 Embeds 0

No embeds

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

Usenix security10-rump session-suzaki Usenix security10-rump session-suzaki Presentation Transcript

  • Security on Memory Deduplication (of IaaS cloud Computing) Kuniyasu Suzaki, T hiki Y i K K i S ki Toshiki Yagi, Kengo Iiji Iijima, N Nguyen Anh Quynh, C ill A th A hQ h Cyrille Artho Research Center of Information Security National Institute of Advanced Industrial Science and Technology
  • Memory Deduplication • Technique to share same content pages. • Reduce consumption of physical memory. – It is very effective, when same guest OS runs on several VMs. • On Virtual Machine Monitor – Disco[OSDI97] has Transparent Page Sharing – VMWare ESX has Content-Based Page Sharing [SOSP02] – Xen has Satori[USENIX09] and Differential Engine[OSDI08] • On Kernel Guest Physical Memory – Linux has KSM (Kernel Samepage Merging) VM1 VM2 VM(n) from 2.6.32 [LinuxSymp09] • Memory of Process(es) are deduplicated • KVM uses this mechanism Kuniyasu Suzaki USENIX Security 2010 Rump Session Real Physical Memory
  • Memory Deduplication strengthens OS • Encourage to translate from dynamic-link to self-contained binary, because memory redundancy is shrunk by deduplication. – It mitigates some security problems caused by logical sharing: Search Path Replacement Attack, GOT (Global Offset Table) overwrite attack, Dependency Hell, Etc. p y • “Moving from Logical Sharing of Guest OS to Physical Sharing of Deduplication on Virtual Machine” [HotSec10] [USENIX Security10 Poster] • In this rump session, I want to talk “Memory Deduplication has security problems”. Kuniyasu Suzaki USENIX Security 2010 Rump Session
  • Memory Peeking between VMs • When a write access is issued to a deduplicated page on a VM, a physical copy of the page is created. (CopyOnWrite) – It causes time difference between deduplicated and non- deduplicated page. • Attacker VM detects existence of a certain page on neighbor VMs. • We developed methods of memory peeking on a VM. • It is a kind of Cross VM Side Channel Attack [CCS09] – [CCS09] used CPU Cache which is shared by VMs Kuniyasu Suzaki USENIX Security 2010 Rump Session
  • Problem for Attackers & us :-) • Exact match of 4KB page – 4KB is too large • Attacker has to prepare the same 4KB page • Difficult for key Exposure • Attacker can not decide which VM has the same page, page when many VMs run. – [CCS09] can decide VM which is shared by Cache. Guest Physical Memory VM1 VM2 VM(n) • Threat Model is weak? Kuniyasu Suzaki USENIX Security 2010 Rump Session Real Physical Memory
  • Should we use memory peeking for defense on Multi-tenant Cloud Computing? • The memory peeking does not requires any penetration on a target VM. It only measures the own memory access. • It is used for – Detecting un-secure applications on VMs. g pp – Detecting illegal downloads. • Merit: It does not care cryptographic communication. – Detecting … Guest Physical Memory VM1 VM2 VM(n) Kuniyasu Suzaki USENIX Security 2010 Rump Session Real Physical Memory
  • Please tell me • Strong Threat Model for memory deduplication (4KB) • Practical Usage of memory peeking for Defense • Contact: – E-mail: k.suzaki@aist.go.jp – Twitter: @KuniSuzaki – Slide: http://www.slideshare.net/suzaki Guest Physical Memory VM1 VM2 VM(n) Kuniyasu Suzaki USENIX Security 2010 Rump Session Real Physical Memory