CoWLight: Hardware Assisted Copy-on-Write Fault Handling for Secure Deduplication

Memory deduplication in virtualized systems has been shown to be a very useful memory optimization, as it is simple to use and provides memory-efficient cloud hosting. However, memory deduplication based side-channel attacks (information disclosure attacks and covert channel construction across virtual machines) can be mounted using the timing information available because of Copy-on-Write (CoW) fault handling semantics. The CoW semantic has been a necessary evil with regard to deduplication: it plays a vital role in supporting guest-OS-transparent deduplication, but it enables a timing channel for exploitation. Thus, to decimate the huge access time difference between a normal write and a write to a shared page, we propose CoWLight, a combination of hardware and software techniques for handling CoW page faults in an efficient manner. In this work, we propose to address the security issue at its genesis, by offloading CoW fault handling to the hardware itself, as opposed to mitigating its side effects. Further, we show that CoWLight can reduce the access latency differences significantly (by up to 30x), which is within the noise thresholds in a moderately busy system.
