Latest Posts



Translate

Total Pageviews

Sunday, 19 October 2014

Security considerations and disallowing inter-Virtual Machine Transparent Page Sharing (2080735)

Purpose

This article acknowledges the recent academic research that leverages Transparent Page Sharing (TPS) to gain unauthorized access to data under certain highly controlled conditions and documents VMware’s precautionary measure of no longer enabling TPS in upcoming ESXi releases. At this time, VMware believes that the published information disclosure due to TPS between virtual machines is impractical in a real world deployment.
 
Published academic papers have demonstrated that by forcing a flush and reload of cache memory, it is possible to measure memory timings to try and determine an AES encryption key in use on another virtual machine running on the same physical processor of the host server if Transparent Page Sharing is enabled. This technique works only in a highly controlled system configured in a non-standard way that VMware believes would not be recreated in a production environment. 

Even though VMware believes information being disclosed in real world conditions is unrealistic, out of an abundance of caution upcoming ESXi Update releases will no longer enable TPS between Virtual Machines by default.

Below is further information on the changes to TPS and the new ways of managing TPS.

Details

Although VMware believes the risk of TPS being used to gather sensitive information is low, we strive to ensure that products ship with default settings that are as secure as possible. For this reason inter-Virtual Machine TPS will no longer be enabled by default starting with the following releases:
  • ESXi 5.5 Update release - Q1 2015
  • ESXi 5.1 Update release - Q4 2014
  • ESXi 5.0 Update release - Q1 2015
  • The next major version of ESXi
Administrators may revert to the previous behavior if they so wish. 
Prior to the above ESXi Update releases, VMware will release ESXi patches that introduce additional TPS management capabilities. These ESXi patches will not change the existing settings for inter-VM TPS. The planned ESXi patch releases are:
Frequently Asked Questions
Where can I find more information on Transparent Page Sharing?
Why is VMware disallowing inter-VM TPS in the ESXi Update releases?
Although VMware believes the risk of TPS being used to gather sensitive information is low, we strive to ensure that products ship with default settings that are as secure as possible.  
Which ESXi releases will no longer allow inter-VM TPS by default?
The following planned ESXi Update releases no longer allow TPS by default:
  • ESXi 5.5 Update release – Q1 2015
  • ESXi 5.1 Update release – Q4 2014
  • ESXi 5.0 Update release  - Q1 2015
  • The next major version of ESXi
Which ESXi patches will introduce the additional TPS management capabilities?
The following planned ESXi patches introduce the additional TPS management capabilities:
Where are the additional TPS management capabilities documented?
What will happen if TPS at the host level is switched off?
Disabling inter-Virtual Machine TPS may impact performance in environments that rely heavily on memory over-commitment. For more information on memory management techniques, see the ESXi and Virtual Machines section of the Performance Best Practices for VMware vSphere® 5.1 Guide
Further, certain workloads such as VMware Horizon may achieve higher virtual machine consolidation ratios on ESXi hosts when TPS is enabled. For more information on memory considerations in Horizon environments, see the RAM Sizing Impact on Performance section of theView Architecture Planning Guide.
You should review the level of over-commitment before disabling inter-Virtual Machine TPS. The amount of inter-Virtual Machine TPS can be determined with the resxtop and esxtop command-line utilities. For more information, see the VMware vSphere 5.5 Documentation
How can I prepare for the ESXi Update releases that no longer allow inter-Virtual Machine TPS by default?
VMware recommends monitoring your deployment's use of TPS before making any changes to the settings. For more information, seeVMware ESXi 5.5, Patch ESXi550-201410401-BG: Updates esx-base (2087359).
How can inter-VM TPS be re-enabled after deploying the ESXi Update releases?
VMware Knowledge Base article Additional Transparent Page Sharing management capabilities in ESXi 5.5 patch October 16, 2014 and ESXi 5.1 and 5.0 patches in Q4, 2014 (2091682) documents how inter-Virtual Machine TPS can be re-enabled for all Virtual Machines and for groups of Virtual Machines.
What is the risk for information disclosure due to Transparent Page Sharing?
Currently, VMware believes that the risk of information disclosure described in the recent academic papers leveraging TPS between Virtual Machines is very small in real world conditions. The conditions under which the researchers were able to extract AES encryption keys are very specific and are unlikely to be present in a real world deployment.
What did the researchers find?
Published academic papers have demonstrated that by forcing a flush and reload of cache memory, it is possible to measure memory timings to determine an AES encryption key in use on another virtual machine running on the same physical processor of the host server if Transparent Page Sharing is enabled. This technique works only in a highly controlled environment using a non-standard configuration.
Is inter-process side channel leakage a new area of research?
Side channel attacks that exploit information leakage from resources shared between processes running on a common processor is an area of research that has been explored for several years. Although largely theoretical, techniques are continuously improving as researchers build on each other’s work. Although this is not a problem unique to VMware technology, VMware does work with the research community to ensure that the issues are fully understood and to implement mitigation into our products when appropriate
What is the previously documented way of disabling Transparent Page Sharing that was present in this KB before?
VMware strongly suggests using the new, additional TPS management capabilities to disable TPS. The earlier documented procedure to disable inter-Virtual Machine TPS on ESX\ESXi hosts is as follows:
  1. Log in to ESX\ESXi or vCenter Server using the vSphere Client. 
  2. If connected to vCenter Server, select the relevant ESX\ESXi host. 
  3. In the Configuration tab, click Advanced Settings under the software section. 
  4. In the Advanced Settings window, click Mem
  5. Look for Mem.ShareScanGHz and set the value to 0. 
  6. Click OK
  7. Perform one of the following to make the TPS changes effective immediately:
    • Migrate all the virtual machines to other host in cluster and back to original host.
    • Shutdown and power-on the virtual machines.
How can I disable Transparent Page Sharing on ESX\ESXi 4.x?
Use the To disable inter-Virtual Machine TPS on ESX\ESXi hosts section mentioned above.
What do I need to do if I am using the disable inter-Virtual Machine TPS on ESX\ESXi hosts above?
Prior to enabling salting (for more information, see Additional Transparent Page Sharing management capabilities in ESXi 5.5 patch October 16, 2014 and ESXi 5.1 and 5.0 patches in Q4, 2014 (2091682)), the value of Mem.ShareScanGHz must be set to its default value of 4.  
Source KB:-
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2080735&src=vmw_so_vex_ragga_1012