CURRENT: bhyve and Kernel SamePage Mergin

O. Hartmann ohartman at zedat.fu-berlin.de
Thu Jun 9 17:00:20 UTC 2016 

Am Thu, 9 Jun 2016 09:18:40 +0100
David Chisnall <theraven at FreeBSD.org> schrieb:

> If this paper is the one that I think it is, then I was one of the reviewers.  Their
> attack is neat, but it depends quite a lot on being able to deterministically trigger
> deduplication.  Their proof-of-concept exploit was on Windows (and JavaScript attack
> was really fun) and I’m not convinced that it would work reliably on Linux or VMWare
> ESX, which both defer deduplication for as long as possible to avoid NUMA-related
> overheads.
> 
> We don’t currently have a FreeBSD implementation, but if someone wanted to provide one
> then a defence against this attack would be fairly simple: count the number of CoW
> faults that a process is receiving and if it reaches a certain threshold then remove
> all of its memory from the set of eligible pages.  The attack relies on being able to
> repeatedly trigger CoW faults and time whether they occur, with the same set of pages.
> At least some existing implementations will make this impossible as these pages will
> repeatedly be deduplicated and then duplicated and this is already a pathological case
> that most memory deduplication implementations need to handle (as well as being a
> security hole, it’s also a big performance killer).
> 
> Kib has been working on ASLR for FreeBSD (I think it’s in 11?), but at this point it’s
> more of a checkbox item than a serious mitigation technique.  It adds a little bit of
> work for attackers, but there are so many attacks that can bypass ASLR even with strong
> entropy that it just increases the work factor slightly.  If you’re running code
> written in C, then you’re better off relying on Capscium compartmentalisation to limit
> what the attacker can do once they’ve compromised it.
> 
> David
> 
> > On 8 Jun 2016, at 16:01, O. Hartmann <ohartman at zedat.fu-berlin.de> wrote:
> > 
> > A couple of days I got as a responsible personell for a couple of systems a warning
> > about the vulnerabilities of the mechanism called "Kernel SamePage Mergin". On this
> > year's IEEE symposion there has been submitted a paper by Bosman et al., 2016,
> > describing an attack on KSM. This technique, also referred to as memory/page
> > deduplication, seems to be vulnerable by design under certain circumstances. I guess
> > the experts of the readers here do already know, but I consider myself a non-expert
> > and therefore, I'd like to ask about the status of that kind of development in
> > FreeBSD. I read about a project of last year's Google Summer of Code 2015 targetting
> > KSM on FreeBSD.
> > 
> > In Linux, this deduplication techniques is implemented since kernel 2.6.38 and Windows
> > Kernel uses this techniques since Windows 8.1 and sibblings (also Windows Server). We
> > were strongly advised to disable those "features" in Windows clients, servers and
> > Linux servers, if used.
> > 
> > Other papers describe successful attacks on memory contents and ASLR by misusing KSM.
> > On Windows, mmap() entropy is 19bit, on Linux usually 28bit. And FreeBSD (if
> > planned/used/already implemented?)? 
> > 
> > If you are interested I could provide links or PDFs of the papers I already gathered
> > about that subject (it is not much, simply google for "KSM FReeBSD" or KSM
> > deduplication ASLR).
> > 
> > Thanks in advance,
> > 
> > oh  
> 

Hello David,

sorry for the lack of references. 

Bosman et al., 2016: doi: 10.1109/SP.2016.63
(http://www.ieee-security.org/TC/SP2016/papers/0824a987.pdf), this paper has been subject
of a warning given to institutions.

An older one, but also interesting, is

Xiao et al., 2013: doi: 10.1109/DSN.2013.6575349
(http://www.cs.wm.edu/~hnw/paper/memdedup.pdf) 

and this one 

Barresi et al., 2015 (https://www.usenix.org/node/191961).

The first paper is of (my) concern, since it triggered some interests and couriosities of
mine.

Regards,

Oliver Hartmann

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 473 bytes
Desc: OpenPGP digital signature
URL: <http://lists.freebsd.org/pipermail/freebsd-current/attachments/20160609/d84c1abf/attachment.sig>

More information about the freebsd-current mailing list