Abstract
In virtualized environments, modern operating systems take advantage of memory deduplication feature to efficiently manage physical memory. However, the adoption of this technique has given rise to memory deduplication attacks that disclose memory pages used by a victim VM. All these attacks rely on the latency of the memory write operation to distinguish deduplicated pages from other pages. While performing such attacks in a cross-VM attack scenario is relatively straightforward, implementing a remote memory deduplication attack is not trivial due to the limitations in issuing memory write requests to the desired physical page on the remote machine. In this paper, we present a novel memory deduplication attack that exploits the memory page management mechanism in Kernel Samepage Merging (KSM). Modern implementation of KSM enforces the maximum number of shared pages for performance reasons. Therefore, if the number of pages with the same content exceeds the maximum page limit, they can refer to different physical pages despite having the same content. We exploit this property by intentionally mapping the maximum number of pages, causing two physical pages with the same content to exist in the physical memory. Unlike the previous work, our attack measures the latency for the memory unmap operation to figure out the victim VM’s memory page. This novel type of attack allows an attacker to infer other applications’ memory pages, such as the Nginx web server, without relying on the memory write operation.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
phstee: Cache and memory manager improvements. Technical report, Microsoft (2022). https://learn.microsoft.com/en-us/windows-server/administration/performance-tuning/subsystem/cache-memory-management/improvements-in-windows-server
Arcangeli, A., Eidus, I., Wright, C.: Increasing memory density by using KSM. In: Proceedings of the Linux Symposium, pp. 19–28. Citeseer (2009)
VMware vsphere product documentation “memory sharing”. Technical report, VMware (2022). https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.resmgmt.doc/GUID-FEAC3A43-C57E-49A2-8303-B06DBC9054C5.html
Suzaki, K., Iijima, K., Yagi, T., Artho, C.: Memory deduplication as a threat to the guest OS. In: Proceedings of the Fourth European Workshop on System Security, EUROSEC 2011. Association for Computing Machinery (2011)
Lindemann, J., Fischer, M.: A memory-deduplication side-channel attack to detect applications in co-resident virtual machines. In: SAC 2018, pp. 183–192. Association for Computing Machinery (2018)
Kim, T., Kim, T., Shin, Y.: Breaking KASLR using memory deduplication in virtualized environments. Electronics 10(17) (2021)
Gruss, D., Bidner, D., Mangard, S.: Practical memory deduplication attacks in sandboxed Javascript. In: Pernul, G., Ryan, P.Y.A., Weippl, E. (eds.) ESORICS 2015. LNCS, vol. 9326, pp. 108–122. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-24174-6_6
Schwarzl, M., Kraft, E., Lipp, M., Gruss, D.: Remote memory-deduplication attacks. In: NDSS 2022 (2022). Network and Distributed System Security Symposium
Bader, S.: Ubuntu Linux package, “Linux 4.4.0-96.119 source package in ubuntu”. Technical report, Canonical (2017). https://launchpad.net/ubuntu/+source/linux/4.4.0-96.119
Fang, C., et al.: REPTTACK: exploiting cloud schedulers to guide co-location attacks. In: NDSS 2021 (2021). Network and Distributed System Security Symposium
Rostedt, S.: lwn.net, “using the trace_event() macro (part 1)”. Technical report, Eklektix (2010). https://lwn.net/Articles/379903
Rostedt, S.: lwn.net, “using the trace_event() macro (part 3)”. Technical report, Eklektix (2010). https://lwn.net/Articles/383362
Acknowledgements
This research was supported by the National Research Foundation of Korea(NRF) grant funded by the Korea government (MSIT) (No. 2023R1A2C2006).
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2024 The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.
About this paper
Cite this paper
Bae, S., Kim, T., Lee, W., Shin, Y. (2024). Exploiting Memory Page Management in KSM for Remote Memory Deduplication Attack. In: Kim, H., Youn, J. (eds) Information Security Applications. WISA 2023. Lecture Notes in Computer Science, vol 14402. Springer, Singapore. https://doi.org/10.1007/978-981-99-8024-6_19
Download citation
DOI: https://doi.org/10.1007/978-981-99-8024-6_19
Published:
Publisher Name: Springer, Singapore
Print ISBN: 978-981-99-8023-9
Online ISBN: 978-981-99-8024-6
eBook Packages: Computer ScienceComputer Science (R0)