Defcon talk: Hacking Inter-VM Instance data


The talk is available in PDF form on the Defcon media servers:

Inter-VM data exfiltration – The art of cache timing covert channel on x86 multi-core, by Etienne Martineau, a kernel developer.


So how can you steal data from one VM instance while running on another on the same hypervisor machine? The key is the L3 cache, which is shared by all the VM instances:

From here Etienne outlines how he tested it. Many of his exfiltration attempts were unsuccessful; the signal had to be ascertained by finding the various CPU frequencies within a hyper-threaded environment (which emits radio frequencies).

Etienne ingeniously reverse engineered the radio frequency of another CPU multi-threading instance.

The multi-threading technology, together with the shared L3 cache, is what allows this to happen:

After some investigation and testing he settled on option 3:

There is much more in his PDF; let’s now skip to the mitigations:

Disable page de-duplication (KSM) / per-VM policy

  • No inter-VM shared read-only pages
  • Flush (‘clflush’) and reload won’t work
  • No OS/application fingerprinting (de-duplication page fault)
  • Higher memory cost

x86 ‘clflush’ instruction: privilege?

  • Microcode

Co-location policy (per-core / per-socket / per-box)

Detection

  • Hardware counters
  • Inter-VM scheduling “abnormality”
  • TSC-related “abnormality”
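The first mitigation on the list, stopping KSM page de-duplication on a Linux KVM host, is something you can audit and apply from the shell. The script below is an added example, not code from the talk or from this post; it assumes the standard sysfs interface under /sys/kernel/mm/ksm (KSM_DIR can be pointed at another directory for testing) and the libvirt nosharepages setting for the per-VM variant.

```shell
#!/bin/sh
# Added example (not from the talk or the post): audit and stop KSM page
# de-duplication on a Linux KVM host. Assumes the standard sysfs interface
# under /sys/kernel/mm/ksm; set KSM_DIR to point elsewhere for testing.

ksm_dir() { printf '%s' "${KSM_DIR:-/sys/kernel/mm/ksm}"; }

# Report KSM state. run: 0 = ksmd stopped, 1 = merging, 2 = stopping and
# unmerging. pages_shared > 0 means de-duplicated pages still exist, i.e.
# read-only pages shared across VMs that a flush-and-reload probe keys on.
ksm_report() {
    d=$(ksm_dir)
    [ -r "$d/run" ] || { echo "KSM interface not present at $d"; return 2; }
    printf 'run=%s pages_shared=%s pages_sharing=%s\n' \
        "$(cat "$d/run")" "$(cat "$d/pages_shared")" "$(cat "$d/pages_sharing")"
}

# Return 0 only when ksmd is stopped and no merged pages remain.
ksm_is_off() {
    d=$(ksm_dir)
    [ -r "$d/run" ] || return 2
    [ "$(cat "$d/run")" = "0" ] && [ "$(cat "$d/pages_shared")" = "0" ]
}

# Stop ksmd and unmerge everything it has already de-duplicated (run=2),
# then leave it stopped (run=0). Writing 0 alone would keep the existing
# merged pages, so the shared read-only pages would still be there.
ksm_disable() {
    d=$(ksm_dir)
    echo 2 > "$d/run" || return 1
    echo 0 > "$d/run" || return 1
    ksm_report
}

# Per-VM policy instead of a host-wide switch (libvirt): adding
#   <memoryBacking><nosharepages/></memoryBacking>
# to a guest's domain XML marks only that guest's memory unmergeable.
```

Run `ksm_report` to see the current state and `ksm_disable` (as root) to stop and unmerge; a host that still shows pages_shared above zero after that has not fully applied the mitigation.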


This is just an example of what can happen when somebody reverse engineers and tinkers (what used to be called hacking). So if Etienne can do it, make no mistake: others are doing it. If you are on a multi-tenant VM hypervisor machine the chance may be low today, but it will increase with time. So my recommendation would be to fix and mitigate ahead of this kind of stealthy attack.
