research-article

Secure Page Fusion with VUsion: https://www.vusec.net/projects/VUsion

Authors:

Marco Oliverio,

Cristiano GiuffridaAuthors Info & Claims

SOSP '17: Proceedings of the 26th Symposium on Operating Systems Principles

Pages 531 - 545

https://doi.org/10.1145/3132747.3132781

Published: 14 October 2017 Publication History

Abstract

To reduce memory pressure, modern operating systems and hypervisors such as Linux/KVM deploy page-level memory fusion to merge physical memory pages with the same content (i.e., page fusion). A write to a fused memory page triggers a copy-on-write event that unmerges the page to preserve correct semantics. While page fusion is crucial in saving memory in production, recent work shows significant security weaknesses in its current implementations. Attackers can abuse timing side channels on the unmerge operation to leak sensitive data such as randomized pointers. Additionally, they can exploit the predictability of the merge operation to massage physical memory for reliable Rowhammer attacks. In this paper, we present VUsion, a secure page fusion system. VUsion can stop all the existing and even new classes of attack, where attackers leak information by side-channeling the merge operation or massage physical memory via predictable memory reuse patterns. To mitigate information disclosure attacks, we ensure attackers can no longer distinguish between fused and non-fused pages. To mitigate memory massaging attacks, we ensure fused pages are always allocated from a high-entropy pool. Despite its secure design, our comprehensive evaluation shows that VUsion retains most of the memory saving benefits of traditional memory fusion with negligible performance overhead while maintaining compatibility with other advanced memory management features.

Supplementary Material

MP4 File (page_fusion.mp4)

Download
2059.14 MB

References

[1]

2015. Idle Page Tracking. (2015). Retrieved 25.8.2017 from https://www.kernel.org/doc/Documentation/vm/idle_page_tracking.txt

[2]

2016. (March 2016). Retrieved 25.8.2017 from http//:www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3272

[3]

2016. STREAM: Sustainable Memory Bandwidth in High Performance Computers. (2016). Retrieved 25.8.2017 from https://www.cs.virginia.edu/stream/

[4]

2017. memtier benchmark: A High-Throughput Benchmarking Tool for Redis and Memcached. (2017). Retrieved 25.8.2017 from https://github.com/RedisLabs/memtier benchmark

[5]

2017. WRK - a HTTP Benchmarking Tool. (2017). Retrieved 25.8.2017 from https://github.com/wg/wrk

[6]

Advanced Micro Device. 2013. AMD64 Architecture Programmer's Manual Volume 2: System Programming.

[7]

José Bacelar Almeida, Manuel Barbosa, Gilles Barthe, François Dupressoir, and Michael Emmi. 2016. Verifying Constant-Time Implementations (SEC'16).

[8]

Andrea Arcangeli. 2010. Transparent Hugepage Support. KVM Forum (2010).

[9]

Andrea Arcangeli, Izik Eidus, and Chris Wright. 2009. Increasing Memory Density by Using KSM (OLS'09).

[10]

Sean Barker, Timothy Wood, Prashant Shenoy, and Ramesh Sitaraman. 2012. An Empirical Study of Memory Sharing in Virtual Machines (USENIX ATC'12).

Digital Library

[11]

Antonio Barresi, Kaveh Razavi, Mathias Payer, and Thomas R. Gross. 2015. CAIN: Silently Breaking ASLR in the Cloud (WOOT'15).

Digital Library

[12]

Ravi Bhargava, Benjamin Serebrin, Francesco Spadini, and Srilatha Manne. 2008. Accelerating Two-dimensional Page Walks for Virtualized Systems (ASPLOS XIII).

Digital Library

[13]

Erik Bosman, Kaveh Razavi, Herbert Bos, and Cristiano Giuffrida. 2016. Dedup Est Machina: Memory Deduplication as an Advanced Exploitation Vector (SP'16).

[14]

Sergey Bratus, Michael E. Locasto, Meredith L. Patterson, Len Sassaman, and Anna Shubina. 2011. Exploit Programming: From Buffer Overflows to "Weird Machines" and Theory of Computation (;login:).

[15]

Yu Cai, Saugata Ghose, Yixin Luo, Ken Mai, Onur Mutlu, and Erich F. Haratsch. 2017. Vulnerabilities in MLC NAND Flash Memory Programming: Experimental Analysis, Exploits, and Mitigation Techniques (HPCA'17).

[16]

Chao-Rui Chang, Jan-Jan Wu, and Pangfeng Liu. 2011. An Empirical Study on Memory Sharing of Virtual Machines for Server Consolidation (ISPA'11).

Digital Library

[17]

Google. 2017. Android Low RAM Configuration. (2017). Retrieved 25.8.2017 from https://goo.gl/Rz4B6I

[18]

Abel Gordon, Nadav Amit, Nadav Har'El, Muli Ben-Yehuda, Alex Landau, Assaf Schuster, and Dan Tsafrir. 2012. ELI: Bare-metal Performance for I/O Virtualization (ASPLOS XVII).

Digital Library

[19]

Ben Gras, Kaveh Razavi, Erik Bosman, Herbert Bos, and Cristiano Giuffrida. 2017. ASLR on the Line: Practical Cache Attacks on the MMU (NDSS'17).

[20]

Daniel Gruss, Cementine Maurice, Anders Fogh, Moritz Lipp, and Stefan Mangard. 2016. Prefetch Side-Channel Attacks: Bypassing SMAP and Kernel ASLR (CCS'16).

Digital Library

[21]

Fan Guo, Yongkun Li, Yinlong Xu, Song Jiang, and John C. S. Lui. 2017. SmartMD: A High Performance Deduplication Engine with Mixed Pages (ATC'17).

Digital Library

[22]

Michael R. Hines, Umesh Deshpande, and Kartik Gopalan. 2009. Post-copy Live Migration of Virtual Machines (OSR'09).

Digital Library

[23]

Intel. 2017. Intel Clear Containers: Building a Virtualization Continuum. (2017). White paper.

[24]

Intel Corporation. 2016. Intel 64 and IA-32 Architectures Software Developer's Manual.

[25]

Gorka Irazoqui, Mehmet Sinan IncI, Thomas Eisenbarth, and Berk Sunar. 2015. Know Thy Neighbor: Crypto Library Detection in Cloud (PETS'15).

[26]

Samira Khan, Donghyuk Lee, and Onur Mutlu. 2016. PARBOR: An Efficient System-Level Technique to Detect Data-Dependent Failures in DRAM (DSN'16).

[27]

Yoongu Kim, Ross Daly, Jeremie Kim, Chris Fallin, Ji Hye Lee, Donghyuk Lee, Chris Wilkerson, Konrad Lai, and Onur Mutlu. 2014. Flipping Bits in Memory Without Accessing Them: An Experimental Study of DRAM Disturbance Errors (ISCA'14).

Digital Library

[28]

David Kohlbrenner and Hovav Shacham. 2016. Trusted Browsers for Uncertain Times (SEC'16).

[29]

Youngjin Kwon, Hangchen Yu, Simon Peter, Christopher J. Rossbach, and Emmett Witchel. 2016. Coordinated and Efficient Huge Page Management with Ingens (OSDI'16).

Digital Library

[30]

Fangfei Liu, Yuval Yarom, Qian Ge, Gernot Heiser, and Ruby B. Lee. 2015. Last-Level Cache Side-Channel Attacks are Practical (SP'15).

Digital Library

[31]

Robert Martin, John Demme, and Simha Sethumadhavan. 2012. Time-Warp: Rethinking Timekeeping and Performance Monitoring Mechanisms to Mitigate Side-channel Attacks (ISCA'12).

Digital Library

[32]

Yossef Oren, Vasileios P. Kemerlis, Simha Sethumadhavan, and Angelos D. Keromytis. 2015. The Spy in the Sandbox: Practical Cache Attacks in JavaScript and their Implications (CCS'15).

Digital Library

[33]

Dag Arne Osvik, Adi Shamir, and Eran Tromer. 2006. Cache Attacks and Countermeasures: The Case of AES (CT-RSA'06).

Digital Library

[34]

R. Owens and Weichao Wang. 2011. Non-Interactive OS Fingerprinting Through Memory De-Duplication Technique in Virtual Machines (IPCCC'11).

Digital Library

[35]

PaX Team. 2003. Address Space Layout Randomization. Phrack, March 2003.

[36]

Mathias Payer. 2016. HexPADS: A Platform to Detect "Stealth" Attacks (ESSoS'16).

Digital Library

[37]

Kaveh Razavi, Ben Gras, Erik Bosman, Bart Preneel, Cristiano Giuffrida, and Herbert Bos. 2016. Flip Feng Shui: Hammering a Needle in the Software Stack (SEC'16).

[38]

Mark Seaborn. 2015. Exploiting the DRAM Rowhammer Bug to Gain Kernel Privileges (BHUSA'15).

[39]

Kuniyasu Suzaki, Kengo Iijima, Toshiki Yagi, and Cyrille Artho. 2011. Memory Deduplication As a Threat to the Guest OS (EUROSEC'11).

Digital Library

[40]

Victor van der Veen, Yanick Fratantonio, Martina Lindorfer, Daniel Gruss, Clementine Maurice, Giovanni Vigna, Herbert Bos, Kaveh Razavi, and Cristiano Giuffrida. 2016. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms (CCS'16).

Digital Library

[41]

VMWare. 2015. Disallowing inter-Virtual Machine Transparent Page Sharing. (2015). Retrieved 25.8.2017 from https://goo.gl/uH0zNP

[42]

Mark Wagner. 2011. KVM Performance Improvements and Optimizations. KVM Forum (2011).

[43]

Jidong Xiao, Zhang Xu, Hai Huang, and Haining Wang. 2012. A Covert Channel Construction in a Virtualized Environment (CCS'12).

Digital Library

[44]

Yuval Yarom and Katrina Falkner. 2014. FLUSH+RELOAD: A High Resolution, Low Noise, L3 Cache Side-channel Attack (SEC'14).

Digital Library

[45]

Ziqiao Zhou, Michael K. Reiter, and Yinqian Zhang. 2016. A Software Approach to Defeating Side Channels in Last-Level Caches (CCS'16).

Digital Library

Cited By

Wang MZheng FLin JJiang FMa Y(2024)ZeroShield: Transparently Mitigating Code Page Sharing Attacks With Zero-Cost Stand-ByIEEE Transactions on Information Forensics and Security10.1109/TIFS.2024.343506219(7389-7403)Online publication date: 2024
https://doi.org/10.1109/TIFS.2024.3435062
Hou XBreier JHou XBreier J(2024)Practical Aspects of Physical AttacksCryptography and Embedded Systems Security10.1007/978-3-031-62205-2_6(433-446)Online publication date: 9-Aug-2024
https://doi.org/10.1007/978-3-031-62205-2_6
Kim SHan MBaek W(2024)MARF: A Memory-Aware CLFLUSH-Based Intra- and Inter-CPU Side-Channel AttackComputer Security – ESORICS 202310.1007/978-3-031-51479-1_7(120-140)Online publication date: 12-Jan-2024
https://doi.org/10.1007/978-3-031-51479-1_7
Show More Cited By

Index Terms

Secure Page Fusion with VUsion: https://www.vusec.net/projects/VUsion
1. Security and privacy
  1. Systems security
    1. Operating systems security

Recommendations

ANVIL: Software-Based Protection Against Next-Generation Rowhammer Attacks
ASPLOS'16

Ensuring the integrity and security of the memory system is critical. Recent studies have shown serious security concerns due to "rowhammer" attacks, where repeated accesses to a row of memory cause bit flips in adjacent rows. Recent work by Google's ...
ANVIL: Software-Based Protection Against Next-Generation Rowhammer Attacks
ASPLOS '16: Proceedings of the Twenty-First International Conference on Architectural Support for Programming Languages and Operating Systems

Ensuring the integrity and security of the memory system is critical. Recent studies have shown serious security concerns due to "rowhammer" attacks, where repeated accesses to a row of memory cause bit flips in adjacent rows. Recent work by Google's ...
ANVIL: Software-Based Protection Against Next-Generation Rowhammer Attacks
ASPLOS '16

Ensuring the integrity and security of the memory system is critical. Recent studies have shown serious security concerns due to "rowhammer" attacks, where repeated accesses to a row of memory cause bit flips in adjacent rows. Recent work by Google's ...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

SOSP '17: Proceedings of the 26th Symposium on Operating Systems Principles

October 2017

677 pages

ISBN:9781450350853

DOI:10.1145/3132747

Copyright © 2017 Owner/Author.

This work is licensed under a Creative Commons Attribution International 4.0 License.

Sponsors

SIGOPS: ACM Special Interest Group on Operating Systems
USENIX Assoc: USENIX Assoc

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 14 October 2017

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article
Research
Refereed limited

Conference

SOSP '17

Sponsor:

SIGOPS
USENIX Assoc

SOSP '17: ACM SIGOPS 26th Symposium on Operating Systems Principles

October 28, 2017

Shanghai, China

Acceptance Rates

Overall Acceptance Rate 131 of 716 submissions, 18%

Upcoming Conference

SOSP '24

Sponsor:
sigops

ACM SIGOPS 30th Symposium on Operating Systems Principles

November 5 - 8, 2024

Austin , TX , USA

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

13
Total Citations
View Citations
1,085
Total Downloads

Downloads (Last 12 months)39
Downloads (Last 6 weeks)1

Reflects downloads up to 09 Aug 2024

Other Metrics

View Author Metrics

Citations

Cited By

Wang MZheng FLin JJiang FMa Y(2024)ZeroShield: Transparently Mitigating Code Page Sharing Attacks With Zero-Cost Stand-ByIEEE Transactions on Information Forensics and Security10.1109/TIFS.2024.343506219(7389-7403)Online publication date: 2024
https://doi.org/10.1109/TIFS.2024.3435062
Hou XBreier JHou XBreier J(2024)Practical Aspects of Physical AttacksCryptography and Embedded Systems Security10.1007/978-3-031-62205-2_6(433-446)Online publication date: 9-Aug-2024
https://doi.org/10.1007/978-3-031-62205-2_6
Kim SHan MBaek W(2024)MARF: A Memory-Aware CLFLUSH-Based Intra- and Inter-CPU Side-Channel AttackComputer Security – ESORICS 202310.1007/978-3-031-51479-1_7(120-140)Online publication date: 12-Jan-2024
https://doi.org/10.1007/978-3-031-51479-1_7
Yan HCui C(2022)CacheHawkeye: Detecting Cache Side Channel Attacks Based on Memory EventsFuture Internet10.3390/fi1401002414:1(24)Online publication date: 8-Jan-2022
https://doi.org/10.3390/fi14010024
Barua APan LFaruque M(2022)BayesImposter: Bayesian Estimation Based.bss Imposter Attack on Industrial Control SystemsProceedings of the 38th Annual Computer Security Applications Conference10.1145/3564625.3564638(440-454)Online publication date: 5-Dec-2022
https://dl.acm.org/doi/10.1145/3564625.3564638
Branco RLee B(2022)Cache-related Hardware Capabilities and Their Impact on Information SecurityACM Computing Surveys10.1145/353496255:6(1-35)Online publication date: 29-Jun-2022
https://dl.acm.org/doi/10.1145/3534962
Breier JHou X(2022)How Practical Are Fault Injection Attacks, Really?IEEE Access10.1109/ACCESS.2022.321721210(113122-113130)Online publication date: 2022
https://doi.org/10.1109/ACCESS.2022.3217212
Karvandi MKhalaj Monfared SKiarostami MRahmati DGorgin S(2022)A TSX-Based KASLR Break: Bypassing UMIP and Descriptor-Table ExitingRisks and Security of Internet and Systems10.1007/978-3-031-02067-4_3(38-54)Online publication date: 9-Apr-2022
https://doi.org/10.1007/978-3-031-02067-4_3
Kurth MGras BAndriesse DGiuffrida CBos HRazavi K(2020): Practical Cache Attacks from the Network2020 IEEE Symposium on Security and Privacy (SP)10.1109/SP40000.2020.00082(20-38)Online publication date: May-2020
https://doi.org/10.1109/SP40000.2020.00082
Vano-Garcia FMarco-Gisbert H(2020)An Info-Leak Resistant Kernel Randomization for Virtualized SystemsIEEE Access10.1109/ACCESS.2020.30197748(161612-161629)Online publication date: 2020
https://doi.org/10.1109/ACCESS.2020.3019774
Show More Cited By

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents