[Whonix-devel] Fwd: Re: DRAMA countermeasures
bancfc at openmailbox.org
Wed Aug 24 13:36:45 CEST 2016
-------- Original Message --------
Subject: Re: DRAMA countermeasures
Date: 2016-08-24 10:07
From: Daniel Gruss <gruss at tugraz.at>
To: bancfc at openmailbox.org
Cc: peter.pessl at iaik.tugraz.at, clementine.maurice at iaik.tugraz.at,
Stefan.Mangard at iaik.tugraz.at, whonix-devel at whonix.org
On 23.08.2016 19:18, bancfc at openmailbox.org wrote:
> Can you please go into more details on what can be done under such
> constraints?
Detection via performance counters could work... There is no work on
detecting DRAMA with performance counters yet, but maybe Anders Fogh's
blog post on the topic of detecting microarchitectural attacks with
performance counters is a good start:
http://dreamsofastone.blogspot.co.at/2015/11/detecting-stealth-mode-cache-attacks.html
> Is there a concept of per-CPU memory boundaries within a single cell
> that can guarantee resource partitioning? Say 4GB RAM split among 4
> CPUs - each CPU has a gig each (which becomes the max limit we can
> safely assign per guest)
I think hypervisors are aware of NUMA node memory. But I have no
experience with setting up hypervisors in such setups...
If a guest is only on one CPU and no other guest is on that CPU, the max
limit per guest is the amount of memory that is managed by the NUMA node
of the CPU. Typically you will have some setup like 4 channels with each
1 DIMM of 8GB RAM, 2 CPUs (each manages 2 channels in 1 NUMA node). Then
you can safely assign the lower 16GB to one CPU and the higher 16GB to
the other CPU. Then guests on different CPUs will be unable to attack
each other using DRAMA. But as far as I know, hypervisors are aware of
NUMA node memory and if you disable node interleaving, the hypervisor
should not even let you assign memory that exceeds the size of a NUMA
node.
> KVM supports memory locking so that not even the host can use the pages
> assigned to a VM. Can this help?:
>
> "When set and supported by the hypervisor, memory pages belonging to
> the domain will be locked in host's memory and the host will not be
> allowed to swap them out."
I'm not sure this is the right feature...
> Thanks. I hope my questions aren't a bother :) I appreciate your
> feedback.
No, thank you for your interest in our work ;)
Cheers,
Daniel
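
The NUMA partitioning rule from the reply above, as an added example that is not part of the original email: a Python check that each guest's pinned vCPUs stay inside one NUMA node, that its memory is bound to that node and fits in it, and that no node hosts two guests. The topology (two 16 GB nodes with four cores each), the guest names and the `check_plan` helper are constructed for illustration.

```python
# Added example. Topology and guests are constructed sample data.

def parse_cpulist(text):
    """Expand a Linux cpulist string such as '0-3,8' into a set of CPU ids."""
    cpus = set()
    for part in text.strip().split(","):
        lo, _, hi = part.partition("-")
        cpus.update(range(int(lo), int(hi or lo) + 1))
    return cpus

def check_plan(nodes, guests):
    """Return violations of the one-guest-per-NUMA-node partitioning rule."""
    problems, owner = [], {}
    for g in guests:
        pinned = parse_cpulist(g["cpus"])
        # A guest is confined only if every pinned CPU belongs to one node.
        home = [n for n, info in nodes.items()
                if pinned <= parse_cpulist(info["cpus"])]
        if not home:
            problems.append(f"{g['name']}: vCPUs {g['cpus']} span NUMA nodes")
            continue
        node = home[0]
        if g["mem_node"] != node:
            problems.append(f"{g['name']}: memory on node {g['mem_node']}, "
                            f"vCPUs on node {node}")
        # Node total is an upper bound; the host itself also needs memory.
        if g["mem_gb"] > nodes[node]["mem_gb"]:
            problems.append(f"{g['name']}: {g['mem_gb']} GB exceeds node {node}")
        if node in owner:
            problems.append(f"{g['name']}: shares node {node} with {owner[node]}")
        owner.setdefault(node, g["name"])
    return problems

# Constructed topology: 2 sockets, each one NUMA node with 2 x 8 GB DIMMs.
NODES = {0: {"cpus": "0-3", "mem_gb": 16}, 1: {"cpus": "4-7", "mem_gb": 16}}
GOOD = [{"name": "gw", "cpus": "0-3", "mem_node": 0, "mem_gb": 8},
        {"name": "ws", "cpus": "4-7", "mem_node": 1, "mem_gb": 16}]
BAD = [{"name": "gw", "cpus": "2-5", "mem_node": 0, "mem_gb": 8},
       {"name": "ws", "cpus": "4-7", "mem_node": 1, "mem_gb": 24},
       {"name": "extra", "cpus": "6", "mem_node": 1, "mem_gb": 4}]

if __name__ == "__main__":
    for label, plan in (("good", GOOD), ("bad", BAD)):
        print(label, check_plan(NODES, plan) or "OK")
```

On a Linux host the per-node values can be read from `/sys/devices/system/node/node*/cpulist` and `meminfo` instead of the constructed `NODES` table.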