Virtual Machine Memory Page Deduplication Hack

17 Aug 2016

Memory page deduplication has been around for a number of years, but only now have security researchers from the Vrije Universiteit in Amsterdam found a way to abuse it. The attack applies where a virtual machine host runs two virtual machines side by side that share memory pages.

For this attack, known as Flip Feng Shui, both VMs need to hold a page of identical data; a Rowhammer attack is then performed. Rowhammer is a hack on the hardware itself, flipping bits in memory by causing capacitor errors.

Although the attack is difficult to achieve, it has been proven to work. The page-sharing feature it depends on can be turned off at the hypervisor level. On Linux hypervisors the feature is Kernel Samepage Merging (KSM); the VMware term is Transparent Page Sharing, and XenServer calls it Memory CoW (Copy on Write).
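One way to check and turn off KSM on a Linux hypervisor through the kernel's sysfs interface. This is an added example, not part of the original post; the function names `ksm_state` and `ksm_disable` are hypothetical, and the directory argument exists only so the functions can be pointed at a constructed copy of the sysfs files.

```shell
#!/bin/sh
# Added example: audit and disable Kernel Samepage Merging (KSM).
# The kernel exposes KSM controls under /sys/kernel/mm/ksm:
#   run            0 = ksmd stopped (already merged pages stay merged)
#                  1 = ksmd scanning and merging
#                  2 = ksmd stopped and all merged pages unmerged
#   pages_sharing  number of page mappings currently backed by a shared page

ksm_state() {
    dir="${1:-/sys/kernel/mm/ksm}"
    if [ ! -r "$dir/run" ]; then
        echo "absent"                      # kernel built without KSM support
        return 0
    fi
    run=$(cat "$dir/run")
    sharing=$(cat "$dir/pages_sharing" 2>/dev/null || echo 0)
    case "$run" in
        1) echo "active" ;;
        0) # Stopping the scanner does not undo earlier merges, so pages
           # may still be shared between guests.
           if [ "$sharing" -gt 0 ]; then
               echo "stopped-still-merged"
           else
               echo "disabled"
           fi ;;
        2) echo "disabled" ;;
        *) echo "unknown" ;;
    esac
}

ksm_disable() {
    dir="${1:-/sys/kernel/mm/ksm}"
    # Write 2, not 0: 2 stops ksmd and also breaks every existing shared
    # page back into private copies.
    echo 2 > "$dir/run"
}
```

Call `ksm_state` with no argument on the hypervisor to read the live setting; `ksm_disable` needs root, and a sysfs write does not persist across a reboot.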

The university has also demonstrated a similar hack on the Microsoft Edge browser, winning the Pwnie Award for Most Innovative Research on hacking at the Black Hat Conference in Las Vegas, April 2016. The Pwnie Award is known as the Oscar for hackers.

References:
http://www.theregister.co.uk/2016/08/12/vms_feng_shui_malware/
https://www.vu.nl/en/news-agenda/news/2016/jul-sep/new-hacking-technique-imperceptibly-changes-memory-virtual-servers.aspx
http://www.few.vu.nl/en/news-events/news-archive/2016/jul-sep/pwnie-award-for-most-innovative-research-on-hacking.aspx

Happy hacking,
Terry