If this paper is the one that I think it is, then I was one of the reviewers.  
Their attack is neat, but it depends quite a lot on being able to 
deterministically trigger deduplication.  Their proof-of-concept exploit was on 
Windows (and JavaScript attack was really fun) and I’m not convinced that it 
would work reliably on Linux or VMWare ESX, which both defer deduplication for 
as long as possible to avoid NUMA-related overheads.

We don’t currently have a FreeBSD implementation, but if someone wanted to 
provide one then a defence against this attack would be fairly simple: count 
the number of CoW faults that a process is receiving and if it reaches a 
certain threshold then remove all of its memory from the set of eligible pages. 
 The attack relies on being able to repeatedly trigger CoW faults and time 
whether they occur, with the same set of pages.  At least some existing 
implementations will make this impossible as these pages will repeatedly be 
deduplicated and then duplicated and this is already a pathological case that 
most memory deduplication implementations need to handle (as well as being a 
security hole, it’s also a big performance killer).

Kib has been working on ASLR for FreeBSD (I think it’s in 11?), but at this 
point it’s more of a checkbox item than a serious mitigation technique.  It 
adds a little bit of work for attackers, but there are so many attacks that can 
bypass ASLR even with strong entropy that it just increases the work factor 
slightly.  If you’re running code written in C, then you’re better off relying 
on Capscium compartmentalisation to limit what the attacker can do once they’ve 
compromised it.

David

> On 8 Jun 2016, at 16:01, O. Hartmann <ohart...@zedat.fu-berlin.de> wrote:
> 
> A couple of days I got as a responsible personell for a couple of systems a 
> warning about
> the vulnerabilities of the mechanism called "Kernel SamePage Mergin". On this 
> year's IEEE
> symposion there has been submitted a paper by Bosman et al., 2016, describing 
> an attack
> on KSM. This technique, also referred to as memory/page deduplication, seems 
> to be
> vulnerable by design under certain circumstances. I guess the experts of the 
> readers here
> do already know, but I consider myself a non-expert and therefore, I'd like 
> to ask about
> the status of that kind of development in FreeBSD. I read about a project of 
> last year's
> Google Summer of Code 2015 targetting KSM on FreeBSD.
> 
> In Linux, this deduplication techniques is implemented since kernel 2.6.38 
> and Windows
> Kernel uses this techniques since Windows 8.1 and sibblings (also Windows 
> Server). We
> were strongly advised to disable those "features" in Windows clients, servers 
> and Linux
> servers, if used.
> 
> Other papers describe successful attacks on memory contents and ASLR by 
> misusing KSM. On
> Windows, mmap() entropy is 19bit, on Linux usually 28bit. And FreeBSD (if
> planned/used/already implemented?)? 
> 
> If you are interested I could provide links or PDFs of the papers I already 
> gathered
> about that subject (it is not much, simply google for "KSM FReeBSD" or KSM 
> deduplication
> ASLR).
> 
> Thanks in advance,
> 
> oh

Attachment: smime.p7s
Description: S/MIME cryptographic signature

Reply via email to