Am Thu, 9 Jun 2016 09:18:40 +0100
David Chisnall <> schrieb:

> If this paper is the one that I think it is, then I was one of the reviewers. 
>  Their
> attack is neat, but it depends quite a lot on being able to deterministically 
> trigger
> deduplication.  Their proof-of-concept exploit was on Windows (and JavaScript 
> attack
> was really fun) and I’m not convinced that it would work reliably on Linux or 
> VMWare
> ESX, which both defer deduplication for as long as possible to avoid 
> NUMA-related
> overheads.
> We don’t currently have a FreeBSD implementation, but if someone wanted to 
> provide one
> then a defence against this attack would be fairly simple: count the number 
> of CoW
> faults that a process is receiving and if it reaches a certain threshold then 
> remove
> all of its memory from the set of eligible pages.  The attack relies on being 
> able to
> repeatedly trigger CoW faults and time whether they occur, with the same set 
> of pages.
> At least some existing implementations will make this impossible as these 
> pages will
> repeatedly be deduplicated and then duplicated and this is already a 
> pathological case
> that most memory deduplication implementations need to handle (as well as 
> being a
> security hole, it’s also a big performance killer).
> Kib has been working on ASLR for FreeBSD (I think it’s in 11?), but at this 
> point it’s
> more of a checkbox item than a serious mitigation technique.  It adds a 
> little bit of
> work for attackers, but there are so many attacks that can bypass ASLR even 
> with strong
> entropy that it just increases the work factor slightly.  If you’re running 
> code
> written in C, then you’re better off relying on Capscium compartmentalisation 
> to limit
> what the attacker can do once they’ve compromised it.
> David
> > On 8 Jun 2016, at 16:01, O. Hartmann <> wrote:
> > 
> > A couple of days I got as a responsible personell for a couple of systems a 
> > warning
> > about the vulnerabilities of the mechanism called "Kernel SamePage Mergin". 
> > On this
> > year's IEEE symposion there has been submitted a paper by Bosman et al., 
> > 2016,
> > describing an attack on KSM. This technique, also referred to as memory/page
> > deduplication, seems to be vulnerable by design under certain 
> > circumstances. I guess
> > the experts of the readers here do already know, but I consider myself a 
> > non-expert
> > and therefore, I'd like to ask about the status of that kind of development 
> > in
> > FreeBSD. I read about a project of last year's Google Summer of Code 2015 
> > targetting
> > KSM on FreeBSD.
> > 
> > In Linux, this deduplication techniques is implemented since kernel 2.6.38 
> > and Windows
> > Kernel uses this techniques since Windows 8.1 and sibblings (also Windows 
> > Server). We
> > were strongly advised to disable those "features" in Windows clients, 
> > servers and
> > Linux servers, if used.
> > 
> > Other papers describe successful attacks on memory contents and ASLR by 
> > misusing KSM.
> > On Windows, mmap() entropy is 19bit, on Linux usually 28bit. And FreeBSD (if
> > planned/used/already implemented?)? 
> > 
> > If you are interested I could provide links or PDFs of the papers I already 
> > gathered
> > about that subject (it is not much, simply google for "KSM FReeBSD" or KSM
> > deduplication ASLR).
> > 
> > Thanks in advance,
> > 
> > oh  

Hello David,

sorry for the lack of references. 

Bosman et al., 2016: doi: 10.1109/SP.2016.63
(, this paper has 
been subject
of a warning given to institutions.

An older one, but also interesting, is

Xiao et al., 2013: doi: 10.1109/DSN.2013.6575349

and this one 

Barresi et al., 2015 (

The first paper is of (my) concern, since it triggered some interests and 
couriosities of


Oliver Hartmann

Attachment: pgpAtW88lYTj2.pgp
Description: OpenPGP digital signature

Reply via email to