Software
0

Transparent Page Sharing Changes…

Just a heads up to say there are some changes in future vSphere releases to Transparent Page Sharing (TPS) to improve VM to VM security…

Academic research detailed possible hypervisor vulnerabilities associated with TPS, and VMware responded with guidance on how to disable TPS.

Up coming releases (5.1 Update 3 and others) of vSphere will be adding extra controls (salting mechanism) to TPS, combined with a new default setting that restricts TPS to individual VM’s.

  • The new salting mechanism allows administrators to control which VM’s share pages with each other.
  • The upcoming default will be such that VM’s do not share with each other and that a VM only shares with itself. This new behavior can be changed by the administrator and customers concerned about being able to overprovision can revert to the traditional TPS behavior.

As an example of the new TPS salting mechanism…

A hosting provider supporting one physical server that runs VM’s for both Company A and Company B. If the Administrator wanted to ensure there was no TPS between VM’s of different companies but there is TPS between VM’s of the same company, they could set the salt value for the Company A VMs to all be one value and the salt value for all the Company B VMs to be another. This effectively means that the group of Company A VMs would share among themselves and the group of Company B VMs would also share among themselves, but never the between Company A and Company B.

The two main KB’s that describe these changes to TPS are:

  • Security considerations and disallowing inter-Virtual Machine Transparent Page Sharing KB 2080735
  • Additional Transparent Page Sharing management capabilities KB 2091682

Point to note, TPS exposure is not a VMware specific issue… A Red Hat analysis of the problem at https://securityblog.redhat.com/2014/07/02/its-all-a-question-of-time-aes-timing-attacks-on-openssl/

Related Posts
NSX vSphere 6.1 now GA
VMware NSX vSphere 6.1 Announced at VMWorld…
NSX Multi-Hypervisor 4.2.0 is now GA