Knowledge Base

The VMware Knowledge Base provides support solutions, error messages and troubleshooting guides
 
Search the VMware Knowledge Base (KB)   View by Article ID
 

Security considerations and disallowing inter-Virtual Machine Transparent Page Sharing (2080735)

Purpose

This article acknowledges the recent academic research that leverages Transparent Page Sharing (TPS) to gain unauthorized access to data under certain highly controlled conditions and documents VMware’s precautionary measure of restricting TPS to individual virtual machines by default in upcoming ESXi releases. At this time, VMware believes that the published information disclosure due to TPS between virtual machines is impractical in a real world deployment.
 
Published academic papers have demonstrated that by forcing a flush and reload of cache memory, it is possible to measure memory timings to try and determine an AES encryption key in use on another virtual machine running on the same physical processor of the host server if Transparent Page Sharing is enabled between the two virtual machines. This technique works only in a highly controlled system configured in a non-standard way that VMware believes would not be recreated in a production environment. .

Even though VMware believes information being disclosed in real world conditions is unrealistic, out of an abundance of caution upcoming ESXi Update releases will no longer enable TPS between Virtual Machines by default (TPS will still be utilized within individual VMs).

Below is further information on the changes to TPS and the new ways of managing TPS.

Details

Although VMware believes the risk of TPS being used to gather sensitive information is low, we strive to ensure that products ship with default settings that are as secure as possible. For this reason new TPS management options are being introduced and inter-Virtual Machine TPS will no longer be enabled by default in ESXi 5.5, 5.1, 5.0 Updates and inter-Virtual Machine TPS is not enabled by default as of ESXi 6.0. Administrators may revert to the previous behavior if they so wish.

The available Update releases are listed below. For more information on new management capabilities, see Additional Transparent Page Sharing management capabilities and new default settings (2097593).

Prior to the ESXi Update releases, VMware released ESXi patches that introduced the additional TPS management capabilities but did not change any default settings. The ESXi patch releases are:

Details on the additional TPS management capabilities for the ESXi patches are documented in Additional Transparent Page Sharing management capabilities in ESXi 5.5, 5.1, and 5.0 patches in Q4, 2014 (2091682).

Frequently Asked Questions

Where can I find more information on Transparent Page Sharing?

For more information on TPS, see Transparent Page Sharing (TPS) in hardware MMU systems (1021095).

Why is VMware disallowing inter-VM TPS in the ESXi Update releases?

Although VMware believes the risk of TPS being used to gather sensitive information is low, we strive to ensure that products ship with default settings that are as secure as possible.

Which ESXi releases will no longer allow inter-VM TPS by default?

ESXi 5.1U3 and future Update releases of ESXi 5.0 and 5.5.

Which ESXi patches will introduce the additional TPS management capabilities?

These ESXi patches introduce the additional TPS management capabilities:

Where are the additional TPS management capabilities documented?

For more information on additional TPS management capabilities, seeAdditional Transparent Page Sharing management capabilities in ESXi 5.5, 5.1, and 5.0 patches in Q4, 2014 (2091682) and  Additional Transparent Page Sharing management capabilities and new default settings in ESXi 5.5 Update 2d, ESXi 5.1 Update 3 and ESXi 5.0 Update 3d (2097593).

What will happen if TPS at the host level is switched off?

Disabling inter-Virtual Machine TPS may impact performance in environments that rely heavily on memory over-commitment. For more information on memory management techniques, see the ESXi and Virtual Machines section of the Performance Best Practices for VMware vSphere® 5.1 Guide.

Further, certain workloads such as VMware Horizon may achieve higher virtual machine consolidation ratios on ESXi hosts when TPS is enabled. For more information on memory considerations in Horizon environments, see the RAM Sizing Impact on Performance section of the View Architecture Planning Guide.

You should review the level of over-commitment before disabling inter-Virtual Machine TPS. The amount of inter-Virtual Machine TPS can be determined with the resxtop and esxtop command-line utilities. For more information, see the VMware vSphere 5.5 Documentation.

How can I prepare for the ESXi Update releases that no longer allow inter-Virtual Machine TPS by default?

VMware recommends monitoring your deployment's use of TPS before making any changes to the settings. For more information, see VMware ESXi 5.5, Patch ESXi550-201410401-BG: Updates esx-base (2087359).

How can inter-VM TPS be re-enabled after deploying the ESXi Update releases?

VMware Knowledge Base article Additional Transparent Page Sharing management capabilities in ESXi 5.5 patch October 16, 2014 and ESXi 5.1 and 5.0 patches in Q4, 2014 (2091682) documents how inter-Virtual Machine TPS can be re-enabled for all Virtual Machines and for groups of Virtual Machines.

What is the risk for information disclosure due to Transparent Page Sharing?

Currently, VMware believes that the risk of information disclosure described in the recent academic papers leveraging TPS between Virtual Machines is very small in real world conditions. The conditions under which the researchers were able to extract AES encryption keys are very specific and are unlikely to be present in a real world deployment.

What did the researchers find?

Published academic papers have demonstrated that by forcing a flush and reload of cache memory, it is possible to measure memory timings to determine an AES encryption key in use on another virtual machine running on the same physical processor of the host server if Transparent Page Sharing is enabled. This technique works only in a highly controlled environment using a non-standard configuration.

Is inter-process side channel leakage a new area of research?

Side channel attacks that exploit information leakage from resources shared between processes running on a common processor is an area of research that has been explored for several years. Although largely theoretical, techniques are continuously improving as researchers build on each other’s work. Although this is not a problem unique to VMware technology, VMware does work with the research community to ensure that the issues are fully understood and to implement mitigation into our products when appropriate.

What is the previously documented way of disabling Transparent Page Sharing that was present in this KB before?

VMware strongly suggests using the new, additional TPS management capabilities to disable TPS. The earlier documented procedure to disable inter-Virtual Machine TPS on ESX\ESXi hosts is as follows:

To disable inter-Virtual Machine TPS on ESX\ESXi hosts: 

  1. Log in to ESX\ESXi or vCenter Server using the vSphere Client.
  2. If connected to vCenter Server, select the relevant ESX\ESXi host.
  3. In the Configuration tab, click Advanced Settings under the software section.
  4. In the Advanced Settings window, click Mem.
  5. Look for Mem.ShareScanGHz and set the value to 0.
  6. Click OK.
  7. Perform one of the following to make the TPS changes effective immediately:
    • Migrate all the virtual machines to other host in cluster and back to original host.
    • Shutdown and power-on the virtual machines.

 How can I disable Transparent Page Sharing on ESX\ESXi 4.x?

Use the steps shown in the previous section To disable inter-Virtual Machine TPS on ESX\ESXi hosts:.

What do I need to do if I am using the disable inter-Virtual Machine TPS on ESX\ESXi hosts above?

Prior to enabling salting (for more information, see Additional Transparent Page Sharing management capabilities in ESXi 5.5, 5.1, and 5.0 patches in Q4, 2014 (2091682)), the value of Mem.ShareScanGHz must be set to its default value of 4.

Additional Information

To be alerted when this article is updated, click Subscribe to Document in the Actions box.

See Also

Request a Product Feature

To request a new product feature or to provide feedback on a VMware product, please visit the Request a Product Feature page.

Feedback

  • 21 Ratings

Did this article help you?
This article resolved my issue.
This article did not resolve my issue.
This article helped but additional information was required to resolve my issue.

What can we do to improve this information? (4000 or fewer characters)




Please enter the Captcha code before clicking Submit.
  • 21 Ratings
Actions
KB: