VMware finds new post-paranoia RAM-saving tricks


steven36

Transparent Page Sharing is now off by default, which means more memory may be needed

VMware is rejigging the way it shares memory among virtual machines, after turning off Transparent Page Sharing (TPS) because academics identified insecurities in the technology.

TPS allows virtual machines to make more efficient use of RAM, so that more VMs can run on a host. But as VMware acknowledged in December 2014, “recent academic research … have demonstrated that by forcing a flush and reload of cache memory, it is possible to measure memory timings to try and determine an AES encryption key in use on another virtual machine running on the same physical processor of the host server if Transparent Page Sharing is enabled between the two virtual machine's [sic]”.

VMware said “This technique works only in a highly controlled system configured in a non-standard way that VMware believes would not be recreated in a production environment” and “believes information being disclosed in real world conditions is unrealistic”. But because the company has a “secure by default” policy it has turned off TPS by default in its products, meaning it is now possible to share pages within a VM rather than among different VMs.

For those who keep TPS turned off, VMware admits “This may increase the amount of host memory required to support the same number of workloads”. Which is exactly the kind of thing VMware generally tries not to do.

For now, VMware's answer is a series of patches that bring “a new salting mechanism … to help TPS determine which memory pages can be shared.”

There's also a new PowerShell script that reports on memory use and requirements to help admins cope with the change and better allocate memory.

VMware's taken a punt here because if the potential for TPS-enabled danger is as remote as it says, it's given users a headache they almost certainly don't need. Or is it being admirably paranoid?

Source
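A simplified model of the trade-off the article describes, added here as an illustration; it is not VMware's code and not part of the original post. It assumes the host shares two pages only when their sharing keys match, with the key being page content alone before the change and (salt, content) after it; the VM names, salts and page contents are constructed.

```python
import hashlib
from collections import defaultdict
from itertools import combinations

PAGE_SIZE = 4096

def page(label=b""):
    """Constructed sample page: a label padded with zero bytes."""
    return label.ljust(PAGE_SIZE, b"\0")

# Constructed sample host: VM name -> (salt, guest pages).
# vm1 and vm3 were deliberately given the same salt; vm2 has its own.
VMS = {
    "vm1": ("salt-A", [page(), page(), page(b"common-lib"), page(b"vm1-data")]),
    "vm2": ("salt-B", [page(), page(), page(b"common-lib"), page(b"vm2-data")]),
    "vm3": ("salt-A", [page(), page(b"common-lib"), page(b"vm3-data")]),
}

def sharing_map(vms, salted):
    """Map each sharing key to the set of VMs backed by that physical page.

    Model assumption: a content hash stands in for the hypervisor's
    page comparison. With salted=True the salt is part of the key, so
    identical pages in VMs with different salts are never merged.
    """
    owners = defaultdict(set)
    for name, (salt, pages) in vms.items():
        for content in pages:
            digest = hashlib.sha256(content).digest()
            owners[(salt, digest) if salted else digest].add(name)
    return owners

def host_pages_needed(vms, salted):
    """Physical pages the host must keep resident for all guests."""
    return len(sharing_map(vms, salted))

def cross_vm_pairs(vms, salted):
    """VM pairs that end up sharing at least one physical page."""
    pairs = set()
    for names in sharing_map(vms, salted).values():
        pairs |= {frozenset(p) for p in combinations(sorted(names), 2)}
    return pairs

if __name__ == "__main__":
    for salted in (False, True):
        print("salted" if salted else "unsalted",
              host_pages_needed(VMS, salted),
              sorted(sorted(p) for p in cross_vm_pairs(VMS, salted)))
```

In this model, pages shared across VMs are the precondition for the cross-VM timing measurement quoted in the article, so the pairs returned by `cross_vm_pairs` are the exposure an admin accepts in exchange for the lower page count.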


The following comments are not targeted at the OP, but the article itself :)

So, we don't need to change anything then???

Another non-story masquerading as a story because someone in a lab was able to, in a controlled lab environment, create an exploit (that would never be used in real life).

Anyone else getting tired of these stories?

You don't think the public has a right to know when they may be using vulnerable software? I just share the news with others. Funny when Google made info like this public. Microsoft released a patch to fix it. Once the info is known then hackers can apply it in real life. Either we live in a world where there's very little info on vulnerabilities or we live in a world where there's too much info. There doesn't seem to be any middle ground. I'm afraid you will be hearing a whole lot more reports soon. They're trying to make it law in the US if you were hacked in a business you have to report it.

I know where you're coming from and I appreciate the heads up. Like I said, nothing against you at all, and it still helps to be aware, but not alarmed :)

I'm just tired of exploits in labs stories panicking people, when the reality is these exploits will never be exploited in the real world outside the smock and glove room :)

Let me try and reassure you. When I used a virtual machine to compile your latest firewall firmware, I haven't browsed any websites whatsoever. Not even "secure" ones.

Archived

This topic is now archived and is closed to further replies.
