Memory Deduplication as a Protective Factor in Virtualized Systems

Cited by: 2
Authors
Albalawi, Abdullah [1 ]
Vassilakis, Vassilios [1 ]
Calinescu, Radu [1 ]
Affiliations
[1] Univ York, Dept Comp Sci, York, N Yorkshire, England
Source
APPLIED CRYPTOGRAPHY AND NETWORK SECURITY WORKSHOPS, ACNS 2021 | 2021 / Volume 12809
Keywords
Side-channel attacks; Memory deduplication; Flush plus reload; Flush plus flush; SIDE-CHANNEL ATTACKS; CLOUD;
DOI
10.1007/978-3-030-81645-2_17
CLC number
TP [Automation technology, computer technology];
Discipline code
0812 ;
Abstract
We introduce a method for protection against a side-channel attack made possible by the use of a cloud-computing feature called memory deduplication. Memory deduplication improves the efficiency with which physical memory is used by the virtual machines (VMs) running on the same server by keeping in memory only one copy of the libraries and other software used by multiple VMs. However, deduplication also allows an attacker's VM to find out which memory locations (and thus which operations) a victim's VM uses, because those locations are cached and can be accessed faster than memory locations the victim has not used. To perform the attack, the malicious VM needs to execute an abnormal sequence of cache flushes; our new method detects this by monitoring memory locations associated with sensitive (e.g., encryption) operations and using logistic regression to identify the abnormal cached operations. Furthermore, by performing cache flushes of its own, our method disrupts the side channel, making it more difficult for the attacker to acquire useful information. The experiments we ran using the KVM hypervisor and Ubuntu 18.04 LTS VMs on both Debian 10 and CentOS physical servers show that our method can detect attacks with 99% accuracy, and can feed fake information to an attacker with a CPU overhead of between 2% and 8%.
Pages: 301 / 317
Page count: 17