[Whonix-devel] Fwd: Re: DRAMA countermeasures

bancfc at openmailbox.org
Wed Aug 24 13:34:53 CEST 2016



-------- Original Message --------
Subject: Re: DRAMA countermeasures
Date: 2016-08-23 20:18
From: bancfc at openmailbox.org
To: Daniel Gruss <gruss at tugraz.at>
Cc: peter.pessl at iaik.tugraz.at, clementine.maurice at iaik.tugraz.at, 
Stefan.Mangard at iaik.tugraz.at, whonix-devel at whonix.org

On 2016-08-23 10:12, Daniel Gruss wrote:
> On 23.08.2016 00:34, bancfc at openmailbox.org wrote:
>> Very neat attack. We are looking at the options for 
>> countermeasures.[1]
> 
> Thank You!
> 
>> Please feel free to correct me, the options are:
>> 
>> * Running stress-m2 in parallel
> 
> At least -m2, or even more, depending on the system. And I'm not
> convinced that will reliably prevent attacks. We have seen both the
> covert and side channel being able to work in the presence of some
> noise. Even if reliability goes down it might not make an attack
> impossible. And, stress -m 2 is rather expensive.

I see. Thanks for making this clear.

> 
>> * NUMA with non-interleaved memory combined with CPU pinning
> 
> Yes.
> 
>> I prefer option two because it's less resource intensive. However most
>> commodity (non-server) PCs have only a single NUMA node. Can this be
>> used meaningfully to prevent this attack?
> 
> Keeping tenants on different NUMA nodes with non-interleaved memory is
> effective to prevent the attack.
> 
> If the system has only a single NUMA node, it's more difficult.

Can you please go into more details on what can be done under such 
constraints?

> 
>> You don't have to but I'd appreciate if you give an example Libvirt
>> config [2] (for a system with 4 pCPUs one NUMA node) that defends
>> against DRAMA successfully.
> 
> Sorry, not much experience with libvirt ;)
> 
> Important part is that the VMs on the different CPUs cannot access
> memory of the other CPU. Then you prevent all cross-CPU DRAM attacks.

I am very new to NUMA in general so please overlook what I say if it's 
dumb -

Is there a concept of per-CPU memory boundaries within a single cell 
that can guarantee resource partitioning? Say 4GB RAM split among 4 CPUs 
- each CPU has a gig (which becomes the max limit we can safely 
assign per guest).


KVM supports memory locking so that not even the host can use the pages 
assigned to a VM. Can this help?

"When set and supported by the hypervisor, memory pages belonging to the 
domain will be locked in host's memory and the host will not be allowed 
to swap them out."

> 
> If you have any other questions, feel free to ask!

Thanks. I hope my questions aren't a bother :) I appreciate your 
feedback.

> 
> Cheers,
> Daniel
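
A libvirt domain XML fragment, added here as an illustration and not supplied by either correspondent, showing the layout Daniel describes on an assumed two-node host: every vCPU and the emulator thread pinned to one node's cores, guest memory bound strictly (non-interleaved) to that same node, and the `<locked/>` element the quoted libvirt sentence describes. The host layout (8 pCPUs, node 0 = cores 0-3, node 1 = cores 4-7), the domain name and the memory size are assumptions; this layout needs at least two NUMA nodes, which the single-node system in the question lacks.

```xml
<!-- Constructed example (not from the thread): one tenant confined to host
     NUMA node 1 on an assumed two-node host (node 0: cores 0-3, node 1: cores 4-7).
     A second tenant would use cpuset='0-3' and nodeset='0' instead. -->
<domain type='kvm'>
  <name>tenant-b</name>
  <memory unit='GiB'>2</memory>
  <currentMemory unit='GiB'>2</currentMemory>

  <!-- The behaviour quoted in the mail: guest pages are locked in host RAM and
       cannot be swapped out. Locking alone does not choose the NUMA node that
       backs the pages; that is the job of <numatune> below. -->
  <memoryBacking>
    <locked/>
  </memoryBacking>

  <!-- Static placement: vCPUs and the QEMU emulator thread may only run on the
       node-1 cores, so no thread of this guest ever executes on node 0. -->
  <vcpu placement='static' cpuset='4-7'>4</vcpu>
  <cputune>
    <vcpupin vcpu='0' cpuset='4'/>
    <vcpupin vcpu='1' cpuset='5'/>
    <vcpupin vcpu='2' cpuset='6'/>
    <vcpupin vcpu='3' cpuset='7'/>
    <emulatorpin cpuset='4-7'/>
  </cputune>

  <!-- mode='strict': guest memory is allocated from node 1 only; if node 1
       cannot satisfy the request the allocation fails instead of spilling
       onto node 0, so memory is never interleaved across nodes. -->
  <numatune>
    <memory mode='strict' nodeset='1'/>
  </numatune>

  <os>
    <type arch='x86_64' machine='pc'>hvm</type>
  </os>
  <cpu mode='host-passthrough'/>
  <devices>
    <!-- Disk, network and console definitions are site-specific and omitted. -->
    <emulator>/usr/bin/qemu-system-x86_64</emulator>
  </devices>
</domain>
```

The host's node-to-core mapping can be confirmed with `numactl --hardware` before choosing the cpuset and nodeset values, and `virsh numatune <domain>` shows the policy libvirt actually applied.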


More information about the Whonix-devel mailing list