[Whonix-devel] Fwd: Re: DRAMA countermeasures
bancfc at openmailbox.org
Wed Aug 24 13:34:53 CEST 2016
-------- Original Message --------
Subject: Re: DRAMA countermeasures
Date: 2016-08-23 20:18
From: bancfc at openmailbox.org
To: Daniel Gruss <gruss at tugraz.at>
Cc: peter.pessl at iaik.tugraz.at, clementine.maurice at iaik.tugraz.at,
Stefan.Mangard at iaik.tugraz.at, whonix-devel at whonix.org
On 2016-08-23 10:12, Daniel Gruss wrote:
> On 23.08.2016 00:34, bancfc at openmailbox.org wrote:
>> Very neat attack. We are looking at the options for
> Thank You!
>> Please feel free to correct me, the options are:
>> * Running stress-m2 in parallel
> At least -m2, or even more, depending on the system. And I'm not
> convinced that will reliably prevent attacks. We have seen both the
> covert and side channel being able to work in the presence of some
> noise. Even if reliability goes down it might not make an attack
> impossible. And, stress -m 2 is rather expensive.
I see. Thanks for making this clear.
>> * NUMA with non-interleaved memory combined with CPU pinning
>> I prefer option two because it's less resource intensive. However most
>> commodity (non-server) PCs have only a single NUMA node. Can this be
>> used meaningfully to prevent this attack?
> Keeping tenants on different NUMA nodes with non-interleaved memory is
> effective to prevent the attack.
> If the system has only a single NUMA node, it's more difficult.
Can you please go into more details on what can be done under such
>> You don't have to but I'd appreciate if you give an example Libvirt
>> config (for a system with 4 pCPUs one NUMA node) that defends
>> against DRAMA successfully.
> Sorry, not much experience with libvirt ;)
> Important part is that the VMs on the different CPUs cannot access
> memory of the other CPU. Then you prevent all cross-CPU DRAM attacks.
I am very new to NUMA in general so please overlook what I say if it's
Is there a concept of per-CPU memory boundaries within a single cell
that can guarantee resource partitioning? Say 4GB RAM split among 4 CPUs
- each CPU has a gig each (which becomes the max limit we can safely
assign per guest)
KVM supports memory locking so that not even the host can use the pages
assigned to a VM. Can this help?:
"When set and supported by the hypervisor, memory pages belonging to the
domain will be locked in host's memory and the host will not be allowed
to swap them out."
> If you have any other questions, feel free to ask!
Thanks. I hope my questions aren't a bother :) I appreciate your
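
For the case the quoted reply calls effective (tenants on different NUMA nodes with non-interleaved memory), the following added Python check, which is not part of the original thread, audits two libvirt domain definitions for that placement. The sample XML, the two-node host topology and all function names are constructed assumptions; it does not address the single-node case asked about above.

```python
import xml.etree.ElementTree as ET

# Constructed libvirt domain XML (not from the thread). Assumed host topology:
# two NUMA nodes, node 0 = pCPUs 0-1, node 1 = pCPUs 2-3.
NODE_CPUS = {0: {0, 1}, 1: {2, 3}}
DOMAIN = """<domain type='kvm'><name>{name}</name><vcpu placement='static'>2</vcpu>
  <cputune><vcpupin vcpu='0' cpuset='{c0}'/><vcpupin vcpu='1' cpuset='{c1}'/></cputune>
  <numatune><memory mode='{mode}' nodeset='{nodes}'/></numatune></domain>"""
TENANT_A = DOMAIN.format(name="tenant-a", c0="0", c1="1", mode="strict", nodes="0")
TENANT_B = DOMAIN.format(name="tenant-b", c0="2", c1="3", mode="strict", nodes="1")
TENANT_C = DOMAIN.format(name="tenant-c", c0="2", c1="3", mode="interleave", nodes="0-1")

def expand(spec):
    """Expand a libvirt list such as '0-1,3' into a set of ints ('^N' exclusions unsupported)."""
    ids = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids

def placement(xml_text):
    """Extract the NUMA memory policy and vCPU pinning of one domain."""
    dom = ET.fromstring(xml_text)
    mem = dom.find("./numatune/memory")
    pins = dom.findall("./cputune/vcpupin")
    return {
        "name": dom.findtext("name"),
        # libvirt treats a missing mode attribute as 'strict'
        "strict": mem is not None and mem.get("mode", "strict") == "strict",
        "nodes": expand(mem.get("nodeset")) if mem is not None and mem.get("nodeset") else set(),
        "cpus": set().union(*(expand(p.get("cpuset")) for p in pins)),
        "all_pinned": len(pins) == int(dom.findtext("vcpu")),
    }

def isolation_problems(xml_a, xml_b, node_cpus=NODE_CPUS):
    """List the reasons two tenants are not kept on separate NUMA nodes."""
    a, b = placement(xml_a), placement(xml_b)
    problems = []
    for d in (a, b):
        local = set().union(*(node_cpus.get(n, set()) for n in d["nodes"]))
        if not (d["strict"] and d["nodes"]):
            problems.append(f"{d['name']}: memory is not strictly bound to a node")
        if not d["all_pinned"] or not d["cpus"] <= local:
            problems.append(f"{d['name']}: vCPUs are not all pinned to its memory node")
    if a["nodes"] & b["nodes"]:
        problems.append(f"{a['name']} and {b['name']} share NUMA node(s)")
    return problems

if __name__ == "__main__":
    print(isolation_problems(TENANT_A, TENANT_B))
    print(isolation_problems(TENANT_A, TENANT_C))
```

The check covers vCPU pinning and guest memory policy only; emulator and I/O thread placement are not inspected.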