Attacking a co-hosted VM: A hacker, a hammer and two memory modules - Aissen
https://thisissecurity.stormshield.com/2017/10/19/attacking-co-hosted-vm-hacker-hammer-two-memory-modules/
======
AcerbicZero
VMware has been disabling their inter-VM memory deduplication (TPS) since 6.0
to avoid exactly these kinds of attacks. You can of course re-enable it, if
you want, and I've seen situations where its value far outpaced the potential
risk.

It also looks like ECC greatly reduces the potential for this to be exploited.

------
Animux
Doesn't this enable ksm, instead of disabling it like the article suggests?

    echo 1 > /sys/kernel/mm/ksm/run

~~~
Ne02ptzero
I think you're right. From the documentation [1]:

    set 0 to stop ksmd from running but keep merged pages,
    set 1 to run ksmd e.g. "echo 1 > /sys/kernel/mm/ksm/run",
    set 2 to stop ksmd and unmerge all pages currently merged,
        but leave mergeable areas registered for next run
    Default: 0 (must be changed to 1 to activate KSM,
               except if CONFIG_SYSFS is disabled)

[1]
[https://www.kernel.org/doc/Documentation/vm/ksm.txt](https://www.kernel.org/doc/Documentation/vm/ksm.txt)
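A defender's check that follows from the documentation quoted above, added here as an example and not code from the article or from the kernel docs: a POSIX sh audit script that reads the KSM sysfs nodes on a KVM host and reports whether guest pages can currently be merged. The function names (ksm_state, ksm_shared_pages, ksm_check, make_sample_ksm) are my own; the sample sysfs tree the script can build is constructed so it runs offline, while /sys/kernel/mm/ksm/run and pages_shared are the real nodes described in the quoted ksm.txt. One point the quoted values make that is easy to miss: run=0 keeps pages that were already merged, so the check also fails when pages_shared is nonzero; only run=2 unmerges them.

```shell
#!/bin/sh
# KSM (kernel samepage merging) audit for a KVM/QEMU host.
# Added example; not from the linked article or the kernel documentation.
# Function names are hypothetical. Pass a directory to audit a constructed
# sysfs tree offline; with no argument the real /sys/kernel/mm/ksm is used.

# ksm_state DIR: print "disabled", "merging", "unmerged", "unknown" or
# "unavailable" (no sysfs node, i.e. KSM not built into this kernel).
ksm_state() {
    dir="${1:-/sys/kernel/mm/ksm}"
    if [ ! -r "$dir/run" ]; then
        echo "unavailable"
        return 0
    fi
    case "$(cat "$dir/run")" in
        0) echo "disabled" ;;   # ksmd stopped, already-merged pages stay merged
        1) echo "merging" ;;    # ksmd running: cross-guest dedup is active
        2) echo "unmerged" ;;   # ksmd stopped and all merged pages split again
        *) echo "unknown" ;;
    esac
}

# ksm_shared_pages DIR: physical pages currently shared (pages_shared),
# or 0 when the counter does not exist.
ksm_shared_pages() {
    dir="${1:-/sys/kernel/mm/ksm}"
    if [ -r "$dir/pages_shared" ]; then
        cat "$dir/pages_shared"
    else
        echo 0
    fi
}

# ksm_check DIR: exit 0 when no guest can share a physical page with
# another, 1 otherwise. Prints a one-line verdict for a compliance log.
ksm_check() {
    dir="${1:-/sys/kernel/mm/ksm}"
    state=$(ksm_state "$dir")
    shared=$(ksm_shared_pages "$dir")
    if [ "$state" = "merging" ] || [ "$shared" -gt 0 ]; then
        echo "FAIL: ksm run=$state pages_shared=$shared (guests may share physical pages)"
        return 1
    fi
    echo "OK: ksm run=$state pages_shared=$shared"
    return 0
}

# make_sample_ksm RUN PAGES_SHARED: build a constructed sysfs-like tree in a
# temp directory (test fixture only, not a real host) and print its path.
make_sample_ksm() {
    d=$(mktemp -d)
    printf '%s\n' "$1" > "$d/run"
    printf '%s\n' "$2" > "$d/pages_shared"
    echo "$d"
}

# Usage on a real host:  sh ksm_audit.sh --audit
if [ "${1:-}" = "--audit" ]; then
    ksm_check
fi
```

Run it with --audit on the hypervisor itself; a non-zero exit from ksm_check is the signal to either stop using KSM for untrusted tenants or to confine merging with per-VM controls such as the madvise(MADV_UNMERGEABLE) path the same document describes.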

------
gabriel34
Is ECC memory enough to counter this?

~~~
CalChris
Similarly, is doubling the DRAM refresh rate still sufficient?

------
KGIII
Wouldn't the VM software itself using ASLR and running the VM in jails, such
as firejail for Linux, reduce the risks?

------
jperry
I hate this scroll jacking nonsense so much

~~~
tambourine_man
I mostly browse in Safari Reader mode. No hijacking, popup, dickbar, etc.
Looks and reads a lot better too.

~~~
dsr_
As soon as grey-on-white shows up, I tap the reader mode button. Firefox,
Safari, Chrome (via Just Read).

If that doesn't take care of it, they can't have wanted me to read it.

~~~
corobo
I hit the "DT" icon I put next to my address bar. Doesn't work on all elements
but if they're using <p> properly it'll make the text nice and dark

[https://chrome.google.com/webstore/detail/darken-text/kmonkh...](https://chrome.google.com/webstore/detail/darken-text/kmonkhbnghcmlhgbmlpagpapfomioidg?hl=en-US)

Definitely going to give that Just Read extension a go

------
benevol
TL;DR - Host on a VM, get hacked sooner or later.

~~~
amelius
That's not what the article says. The article says that with a specific
attack, one can change memory bits in running applications to which one should
not have access. This application could be a VM, or any other type of
application.

~~~
Confiks
I think the point of GP is rather that VPS shared hosting is ubiquitous, i.e.
"host on a shared machine, get hacked sooner or later".

~~~
jacquesm
I don't think that is a valid conclusion.

This is a pretty sophisticated attack requiring a lot of stuff to fall into
place (such as being provisioned on the same machine as the target), and even
though it is technically quite impressive I doubt it is a frequent enough
occurrence that you could conclude that if you host on a shared machine you're
going to get hacked sooner or later.

The chances of being hacked through some simpler and more direct vector are a
lot larger.

~~~
benevol
You're assuming targeted hacking. I'm not - lots of people hunt for machines
to add to their botnets.

~~~
jacquesm
Yes, and even in that case the best approach would be to pluck the low hanging
fruit, of which there is plenty.

Even botnet operators are aiming for the best ROI they can get.

------
jarym
All of this stuff coming to light and all while organisations are moving
sensitive data into the cloud. Ouch.

~~~
bevax
On-premise, with or without VMs, does not save you from rowhammer, however.
That's just another use case, and not really surprising. Since you can modify
RAM, there aren't borders really.

~~~
_jal
True, but at least in the general case you control your adjacent VMs.

~~~
jarym
Exactly, it's easy to get a VM on any of the major platforms and poke around to
see what might be going on in the same host as you.

~~~
benevol
At least one of the big hosters even lets you have VMs for free for a couple
of days (you get your money back if you cancel). That's more than enough time
for an automated process to check out tons of VMs (to add to your botnet) for
free.
