On 04/11/2011 11:25 AM, Stefan Hajnoczi wrote:
On Mon, Apr 11, 2011 at 4:27 PM, Anthony Liguori<anthony@xxxxxxxxxxxxx> wrote:
It's a deviation of a previously demonstrated attack where memory access
timing is used to guess memory content. This has been demonstrated in the
past to be a viable technique to reduce the keyspace of things like ssh keys
which makes attack a bit easier.
How can you reduce the key space by determining whether the guest has
arbitrary 4 KB data in physical memory?
I'm not sure that you can. But the way the cache timing attack worked
is that by doing a cache timing analysis in another process that's
sharing the cache with a process doing key generation, you can make
predictions about the paths taken by the key generation code which let's
you narrow down the key space.
Of course, even this is extremely hard to exploit because you need to
happen to be sharing a cache with something that's doing ssh key
generation, you have to know when it starts and when it ends, and you
have to know exactly what version of ssh is running. And even then,
it's just reduces the time needed to brute force. It still takes a long
time.
I think knowing whether a 4kb page is shared by some other guest in the
system is so little information that I don't see what you could
practically do with it that can't already be done via a cache timing attack.
Regards,
Anthony Liguori
Stefan
--
To unsubscribe from this list: send the line "unsubscribe kvm" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html