The advent of virtualization technologies for commodity hardware has provided benefits with respect to managing large-scale computing resources for many clients with diverse needs, allowing various computing resources to be efficiently shared by multiple clients. For example, virtualization technologies may allow a single physical computing machine to be shared among multiple users by providing each user with one or more virtual machines hosted by the single physical computing machine, with each such virtual machine being a software simulation acting as a distinct logical computing system that provides users with the illusion that they are the sole operators and administrators of a given hardware computing resource. Furthermore, some virtualization technologies are capable of providing virtual resources that span two or more physical resources, such as a single virtual machine with multiple virtual processors that spans multiple distinct physical computing systems. With virtualization, the single physical computing device can create, maintain or delete virtual machines in a dynamic manner. In turn, users can request computer resources from a service provider and be provided with varying numbers of virtual machine resources on an “as needed” basis or at least on an “as requested” basis.
In virtualized computing environments and in local computing systems, system resources, including physical memory pages, are sometimes shared between processes or applications executing in the system. For example, in a local system, malicious applications that attempt to spy on other executing processes or applications might share physical memory pages with those other processes or applications by means of a shared library. In a virtualized environment, malicious applications might share physical memory pages with a targeted process or application by means of Kernel SamePage Merging (KSM), in which identical memory pages are shared between different processes or applications (and, in some cases, users).
By measuring the timing of accesses to main memory on shared pages, a malicious application can be used to detect whether a target memory area resides in a cache. This cache residency can be correlated with recent usage of data in the memory area in the system by one of the processes or applications that shares access to the target memory area. An attacking program can continuously flush relevant memory areas from the caches in the system and observe the timing of accesses to those memory areas, thereby monitoring the behavior of a target program. Such attacks are sometimes referred to as timing side-channel attacks.
Some existing systems, in an attempt to prevent a timing side-channel attack, disable page de-duplication in the operating environment entirely. However, for virtualized environments, page de-duplication might be a legitimate and useful thing to do. Some hypervisors perform page de-duplication by default, and it can be difficult to fully disable page de-duplication. For example, if multiple virtual machines are started based on the same base image on disk, there can be many pages shared between them without the hypervisor doing anything. Note that in some operating systems, it is not possible to be sure whether an underlying hypervisor is disabling page de-duplication only for particular pages or for the entire shared memory system unless this feature can be completely controlled in a manner that is visible to a security module or another privileged user process. Similarly, on a local machine, it might be extremely impractical (and/or prohibitively costly in terms of time and/or resources) to disable page de-duplication. For example, disabling page de-duplication means that each application executing on the local machine requires more memory, and application startup might be very slow because of the need to load all of the shared libraries for each application.
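As an added illustration that is not part of the original disclosure, the following Python example audits whether Kernel SamePage Merging is actually off on a Linux system, since stopping the merge daemon does not by itself undo pages that were already merged. It assumes the Linux KSM sysfs files `run`, `pages_shared` and `pages_sharing` under `/sys/kernel/mm/ksm`; the function names and sample values are constructed for this example, and the result describes only the kernel the check runs on, not an underlying hypervisor.

```python
import os
import tempfile

KSM_DIR = "/sys/kernel/mm/ksm"  # Linux KSM sysfs interface (assumed platform)

def read_int(directory, name):
    """Return the integer stored in a sysfs-style file, or None if unreadable."""
    try:
        with open(os.path.join(directory, name)) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return None

def ksm_status(directory=KSM_DIR):
    """Classify de-duplication state from the run switch and the page counters."""
    run = read_int(directory, "run")
    if run is None:
        return {"available": False, "merged_pages": 0, "extra_mappings": 0,
                "exposed": False,
                "finding": "KSM interface not present in this kernel"}
    shared = read_int(directory, "pages_shared") or 0    # distinct merged pages
    sharing = read_int(directory, "pages_sharing") or 0  # extra mappings of them
    if run == 1:
        finding = "ksmd is running: identical pages are being merged"
    elif shared > 0:
        # run=0 stops scanning but keeps pages that were already merged
        finding = "ksmd stopped, but %d merged pages remain (run=2 unmerges)" % shared
    else:
        finding = "ksmd stopped and no merged pages remain"
    return {"available": True, "merged_pages": shared, "extra_mappings": sharing,
            "exposed": run == 1 or shared > 0, "finding": finding}

def write_sample(directory, run, pages_shared, pages_sharing):
    """Create a constructed sysfs-like directory so the check runs offline."""
    for name, value in (("run", run), ("pages_shared", pages_shared),
                        ("pages_sharing", pages_sharing)):
        with open(os.path.join(directory, name), "w") as fh:
            fh.write("%d\n" % value)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as sample:
        # Constructed values: daemon stopped, earlier merges still in place.
        write_sample(sample, run=0, pages_shared=1200, pages_sharing=5400)
        print("sample:", ksm_status(sample)["finding"])
    print("host:  ", ksm_status()["finding"])
```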
While embodiments are described herein by way of example for several embodiments and illustrative drawings, those skilled in the art will recognize that the embodiments are not limited to the embodiments or drawings described. It should be understood that the drawings and detailed description thereto are not intended to limit embodiments to the particular form disclosed, but on the contrary, the intention is to cover all modifications, equivalents and alternatives falling within the spirit and scope as defined by the appended claims. The headings used herein are for organizational purposes only and are not meant to be used to limit the scope of the description or the claims. As used throughout this application, the word “may” is used in a permissive sense (i.e., meaning having the potential to), rather than the mandatory sense (i.e., meaning must). Similarly, the words “include,” “including,” and “includes” mean including, but not limited to.