Friday, January 30, 2015

Transparent Page Sharing Dilemma 2/2


Now that we have learned what the Transparent Page Sharing (TPS) vulnerability is about, it's time to see how you can secure your environment. If you are not following this series, read the previous blog post about it first.

Everybody knows that TPS shares identical pages of memory among VMs running on the same host to save physical memory; that is called Inter-VM sharing. But only a few know that it also shares identical pages of memory within a single VM, which is called Intra-VM sharing.

To secure vSphere environments, VMware introduced the concept of Salting, which controls the boundary of memory sharing among VMs.
To make it simple, think of it as grouping: only VMs that are members of the same group (Salt) share pages of memory. This way you can group the VMs of the same client, customer or organizational unit without worrying that their memory will be shared with untrusted VMs.
 


Its behavior is controlled by the host's advanced setting Mem.ShareForceSalting.

These new capabilities were first introduced by the following patches:

Up to the build releases above, the default Salting behavior looks like this:
By default Mem.ShareForceSalting = 0, which means TPS works as it always has and memory is shared among all VMs.
If you change Mem.ShareForceSalting = 1, you enable Salting and memory is shared only among VMs of the same Salt group. (By default no VMs are joined together in the same Salt group.)

To make VMs belong to the same Salt group, and so share memory among them, change the VM's advanced setting sched.mem.pshare.salt = "unique string", using the same string on every VM of that group.

Be aware that this default behavior will change starting with the following releases:
  • ESXi 5.5 U2d planned for Q1, 2015.
  • ESXi 5.1 U3 released on December 4, 2014.
  • ESXi 5.0 U3d planned for Q1, 2015.

The default Salting behavior will be Mem.ShareForceSalting=2.

It is important to notice that once you install those new builds, the behavior of Mem.ShareForceSalting=1 changes as well: if a VM has no Salt group configured, its memory will be shared among all other VMs.
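To make the three Mem.ShareForceSalting values and the pre/post-update difference concrete, here is an added example (not VMware's code and not from the original post) that reads the relevant key out of constructed .vmx fragments, works out which VMs on one host end up in the same sharing group, and flags any group that crosses a tenant boundary. The VM names, salts and tenant mapping are constructed; the modelling of value 0 and of value 1 on the original builds follows the post, while the modelling of value 1 on the updated builds (unsalted VMs fall into a common default group) and of value 2 (without an explicit salt the VM only shares pages with itself) follows KB2097593, which the post cites.

```python
"""Model of which VMs on one ESXi host can share pages under a given
Mem.ShareForceSalting value.  Constructed example, not VMware code."""
import re
from collections import defaultdict

SALT_KEY = "sched.mem.pshare.salt"

# Constructed .vmx fragments for five VMs on one host (not from a real environment).
SAMPLE_VMS = {
    "acme-web":   'displayName = "acme-web"\nsched.mem.pshare.salt = "acme"\n',
    "acme-db":    'displayName = "acme-db"\nsched.mem.pshare.salt = "acme"\n',
    "globex-app": 'displayName = "globex-app"\nsched.mem.pshare.salt = "globex"\n',
    "legacy-vm":  'displayName = "legacy-vm"\n',      # no salt configured
    "scratch-vm": 'displayName = "scratch-vm"\n',     # no salt configured
}
# Constructed ownership: the trust boundary TPS must not cross.
TENANT_OF = {"acme-web": "acme", "acme-db": "acme", "globex-app": "globex",
             "legacy-vm": "ops", "scratch-vm": "globex"}


def parse_vmx(text):
    """Parse key = "value" lines of a .vmx file into a dict."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r'\s*([\w.:-]+)\s*=\s*"(.*)"\s*$', line)
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg


def effective_salt(vmx, share_force_salting, updated_build):
    """Return the salt the host groups this VM under, or None when the VM
    shares pages only with itself (intra-VM)."""
    if share_force_salting == 0:
        return "0"                      # salting off: one group for every VM
    explicit = vmx.get(SALT_KEY)
    if share_force_salting == 1:
        if explicit is not None:
            return explicit
        # Original builds: an unsalted VM joins no group (per the post).
        # Updated builds: unsalted VMs get salt 0 and share among themselves
        # (per KB2097593).
        return "0" if updated_build else None
    if share_force_salting == 2:
        if explicit is not None:
            return explicit
        return None                     # salt defaults to vc.uuid: intra-VM only
    raise ValueError(f"unknown Mem.ShareForceSalting value {share_force_salting}")


def sharing_groups(vms, share_force_salting, updated_build):
    """Map each salt to the sorted names of the VMs that can share pages with each other."""
    groups = defaultdict(list)
    for name, text in vms.items():
        salt = effective_salt(parse_vmx(text), share_force_salting, updated_build)
        if salt is not None:
            groups[salt].append(name)
    return {salt: sorted(names) for salt, names in groups.items()}


def cross_tenant_groups(groups, tenant_of):
    """Salts whose group mixes VMs of different tenants: inter-VM sharing crosses a trust boundary."""
    return sorted(salt for salt, names in groups.items()
                  if len({tenant_of[n] for n in names}) > 1)


if __name__ == "__main__":
    for value in (0, 1, 2):
        for updated in (False, True):
            groups = sharing_groups(SAMPLE_VMS, value, updated)
            print(f"Mem.ShareForceSalting={value} updated_build={updated}: {groups}")
            print("  cross-tenant groups:", cross_tenant_groups(groups, TENANT_OF))
```

Running it shows why value 2 is the safe default: with 0 every VM lands in one group, with 1 on the updated builds the two unsalted VMs (owned by different tenants) share with each other, and only with 2 (or with 1 plus a salt on every VM) does no group cross a tenant boundary.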

Before this new capability, the only way to disable TPS was to change the advanced setting Mem.ShareScanGHz from 4 to 0.
VMware strongly suggests using the new capability instead of this old method, so if you have made that adjustment, revert it from 0 back to 4.

If you want to learn more about Salting behavior, check these VMware KB articles:
For the initial Salting behavior, see KB2091682.
For the Salting behavior after the update bundle, see KB2097593.
See you guys.


Who am I
I'm an IT specialist with over 15 years of experience, working from IT infrastructure to management products, with troubleshooting and project management skills in medium to large environments. Nowadays I'm working for VMware as a Consulting Architect, helping customers embrace the Cloud Era and make them successful on their journey. Despite the fact that I'm a VMware employee, these postings reflect my own opinion and do not represent VMware's position, strategies or opinions.
