Now that we have learned what the Transparent Page Sharing (TPS) vulnerability is about, it's time to see how you can secure your environment. If you are not following this series, read the previous post about it first.
Everybody knows that TPS shares identical pages of memory among VMs running on the same host to save physical memory; that is called Inter-VM sharing. But only a few know that it also shares identical pages of memory within a single VM, called Intra-VM sharing.
To secure vSphere environments, VMware introduced the concept of Salting, which lets you control and manage the boundary of memory sharing among VMs.
To keep it simple, think of it as grouping: only VMs that are members of the same group (Salt) share pages of memory. This way you can group the VMs of the same client, customer or organizational unit without worrying that their memory will be shared with untrusted VMs.
Its behavior is ruled by the host's Advanced Setting Mem.ShareForceSalting.
This new capability was first introduced by the following patches:
- ESXi 5.5 Patch ESXi550-201410401-BG: Updates esx-base (2087359).
- ESXi 5.1 Patch ESXi510-201410401-BG: Updates esx-base (2084608).
- ESXi 5.0 Patch ESXi500-201410401-BG: Updates esx-base (2088883).
By default Mem.ShareForceSalting = 0, which means TPS works as it always has and memory is shared among all VMs on the host.
If you change Mem.ShareForceSalting = 1, then you enable Salting and memory is shared only among VMs of the same Salt group. (By default no VMs are joined together in the same Salt group, so no inter-VM sharing happens until you assign a salt.)
To make VMs belong to the same Salt group, and thus share memory among them, change the VM's Advanced Setting sched.mem.pshare.salt = "unique string" on each of them, using the same string for every VM in the group. Only equality of the string matters, so pick something meaningful such as the tenant name. The new salt is picked up when the VM is next powered on, not on a guest reboot.
Be aware that this default behavior will change starting with the following releases:
- ESXi 5.5 U2d planned for Q1, 2015.
- ESXi 5.1 U3 released on December 4, 2014.
- ESXi 5.0 U3d planned for Q1, 2015.
The default Salting behavior will be Mem.ShareForceSalting=2, which means salting is on out of the box: a VM without sched.mem.pshare.salt is salted with its own vc.uuid, so it shares pages only with itself (Intra-VM) and inter-VM sharing is off unless you deliberately assign salts.
It's important to notice that once you install those new builds the behavior of Mem.ShareForceSalting=1 changes as well: VMs that carry no Salt group information share memory with all the other VMs that also lack a salt, so the old open sharing returns for unsalted VMs.
Before this new capability the only way to disable TPS was to change the advanced setting Mem.ShareScanGHz from 4 (the default) to 0.
VMware strongly suggests using the new capability instead of this old method, so if you have made such an adjustment revert it from 0 back to 4 once salting is in place.
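The whole procedure above (check and set Mem.ShareForceSalting on the host, revert Mem.ShareScanGHz if it was used to disable TPS, and put the VMs of each tenant in their own Salt group) done with PowerCLI, as an added example that is not part of the original post or any VMware document. The vCenter address, host name, the tenantA-*/tenantB-* VM naming and the salt strings are assumptions for the example; the cmdlets and setting names are real PowerCLI and ESXi names.

```powershell
# Added example, not from the original post. Assumes VMware PowerCLI is installed,
# a vCenter at vcenter.example.com, an ESXi host esx01.example.com and VMs named
# tenantA-* / tenantB-*. All of those names are placeholders.
Connect-VIServer -Server vcenter.example.com

$vmhost = Get-VMHost -Name esx01.example.com

# 1. Check the current host-level salting mode:
#    0 = legacy TPS (all VMs share), 1 = honour sched.mem.pshare.salt,
#    2 = no salt set means the VM is salted with its vc.uuid (inter-VM sharing off).
Get-AdvancedSetting -Entity $vmhost -Name Mem.ShareForceSalting |
    Select-Object Name, Value

# 2. Enable salting. Mode 2 is the safe default: nothing shares across VMs
#    unless you explicitly give two VMs the same salt.
Get-AdvancedSetting -Entity $vmhost -Name Mem.ShareForceSalting |
    Set-AdvancedSetting -Value 2 -Confirm:$false

# 3. If TPS was disabled the old way, put Mem.ShareScanGHz back to its default of 4
#    so that Intra-VM sharing (and Inter-VM sharing inside a salt group) works again.
$scan = Get-AdvancedSetting -Entity $vmhost -Name Mem.ShareScanGHz
if ($scan.Value -eq 0) {
    $scan | Set-AdvancedSetting -Value 4 -Confirm:$false
}

# 4. Put every VM of one tenant in the same salt group. The salt string is arbitrary;
#    only equality between VMs matters. It is read at the next power-on of the VM
#    (a guest reboot is not enough).
$groups = @{
    'tenantA' = Get-VM -Name 'tenantA-*'
    'tenantB' = Get-VM -Name 'tenantB-*'
}
foreach ($salt in $groups.Keys) {
    foreach ($vm in $groups[$salt]) {
        $existing = Get-AdvancedSetting -Entity $vm -Name sched.mem.pshare.salt
        if ($existing) {
            $existing | Set-AdvancedSetting -Value $salt -Confirm:$false | Out-Null
        } else {
            New-AdvancedSetting -Entity $vm -Name sched.mem.pshare.salt -Value $salt -Confirm:$false | Out-Null
        }
    }
}

# 5. Audit: list every VM on the host with its salt, so you can see which VMs
#    can still share pages with each other. A VM with no salt is isolated under
#    mode 2 but would share with every other unsalted VM under mode 1.
Get-VM -Location $vmhost | ForEach-Object {
    $s = Get-AdvancedSetting -Entity $_ -Name sched.mem.pshare.salt
    [pscustomobject]@{
        VM         = $_.Name
        Salt       = if ($s) { $s.Value } else { '(none)' }
        PowerState = $_.PowerState
    }
} | Format-Table -AutoSize
```

Run the audit step before and after the change: any two VMs of different tenants that show the same salt, or that show no salt while the host is still in mode 1, are candidates for cross-VM page sharing and should be fixed before you consider the host secured.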
If you want to learn more about Salting behavior, check these VMware KBs:
- For the initial Salting behavior, see KB2091682.
- For the Salting behavior after the update bundles, see KB2097593.
See you guys.