Friday, January 23, 2015

Transparent Page Sharing Dilemma 1/2

The big dilemma these days seems to be around disable or not disable Transparent Page Sharing (TPS), let me try through some light on the discussion.

Last year Worcester Polytechnic Institute released a paper called "Wait a minute ! A fast, cross-VM attack on AES", describing a vulnerability on vSphere environments.
In general, when  TPS is enable a user could flush the VM's memory and reload that memory from cache in order to gain an AES encryption key to use in a further attack.
As much as it sounds like Sci-Fi, it’s true. VMware has acknowledged that and even though believing  it's  very hard and unlikely to be successfully on an attack like that, they decided to take precautions about it, allowing us to disable TPS completely or adjusting it’s behavior a little bit (Next post I will cover how to adjust it)!

You might be asking yourself, what’s the impact of disabling TPS ?

Let’s cover that under 2 different aspects, security and performance.

- Security
Probably, on enterprises (private cloud) environments, all your VMs belong to the same company and you have a higher level of trust on your users, so enabling TPS would not be a big concern.
On the other hand, if you are a public cloud provider and you don’t know your users, disabling TPS will guarantee the isolation between them.

- Performance
 Since ESXi started to leverage Memory Large Pages, a looong time ago, TPS has not been making that difference on the majority of implementations anymore. Large Pages are hard to share among VMs, therefore you will notice a small utilization of it. But during memory contention periods, as one of it's memory reclamation techniques, the host breaks large pages into small pages, which are easy to share.
In summary, if your environment have high rates of overcommitment, then TPS is playing an importante role on your environment.

You can check if your system is a heavy user of TPS with esxtop.


Shared is the amount of memory of guest physical memory that is being shared.
Common is the amount of machine memory that is common across World(s).
Saving is the amount of machine memory that is saved due to page-sharing.


If you think reading that paper was boring, may be you can watch them explain it 
themselfes.




No comments:

Post a Comment

Who am I

My photo
I’m an IT specialist with over 15 years of experience, working from IT infrastructure to management products, troubleshooting and project management skills from medium to large environments. Nowadays I'm working for VMware as a Consulting Architect, helping customers to embrace the Cloud Era and make them successfully on their journey. Despite the fact I'm a VMware employee these postings reflect my own opinion and do not represents VMware's position, strategies or opinions.

Most Viewed Posts

Blog Archive