Exploiting Memory Page Management in KSM for Remote Memory Deduplication Attack

In virtualized environments, modern operating systems take advantage of memory deduplication feature to efficiently manage physical memory. However, the adoption of this technique has given rise to memory deduplication attacks that disclose memory pages used by a victim VM. All these attacks rely on the latency of the memory write operation to distinguish deduplicated pages from other pages. While performing such attacks in a cross-VM attack scenario is relatively straightforward, implementing a remote memory deduplication attack is not trivial due to the limitations in issuing memory write requests to the desired physical page on the remote machine. In this paper, we present a novel memory deduplication attack that exploits the memory page management mechanism in Kernel Samepage Merging (KSM). Modern implementation of KSM enforces the maximum number of shared pages for performance reasons. Therefore, if the number of pages with the same content exceeds the maximum page limit, they can refer to different physical pages despite having the same content. We exploit this property by intentionally mapping the maximum number of pages, causing two physical pages with the same content to exist in the physical memory. Unlike the previous work, our attack measures the latency for the memory unmap operation to figure out the victim VM's memory page. This novel type of attack allows an attacker to infer other applications' memory pages, such as the Nginx web server, without relying on the memory write operation.