
Security concerns around KSM

When using KSM (Kernel Same-page Mapping), if two completely identical pages of memory are owned by two completely isolated processes, for example, two virtual machines, will those pages be merged? Or will they remain separate due to the fact that each process is isolated from each other? I’m confused because the VMs boil down to a single process on the host, but it would seem like it’d be a rather significant issue if these pages were merged, so I assume they are kept separate?

I am also curious whether this would differ between VMs and containers?

In addition to the question of what will happen, in the event they are isolated, could that possibly be elaborated? I assume this is accomplished through the use of cgroups so that the two processes have their memory completely isolated, I would just like clarification on that.


Answer

Pages from different processes are merged, even and especially if they are owned by different VM instances. I say especially, because merging pages from different VMs provides the greatest effect that you can achieve by merging memory pages: It eliminates replication of a lot of library and kernel code that is identical in the VMs.

And this effect has already been used for a cache timing attack against the GnuPG 1.4.13 crypto library. The merged page containing the code of the GnuPG library was shared between two different VMs, and one VM was able to recover the key used by a crypto operation going on in the other. The attack was named “FLUSH+RELOAD” due to the processor instruction that was used to snoop the information.

Here is the link to the PDF describing the attack: https://eprint.iacr.org/2013/448.pdf
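Because the cross-VM exposure described in this answer depends on pages actually being merged, a host operator can check KSM's state from its sysfs counters. The following is an added example, not part of the original answer; the function names and output format are its own, and it assumes the standard `/sys/kernel/mm/ksm` layout (`run`, `pages_shared`, `pages_sharing`).

```shell
#!/bin/sh
# ksm_audit [DIR]: report KSM state from a sysfs-style directory.
# DIR defaults to the live host path; pass another directory to test.
# Returns 1 when merged pages exist, 0 otherwise.
ksm_audit() {
    dir=${1:-/sys/kernel/mm/ksm}
    if [ ! -r "$dir/run" ]; then
        echo "absent"      # kernel built without KSM, or path unreadable
        return 0
    fi
    run=$(cat "$dir/run")
    shared=$(cat "$dir/pages_shared" 2>/dev/null || echo 0)
    sharing=$(cat "$dir/pages_sharing" 2>/dev/null || echo 0)
    shared=${shared:-0}
    sharing=${sharing:-0}
    case "$run" in
        0) state=stopped ;;     # scanner stopped, merged pages kept
        1) state=running ;;     # ksmd is scanning and merging
        2) state=unmerging ;;   # scanner stopped, merged pages split again
        *) state=unknown ;;
    esac
    # run=0 only stops the scanner; pages merged earlier stay merged.
    # Exposure is therefore decided by pages_shared, not by run alone.
    if [ "$shared" -gt 0 ]; then
        echo "$state exposed shared=$shared sharing=$sharing"
        return 1
    fi
    echo "$state clean shared=0 sharing=$sharing"
    return 0
}

# Demo on constructed values (not taken from a real host): the scanner
# has been stopped, but previously merged pages are still shared.
ksm_audit_demo() {
    tmp=$(mktemp -d)
    echo 0    > "$tmp/run"
    echo 1200 > "$tmp/pages_shared"
    echo 5400 > "$tmp/pages_sharing"
    ksm_audit "$tmp" && rc=0 || rc=$?
    rm -rf "$tmp"
    return "$rc"
}
```

Calling `ksm_audit` with no argument inspects the live host. Writing `2` to `run` as root stops the scanner and splits the pages that are currently merged.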
