VMware disables inter VM Transparent Page Sharing (TPS) for security reasons

This posting is ~8 years years old. You should keep this in mind. IT is a short living business. This information might be outdated.

This morning I discovered a tweet from Derek Seaman in my timeline, that caught my attention.

TPS stands for Transparent Page Sharing and it’s one of VMware memory management technologies. VMware ESX(i) uses four different technologies to manage host and guest memory resources (check VMware KB2017642 for more information). The preference increases from TPS to swapping.

  • Transparent page sharing (TPS)
  • Ballooning
  • Memory Compression
  • Swapping

TPS is a technology by which redundant copies of memory pages are eliminated. You can understand TPS like some kind of memory deduplication. The hypervisor scans the memory periodically for memory pages that could be possibly  shared. For each candidate memory page a hash is calculated and it’s saved in a hash table. If a second candidate page has the same hash, a full bit-by-bit comparison for both pages is triggered. If both memory pages are identical, only one page is saved and the other memory page is reclaimed. TPS is enabled by default and shows good results, especially if you were running a lot VMs with the same OS, like in VDI or terminal server environments.

With the advent of hardware-assisted memory virtualization systems, like Intel EPT or AMD RVI, VMware changed the behaviour of TPS and how guest memory is backed to physical memory. Guest memory was now backed with larger memory pages (2MB instead of 4KB ) for better performance. But 4 KB pages were still used if there were no 2 MB continuous memory, e.g. in case of memory overcommitment or memory fragmentation. Using 2 MB memory pages has advantages, for sure, but in perspective of TPS it has two disadvantage:

  • small chance to find two identical memory pages
  • the expense of a bit-by-bit comparison is at 2 MB pages incredibly much higher than with 4 KB pages

The punchline is, that with hardware-assisted memory virtualization systems, TPS is only actively used if the host is under memory pressure. But it is still there and working.

Safety over performance

Yesterday VMware published KB2080735 (Security considerations and disallowing inter-Virtual Machine Transparent Page Sharing). The purpose of this KB:

This article acknowledges the recent academic research that leverages Transparent Page Sharing (TPS) to gain unauthorized access to data under certain highly controlled conditions and documents VMware’s precautionary measure of no longer enabling TPS in upcoming ESXi releases. At this time, VMware believes that the published information disclosure due to TPS between virtual machines is impractical in a real world deployment.

Because of this, TPS will be disabled by default with the release of:

  • ESXi 5.5 Update release (Q1/ 2015)
  • ESXi 5.1 Update release (Q4/ 2014)
  • ESXi 5.0 Update release (Q1/ 2015)
  • The next major version of ESXi (ESXi 6.0)

Prior these updates VMware will release patches that introduce additional TPS management capabilities and that WILL NOT change the existing settings for inter VM TPS (check KB2091682). As stated in KB2080735, the planned ESXi patch releases are:

  • ESXi 5.5 Patch 3
  • ESXi 5.1
  • ESXi 5.0

The patches for ESXi 5.0 and 5.1 are planned for Q4/ 2014. For ESXi 5.5 a patch the patch is already available (ESXi550-201410401-BG).

My 2 cents

Several years ago, the deactivation of TPS would have been fatal. Today, and in consideration of “safety over performance”, I think it was the right decision. If your design heavily relies on TPS, then you maybe have a bad design. ;)

Also a good read:

Frank DennemanFuture direction of disabling TPS by default and its impact on capacity planning
Magnus AnderssonChanges in ESXi Transparent Page Sharing (TPS) behaviour
Kenneth van SurksumVMware decides to disable TPS in future ESXi releases by default
Marcel van den BergVMware wil disable Transparant Page Sharing by default in future ESXi releases
Andrea MauroBye bye Transparent Page Sharing
Chris WahlTransparent Page Sharing Vulnerable, Yet Largely Irrelevant

More will follow, ping me on Twitter if you found a good one!

5/5 - (3 votes)
Patrick Terlisten
Follow me

Leave a Reply

Your email address will not be published.