Today VMware introduced additional capabilities to manage Transparent Page Sharing (TPS). This addition was prompted by recent academic research that leveraged TPS to gain unauthorized access to data under certain highly controlled conditions.

We also announced that starting in December with the next ESXi Update release, TPS among virtual machines will no longer be enabled by default. Even though we believe the security risk associated with enabling TPS is very low, VMware strives to be “secure by default” wherever possible.

The upcoming changes to the default TPS settings are explained in VMware Knowledge Base (KB) article 2080735. Documentation for the additional TPS management capabilities can be found in KB 2091682.

Customers are advised to review the usage of TPS in their environment (see KB 2091682) and plan for the upcoming ESXi Update releases which no longer have TPS between VM’s enabled by default. Note also that many systems utilize the hardware capabilities in modern processors to facilitate memory sharing which means large pages will be used. Due to this, TPS is likely not used except in situations where there is memory overcommitment, see KB 1021095 for further details.

We would like to thank Gorka Irazoqui, Mehmet Sinan Inci and the Vernam lab for working with VMware and sharing their side-channel research.

11/05 Update
The additional capabilities to manage Transparent Page Sharing are now available for ESXi 5.1, see KB 2091682.