Linux kernel maintainers have already implemented mitigations for VMScape by adding an Indirect Branch Prediction Barrier (IBPB) on every VMEXIT instruction, which happens when a guest executes a privileged instruction. Researchers found this mitigation introduces only marginal performance overhead in common scenarios.
“Most systems are vulnerable to some vBTI primitives,” the researchers noted. “Since VMScape solely impacts virtualized environments, systems that by no means run untrusted code in native VMs are not directly exploitable. However, given the widespread use of cloud providers, it’s probably that you rely on infrastructure running on vulnerable hardware.”
The Xen hypervisor is not affected by this issue, but the impact on other hypervisors that don’t rely on KVM, such as Microsoft Hyper-V, VMware, or VirtualBox, remains unclear. The researchers disclosed their findings to AMD, Intel, and the Linux kernel maintainers responsible for KVM.