VMware is rejigging the way it shares memory among virtual machines, after turning off Transparent Page Sharing (TPS) because academics identified insecurities in the technology.

TPS allows virtual machines to make more efficient use of RAM, so that more VMs can run on a host. But as VMware acknowledged in December 2014, “recent academic research …. … have demonstrated that by forcing a flush and reload of cache memory, it is possible to measure memory timings to try and determine an AES encryption key in use on another virtual machine running on the same physical processor of the host server if Transparent Page Sharing is enabled between the two virtual machine's [sic]”.

VMware said “This technique works only in a highly controlled system configured in a non-standard way that VMware believes would not be recreated in a production environment” and “believes information being disclosed in real world conditions is unrealistic”. But because the company has a “secure by default” policy it has turned off TPS by default in its products, meaning it is now possible to share pages within a VM rather than among different VMs.

For those who keep TPS turned off, VMware admits “This may increase the amount of host memory required to support the same number of workloads”. Which is exactly the kind of thing VMware generally tries not to do.

For now, VMware's answer is a series of patches that bring “a new salting mechanism … to help TPS determine which memory pages can be shared.”

There's also a new PowerShell script that reports on memory use and requirements to help admins cope with the change and better allocate memory.

VMware's taken a punt here because if the potential for TPS-enabled danger is as remote as it says, it's given users a headache they almost certainly don't need. Or is it being admirably paranoid? ®