VMware Communities
UlyssesOfEpirus
Enthusiast
Enthusiast
‎01-10-2014 04:08 PM

Does the host wipe ram before giving it to a VM?

When a malware-free VM is shut down, it releases its ram to the host. The host can then give the same area of ram to another VM that carries malware.

Can the malware see the previous VM's data traces left in ram?  Or is ram wiped (filled with zeroes) before being given to a VM?

0 Kudos
7 Replies
weinstein5
Immortal
Immortal
‎01-10-2014 04:59 PM

All of VMware's hypersior do not allow 'cross contamination" of VMs being held in memory - each memory page is stored independently. Once a VM is shut down the memory is relaesed and even if there is fingerprint left since the VM us shut down the malware will not be able to infect the VM -

If you find this or any other answer useful please consider awarding points by marking the answer correct or helpful
0 Kudos
UlyssesOfEpirus
Enthusiast
Enthusiast
‎01-11-2014 09:42 AM

The second VM has been previously infected, we are not concerned with a spread of the infection but with the existing malware accessing private data that the first VM left in memory.

0 Kudos
weinstein5
Immortal
Immortal
‎01-11-2014 01:06 PM

If the first VM is shut down it will not be accessing memory and as I indicated there is no cross conatmination of memory between running VMs -

If you find this or any other answer useful please consider awarding points by marking the answer correct or helpful
0 Kudos
UlyssesOfEpirus
Enthusiast
Enthusiast
‎01-12-2014 03:59 AM

Are you implying no private data exists in the physical ram when the first VM has been shut down?

0 Kudos
weinstein5
Immortal
Immortal
‎01-12-2014 06:36 AM

Yes - once the VM is shut down the memory is released

If you find this or any other answer useful please consider awarding points by marking the answer correct or helpful
UlyssesOfEpirus
Enthusiast
Enthusiast
‎01-12-2014 01:12 PM

This is surprising to me because normal C applications using malloc() and free() in the host leave this data intact after they release the memory, which is taken advantage by certain malware trying to find out encryption keys after an encryption application has closed.

But not the vmware hypervisors?  Do you say that as a result of some study of the innards of the hypervisors, or is it just a general concept of release of memory you are familiar with?

0 Kudos
weinstein5
Immortal
Immortal
‎01-12-2014 06:24 PM

That is correct with a physical machine - in this case you have another layer - the virtual machine - which is assigned its memory - so when the irtual machine is shut down the VM memory is released back to the hypervisor ready to be used by other VMs or the Hypervisor itself -

If you find this or any other answer useful please consider awarding points by marking the answer correct or helpful
0 Kudos