p55 has a nice explanation of how AVX instructions affect power and clock rate, followed by a timing channel built on it. Encourages people to try it between VMs. I wonder if anyone filed this as a vulnerability yet. They knew one container or VM using it can drag others down by 2018.
This is why virtualization is not meant to be used with security-sensitive applications. If your application or system needs increased security, but needs to be split across multiple environments, best to stick with multiple physical systems.
Oh, I agree! People keep getting tricked by these companies pushing clouds and desktop VMs into thinking otherwise. This one might be caught in detection. Due to binary obfuscations, gotta build from source followed by a scan to check. Many of the attacks aren’t easy to scan for in apps that don’t include necessary information to aid analysis. So, it’s a gamble or use physical separation.
That said, physical separation has its own risks when sharing happens. There are much stronger techniques available for controlled sharing, though. A high-security KVM and guard are both easier to make than turning an x86 CPU + graphics stack into a secure, multi-tenant box.