I’ve been giving this feature some thought, mostly because it’s going to be used by default in the future Whonix host you are working on. I think it would be better if it’s not enabled by default, here’s why:
The security assumption about virtual environments is that each VM is a completely isolated instance that knows nothing about what’s happening outside it. The subject of this paper, which we’ve discussed before, https://staff.aist.go.jp/c.artho/papers/EuroSec2011-suzaki.pdf , poses a privacy problem for an isolated multi-workstation setup.
In a single workstation to gateway use case, KSM isn’t problematic because technically, nothing going on on the gateway, even if known, would endanger privacy. However, should someone run multiple workstation VMs, each with its own internal network for isolation, then with KSM all similar activities or processes running in the other VMs would register to an attacker who has compromised one of them. For example, that the same website has been visited in another VM too. This would allow cross-VM activity correlation - something too risky to allow IMHO.
It’s not really KSM’s fault but a common problem shared by using the equivalent feature on other hypervisors too.
The only concerning part:
4.3 Detection of Downloaded Files
The memory disclosure attack can also be applied to find an opened file on a victim’s VM. We have tried to detect a logo file when Firefox shows a home page. We confirmed that the Google logo file was detected if page caching is enabled on Firefox. When the page cache was set to 0, detection failed. If an attacker leads a victim to a malicious home page which includes an identifiable logo file, the attacker can detect the page view from the victim’s VM. This disclosure attack is dangerous because it detects a page view even if the network is encrypted by TLS/SSL. Especially in a multi-tenant data center, this attack is serious, because it does not violate any SLA statements on cloud computing.
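As an added example (not part of the post above or of the Whonix project’s own scripts), the following POSIX shell functions show how an operator of a Linux/KVM host checks whether KSM is merging guest pages and turns it off. They use the kernel’s standard sysfs interface under /sys/kernel/mm/ksm (the `run` attribute: 0 = stop the scanner but keep merged pages, 1 = run, 2 = stop and unmerge everything) and the `pages_sharing` counter. The KSM_SYSFS override is an assumption added so the functions can be exercised against a constructed directory without root; the default path is the real one.

```shell
#!/bin/sh
# Added example: inspect and disable Kernel Samepage Merging on a KVM host.
# KSM_SYSFS defaults to the real sysfs directory; it can be pointed at a
# constructed directory (hypothetical override, for testing without root).
KSM_SYSFS="${KSM_SYSFS:-/sys/kernel/mm/ksm}"

# Print one KSM sysfs attribute, or "missing" when the kernel lacks KSM/sysfs.
ksm_attr() {
    if [ -r "$KSM_SYSFS/$1" ]; then
        cat "$KSM_SYSFS/$1"
    else
        echo missing
    fi
}

# One-line status. pages_sharing counts guest pages currently backed by a
# page shared with another process/VM: the cross-VM correlation surface.
ksm_status() {
    run=$(ksm_attr run)
    sharing=$(ksm_attr pages_sharing)
    case "$run" in
        1)
            echo "active (pages_sharing=$sharing)"
            ;;
        0)
            # Scanner stopped, but pages merged earlier stay merged (and
            # stay observable through copy-on-write timing) until unmerged.
            if [ "$sharing" != "0" ] && [ "$sharing" != "missing" ]; then
                echo "stopped but $sharing pages still merged"
            else
                echo "stopped"
            fi
            ;;
        2)
            echo "stopped and unmerged"
            ;;
        *)
            echo "off (no KSM support)"
            ;;
    esac
}

# Disable KSM the way the post argues a privacy-focused host should:
# write 2, which stops ksmd AND unmerges already-shared pages, so existing
# guests stop sharing physical memory. Writing 0 would only stop future
# merging. Requires root on a real host.
ksm_disable() {
    echo 2 > "$KSM_SYSFS/run"
}

# Usage (as root):   . ./ksm.sh; ksm_status; ksm_disable; ksm_status
# Distributions that ship ksmtuned re-enable KSM at boot; also run
# "systemctl disable --now ksm ksmtuned" there, or set
# <memoryBacking><nosharepages/></memoryBacking> in each libvirt domain XML
# to opt individual guests out of merging.
```

The status check is worth keeping in a host hardening checklist: a `run` value of 0 is not enough, because pages that were merged before the scanner stopped remain shared, which is why the disable function writes 2.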