Restrict hardware information to root

madaidan · May 6, 2019, 4:28pm

It seems that from this forum post that the guest can get information about the host’s hardware such as your CPU. I’ve also tested this on Virtualbox and the CPU is shown.

Would it make sense to restrict /proc/cpuinfo, lspci and some files in /sys to root?

Has anyone tested whether other hardware information is leaked? Like motherboards, network adapters, GPUs etc.

Motherboard information can be found by running

cat /sys/devices/virtual/dmi/id/board_{vendor,name,version}

Virtualbox doesn’t leak the motherboard information. I haven’t tested this on other hypervisors.

Certain hardware devices like audio controllers and SATA controllers can be found by running lspci. Virtualbox spoofs this info. I haven’t tested this on other hypervisors either.

Patrick · May 6, 2019, 7:43pm

This might make sense if it is possible.

This (change of default file permissions) should be reported as a bug or feature request upstream too (even if they don’t implement it - we benefit from their comments, perhaps would otherwise miss a good argument to not do this).

You suggested to hide from everyone but root, ok. (Edited)

Related, which was an attempt to hide hardware information even from root:

ticket on virtualbox hardware obfuscation - which was later reverted. The code is still here:

https://github.com/Whonix/Whonix/blob/3e174a96aa8852fd316901916c6bde8cc290bb61/build-steps.d/2600_create-vbox-vm#L172-L209

It could be enabled through an optional build parameter which would be easy to add but so far no one has asked for it.

ticket: remove attempts to hide CPU information from VM in VirtualBox

List here:

madaidan · May 6, 2019, 8:28pm

I meant to hide from everyone but root. It wouldn’t have anything to do with the actual hypervisors themselves but to do with the permissions on certain files. Hiding it from root as well would be good but it doesn’t seem possible on certain hypervisors so hiding it from regular users would be the next best thing.

Patrick · May 6, 2019, 8:37pm

I misspoke.

Fixed.

You suggested to hide from everyone but root, ok. (Edited)

madaidan · May 6, 2019, 9:18pm

What package would that be in? I’ll file a bug on their bug tracker.

Patrick · May 7, 2019, 11:04am

I don’t know, either https://www.virtualbox.org and/or https://bugzilla.kernel.org.

madaidan · May 7, 2019, 7:14pm

I’m about to file the bug but don’t know which category to put it in.

Which one should it be? “Other”?

Patrick · May 7, 2019, 7:16pm

Other sounds good. I hope it would be re-assigned if need be.

madaidan · May 7, 2019, 7:34pm

Just created it.

https://bugzilla.kernel.org/show_bug.cgi?id=203541

Patrick · May 7, 2019, 7:52pm

I am not sure sound quite feature request alike / request for change of defaults alike. Let’s see what they say.

Alternatively, subject:

prevent non-root users from viewing hardware information from /proc/cpuinfo, /bin/lspci and /sys

text:

possibility of this being an identifier

Not sure they care. Can we make this a security argument? Principle of least privilege? What’s the use case for non-root users to view hardware information?

madaidan · May 7, 2019, 7:58pm

Hardware information may be useful for an attacker to know what exploits in some firmware to use.

They could probably detect the firmware by seeing what modules are loaded though.

If your adversary is one with lots of resources then knowing the hardware may help in utilizing potential hardware backdoors. A bit extreme but seems possible.

xariv · May 8, 2019, 6:26am

I don’t believe I was not aware of that.
What’s the situation with Qubes and KVM?

Patrick · May 8, 2019, 7:42am

See:

madaidan · May 8, 2019, 7:34pm

From the comments,

KVM = Spoofed the CPU

Virtualbox = Failed to do that

Qubes = The most failure

I am not sure if anything has changed.

HulaHoop · May 8, 2019, 8:19pm

At the moment I pass thru all CPU flags from the host to the guest to allow the guest kernel spectre/meltdown protections to kick in. Restricting this info to root is a great step.

Also preventing unprivileged processes from enumerating info from /proc/pid does make it harder for rowhammer attacks:

Patrick · May 9, 2019, 12:01am

Protocol Leak and Fingerprinting Protection‎ needs update then?

HulaHoop · May 9, 2019, 1:40am

Yes though I need someone who doesn’t mind posting their CPU info on there. @nurmagoz can you please repeat the /proc/cpu tests and update the wiki?

nurmagoz · May 9, 2019, 4:10am

For all hyporvisors or kvm only ?

Patrick · May 9, 2019, 5:14am

KVM only.
VirtualBox when you get to it but I guess nothing changed.
In Qubes nothing changed either as far as I know.

madaidan · August 9, 2019, 1:48pm

Grsecurity had a feature that restricted access to /sys to root only. This would help hide most hardware information from ordinary users except information in /proc.

https://en.wikibooks.org/wiki/Grsecurity/Appendix/Grsecurity_and_PaX_Configuration_Options#Sysfs/debugfs_restriction

There is a pull request to linux-hardened that provides an equivalent to this but it has not been accepted yet.

github.com/anthraxx/linux-hardened

Add equivalent to GRKERNSEC_SYSFS_RESTRICT

Commit by

theLOICofFRANCE in [4.14 lts] Various hardening to be analysed.

anthraxx:4.14-lts ← theLOICofFRANCE:4.14-lts

This code is modified from Brad Spengler/PaX Team's code in the last public pat…ch of grsecurity/PaX based on my understanding of the code. Changes or omissions from the original code are mine and don't reflect the original grsecurity/PaX code. If you say Y here, sysfs (the pseudo-filesystem mounted at /sys) and any filesystem normally mounted under it (e.g. debugfs) will only be accessible by root. These filesystems generally provide access to hardware and debug information that isn't appropriate for unprivileged users of the system. Sysfs and debugfs have also become a large source of new vulnerabilities, ranging from infoleaks to local compromise. There has been very little oversight with an eye toward security involved in adding new exporters of information to these filesystems, so their use is discouraged. This option is equivalent to a chmod 0700 of the mount paths.

There was also a feature that hid a lot of information in /proc to non-root users. As far as I know, there is no equivalent to this in linux-hardened.

https://en.wikibooks.org/wiki/Grsecurity/Appendix/Grsecurity_and_PaX_Configuration_Options#Restrict_/proc_to_user_only