Restrict hardware information to root

It seems from this forum post that the guest can get information about the host’s hardware such as your CPU. I’ve also tested this on VirtualBox and the CPU is shown.

Would it make sense to restrict /proc/cpuinfo, lspci and some files in /sys to root?

Has anyone tested whether other hardware information is leaked? Like motherboards, network adapters, GPUs etc.

Motherboard information can be found by running

cat /sys/devices/virtual/dmi/id/board_{vendor,name,version}

VirtualBox doesn’t leak the motherboard information. I haven’t tested this on other hypervisors.

Certain hardware devices like audio controllers and SATA controllers can be found by running lspci. VirtualBox spoofs this info. I haven’t tested this on other hypervisors either.

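As an added example (not code from this thread or from any project mentioned in it), here is a mode-bit audit of the files named in the post above. It also treats a file as restricted when a parent directory is closed to non-root users, as a root-only /sys would be. It assumes Linux with GNU stat; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: mode-bit audit of the hardware-information files named in the thread.
# Linux with GNU stat assumed; ACLs, LSM policy and mount options are not considered.

# other_bits PATH: print the "other" permission digit (0-7) of PATH.
other_bits() {
    mode=$(stat -c '%a' -- "$1" 2>/dev/null) || return 1
    printf '%s\n' "${mode#"${mode%?}"}"   # last octal digit of the mode
}

# exposed PATH [TOP]: 0 = users outside owner/group can read PATH (absolute path),
# 1 = restricted, 2 = PATH or an ancestor cannot be examined.
# Checks o+r on the file and o+x on every ancestor up to TOP (default /).
exposed() {
    p=$1 top=${2:-/}
    bits=$(other_bits "$p") || return 2
    [ $(( bits & 4 )) -ne 0 ] || return 1
    while :; do
        p=$(dirname -- "$p")
        bits=$(other_bits "$p") || return 2
        [ $(( bits & 1 )) -ne 0 ] || return 1   # directory not traversable
        case $p in /|.|"$top") return 0 ;; esac
    done
}

# audit PATH...: print one verdict line per path.
audit() {
    for f in "$@"; do
        if exposed "$f"; then
            echo "EXPOSED     $f"
        else
            case $? in
                1) echo "restricted  $f" ;;
                *) echo "unavailable $f" ;;
            esac
        fi
    done
}

dmi=/sys/devices/virtual/dmi/id
audit /proc/cpuinfo "$dmi/board_vendor" "$dmi/board_name" "$dmi/board_version"
```

Running it before and after a permission change shows which of these files a regular user could still open going by mode bits alone.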

This might make sense if it is possible.

This (change of default file permissions) should be reported as a bug or feature request upstream too (even if they don’t implement it - we benefit from their comments, perhaps would otherwise miss a good argument to not do this).

You suggested to hide from everyone but root, ok. (Edited)


Related, which was an attempt to hide hardware information even from root:

ticket on virtualbox hardware obfuscation - which was later reverted. The code is still here:

https://github.com/Whonix/Whonix/blob/3e174a96aa8852fd316901916c6bde8cc290bb61/build-steps.d/2600_create-vbox-vm#L172-L209

It could be enabled through an optional build parameter which would be easy to add but so far no one has asked for it.

ticket: remove attempts to hide CPU information from VM in VirtualBox

List here:


I meant to hide from everyone but root. It wouldn’t have anything to do with the actual hypervisors themselves but to do with the permissions on certain files. Hiding it from root as well would be good but it doesn’t seem possible on certain hypervisors so hiding it from regular users would be the next best thing.


I misspoke.

Fixed.

You suggested to hide from everyone but root, ok. (Edited)


What package would that be in? I’ll file a bug on their bug tracker.


I don’t know, either https://www.virtualbox.org and/or https://bugzilla.kernel.org.


I’m about to file the bug but don’t know which category to put it in.

Which one should it be? “Other”?


Other sounds good. I hope it would be re-assigned if need be.


Just created it.

https://bugzilla.kernel.org/show_bug.cgi?id=203541


I am not sure it sounds quite like a feature request / request for a change of defaults. Let’s see what they say.

Alternatively, subject:

prevent non-root users from viewing hardware information from /proc/cpuinfo, /bin/lspci and /sys

text:

possibility of this being an identifier

Not sure they care. Can we make this a security argument? Principle of least privilege? What’s the use case for non-root users to view hardware information?


Hardware information may be useful for an attacker to know what exploits in some firmware to use.

They could probably detect the firmware by seeing what modules are loaded though.

If your adversary is one with lots of resources then knowing the hardware may help in utilizing potential hardware backdoors. A bit extreme but seems possible.


I don’t believe I was not aware of that.
What’s the situation with Qubes and KVM?


See:


From the comments,

KVM = Spoofed the CPU ✅

VirtualBox = Failed to do that ✖

Qubes = The most failure ❌

I am not sure if anything has changed.

At the moment I pass thru all CPU flags from the host to the guest to allow the guest kernel spectre/meltdown protections to kick in. Restricting this info to root is a great step.

Also preventing unprivileged processes from enumerating info from /proc/pid does make it harder for rowhammer attacks:


Protocol Leak and Fingerprinting Protection needs update then?

Yes though I need someone who doesn’t mind posting their CPU info on there. @nurmagoz can you please repeat the /proc/cpu tests and update the wiki?


For all hypervisors or KVM only?


KVM only.
VirtualBox when you get to it but I guess nothing changed.
In Qubes nothing changed either as far as I know.


Grsecurity had a feature that restricted access to /sys to root only. This would help hide most hardware information from ordinary users except information in /proc.

https://en.wikibooks.org/wiki/Grsecurity/Appendix/Grsecurity_and_PaX_Configuration_Options#Sysfs/debugfs_restriction

There is a pull request to linux-hardened that provides an equivalent to this but it has not been accepted yet.

There was also a feature that hid a lot of information in /proc to non-root users. As far as I know, there is no equivalent to this in linux-hardened.

https://en.wikibooks.org/wiki/Grsecurity/Appendix/Grsecurity_and_PaX_Configuration_Options#Restrict_/proc_to_user_only
