Restrict hardware information to root

madaidan · May 6, 2019, 4:28pm

It seems that from this forum post that the guest can get information about the host’s hardware such as your CPU. I’ve also tested this on Virtualbox and the CPU is shown.

Would it make sense to restrict /proc/cpuinfo, lspci and some files in /sys to root?

Has anyone tested whether other hardware information is leaked? Like motherboards, network adapters, GPUs etc.

Motherboard information can be found by running

cat /sys/devices/virtual/dmi/id/board_{vendor,name,version}

Virtualbox doesn’t leak the motherboard information. I haven’t tested this on other hypervisors.

Certain hardware devices like audio controllers and SATA controllers can be found by running lspci. Virtualbox spoofs this info. I haven’t tested this on other hypervisors either.

Patrick · May 6, 2019, 7:43pm

This might make sense if it is possible.

This (change of default file permissions) should be reported as a bug or feature request upstream too (even if they don’t implement it - we benefit from their comments, perhaps would otherwise miss a good argument to not do this).

You suggested to hide from everyone but root, ok. (Edited)

Related, which was an attempt to hide hardware information even from root:

ticket on virtualbox hardware obfuscation - which was later reverted. The code is still here:

github.com

Whonix/Whonix/blob/3e174a96aa8852fd316901916c6bde8cc290bb61/build-steps.d/2600_create-vbox-vm#L172-L209


hardware_obfuscation() {
   # This code is no longer in use!
   # remove attempts to hide CPU information from VM in VirtualBox
   # https://phabricator.whonix.org/T881
   # It could be enabled through an optional build option if there is interest.


   # Thanks to dumbmouse contributing this!
   # https://phabricator.whonix.org/T408#11595


   # Clear existing (not necessary for initial install)
   sudo $SUDO_OPTS vboxmanage modifyvm "$VMNAME" --cpuidremoveall


   # GenuineIntel
   sudo $SUDO_OPTS vboxmanage setextradata "$VMNAME" VBoxInternal/CPUM/HostCPUID/00000000/ebx 0x756e6547
   sudo $SUDO_OPTS vboxmanage setextradata "$VMNAME" VBoxInternal/CPUM/HostCPUID/00000000/ecx 0x6c65746e
   sudo $SUDO_OPTS vboxmanage setextradata "$VMNAME" VBoxInternal/CPUM/HostCPUID/00000000/edx 0x49656e69
   sudo $SUDO_OPTS vboxmanage setextradata "$VMNAME" VBoxInternal/CPUM/HostCPUID/80000000/ebx 0x756e6547
   sudo $SUDO_OPTS vboxmanage setextradata "$VMNAME" VBoxInternal/CPUM/HostCPUID/80000000/ecx 0x6c65746e
   sudo $SUDO_OPTS vboxmanage setextradata "$VMNAME" VBoxInternal/CPUM/HostCPUID/80000000/edx 0x49656e69

This file has been truncated. show original

It could be enabled through an optional build parameter which would be easy to add but so far no one has asked for it.

ticket: remove attempts to hide CPU information from VM in VirtualBox

List here:

madaidan · May 6, 2019, 8:28pm

I meant to hide from everyone but root. It wouldn’t have anything to do with the actual hypervisors themselves but to do with the permissions on certain files. Hiding it from root as well would be good but it doesn’t seem possible on certain hypervisors so hiding it from regular users would be the next best thing.

Patrick · May 6, 2019, 8:37pm

I misspoke.

Fixed.

You suggested to hide from everyone but root, ok. (Edited)

madaidan · May 6, 2019, 9:18pm

What package would that be in? I’ll file a bug on their bug tracker.

Patrick · May 7, 2019, 11:04am

I don’t know, either https://www.virtualbox.org and/or https://bugzilla.kernel.org.

madaidan · May 7, 2019, 7:14pm

I’m about to file the bug but don’t know which category to put it in.

Which one should it be? “Other”?

Patrick · May 7, 2019, 7:16pm

Other sounds good. I hope it would be re-assigned if need be.

madaidan · May 7, 2019, 7:34pm

Just created it.

https://bugzilla.kernel.org/show_bug.cgi?id=203541

Patrick · May 7, 2019, 7:52pm

I am not sure sound quite feature request alike / request for change of defaults alike. Let’s see what they say.

Alternatively, subject:

prevent non-root users from viewing hardware information from /proc/cpuinfo, /bin/lspci and /sys

text:

possibility of this being an identifier

Not sure they care. Can we make this a security argument? Principle of least privilege? What’s the use case for non-root users to view hardware information?

madaidan · May 7, 2019, 7:58pm

Hardware information may be useful for an attacker to know what exploits in some firmware to use.

They could probably detect the firmware by seeing what modules are loaded though.

If your adversary is one with lots of resources then knowing the hardware may help in utilizing potential hardware backdoors. A bit extreme but seems possible.

xariv · May 8, 2019, 6:26am

I don’t believe I was not aware of that.
What’s the situation with Qubes and KVM?

Patrick · May 8, 2019, 7:42am

See:

madaidan · May 8, 2019, 7:34pm

From the comments,

KVM = Spoofed the CPU

Virtualbox = Failed to do that

Qubes = The most failure

I am not sure if anything has changed.

HulaHoop · May 8, 2019, 8:19pm

At the moment I pass thru all CPU flags from the host to the guest to allow the guest kernel spectre/meltdown protections to kick in. Restricting this info to root is a great step.

Also preventing unprivileged processes from enumerating info from /proc/pid does make it harder for rowhammer attacks:

Patrick · May 9, 2019, 12:01am

https://www.whonix.org/wiki/Protocol-Leak-Protection_and_Fingerprinting-Protection needs update then?

HulaHoop · May 9, 2019, 1:40am

Yes though I need someone who doesn’t mind posting their CPU info on there. @TNT_BOM_BOM can you please repeat the /proc/cpu tests and update the wiki?

TNT_BOM_BOM · May 9, 2019, 4:10am

For all hyporvisors or kvm only ?

Patrick · May 9, 2019, 5:14am

KVM only.
VirtualBox when you get to it but I guess nothing changed.
In Qubes nothing changed either as far as I know.

madaidan · August 9, 2019, 1:48pm

Grsecurity had a feature that restricted access to /sys to root only. This would help hide most hardware information from ordinary users except information in /proc.

https://en.wikibooks.org/wiki/Grsecurity/Appendix/Grsecurity_and_PaX_Configuration_Options#Sysfs/debugfs_restriction

There is a pull request to linux-hardened that provides an equivalent to this but it has not been accepted yet.

There was also a feature that hid a lot of information in /proc to non-root users. As far as I know, there is no equivalent to this in linux-hardened.

https://en.wikibooks.org/wiki/Grsecurity/Appendix/Grsecurity_and_PaX_Configuration_Options#Restrict_/proc_to_user_only