Timesync Disabling Attack & KVM Countermeasures

libvirt can be told to ignore a guest’s request for restart. The actual action would be a silent shutdown. Same for when a crash happens, libvirt would just leave the machine in its shutdown state instead of booting it again.

This all hinges on what you think about the attack I described earlier. Should we just advise people not to do things on their host that would leak timestamps? Like browsing for instance. From what I got from the wiki, this is the only thing done on a Linux host that could leak this information.

Patrick, any comment on this so I know how to proceed?
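
The libvirt setting described in the post above, as an added example that is not part of the original thread: a small audit of a domain definition's `<on_reboot>` and `<on_crash>` lifecycle elements, which libvirt's domain XML uses for this, plus a rewrite that sets both to `destroy`. The sample domain, its guest name and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Policy from the post above: a guest reboot request or a crash must leave
# the VM powered off instead of starting it again.
WANTED = {"on_reboot": "destroy", "on_crash": "destroy"}

# Constructed sample domain definition (hypothetical guest name).
SAMPLE_DOMAIN = """\
<domain type='kvm'>
  <name>example-workstation</name>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <devices/>
</domain>
"""

def audit_lifecycle(domain_xml):
    """Return {event: (configured_value_or_None, matches_policy)}."""
    root = ET.fromstring(domain_xml)
    report = {}
    for event, wanted in WANTED.items():
        node = root.find(event)
        value = node.text.strip() if node is not None and node.text else None
        # An unset element is reported as non-compliant so the policy is
        # always stated explicitly rather than left to a driver default.
        report[event] = (value, value == wanted)
    return report

def harden_lifecycle(domain_xml):
    """Return the domain XML with every policy event set explicitly."""
    root = ET.fromstring(domain_xml)
    for event, wanted in WANTED.items():
        node = root.find(event)
        if node is None:
            node = ET.SubElement(root, event)
        node.text = wanted
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    for event, (value, ok) in audit_lifecycle(SAMPLE_DOMAIN).items():
        status = "ok" if ok else "change to destroy"
        print(f"{event}: {value or 'unset'} -> {status}")
    print(harden_lifecycle(SAMPLE_DOMAIN))
```

The input can be the output of `virsh dumpxml` for a guest, and the resulting elements can be applied with `virsh edit`.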

By the way, you may also be interested to read my existing bug reports against The Tor Project:

Maybe you get some similar ideas then.

Some are related to time related attacks:

I don’t think that would be beneficial. Why would an adversary who compromised the machine want to restart? The adversary can just run arbitrary malicious code, see the whole VM desktop, log all VM keystrokes, (after root compromise) load kernel modules, kexec (=boot) to new kernel without reboot and so forth.

I don’t think Linux is more affected by this compared to other operating systems.

We don’t really know in which places time stamps are leaked. Browser TLS is one thing. Other updaters may leak this as well, especially on Windows.

We’re already advising this:
Tips on Remaining Anonymous.

Existing documentation that needs updating:

Not a very good way to enforce this.

corridor might help for this use case:

At the very least it contains code to extract Tor entry guards and to put them into an iptables firewall.

Just now posted a related feature request:

So some day at least there should be a host firewall we can advise using. Or even better, there should be a Whonix host operating system, that does this and other security related improvements.