VM Fingerprinting - linking two or more locally compromised VMs to the same pseudonym

To hide hardware identifiers, we could add a hardware info permission to sandbox-app-launcher. Then, only apps users have chosen can access hardware identifiers like CPU information.

Perhaps such a feature could be implemented in sandbox-app-launcher (development discussion) which would be useful in case of buggy / misbehaving applications not accidentally DDoS’ing the host as well as compromised applications trying to benchmark the VM.

AppArmor supports rlimit rules we can set.

https://manpages.debian.org/buster/apparmor/apparmor.d.5.en.html#rlimit_rules

In sandbox-app-launcher, currently it only sets a 200 process limit to prevent fork bombs but we can restrict it further.

rlimit supports many types of restrictions.

https://manpages.debian.org/buster/manpages-dev/setrlimit.2.en.html

2 Likes
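The kind of per-process restriction setrlimit(2) offers, as an added example that is not part of the post or of sandbox-app-launcher: a launcher lowers the limits in the child before exec and three misbehaving children show how each limit is enforced. The limit values and the names `LIMITS`, `apply_limits` and `run_limited` are constructed for illustration.

```python
import resource
import subprocess
import sys

# (soft, hard) pairs. Constructed values for illustration, not the project's.
LIMITS = {
    resource.RLIMIT_NOFILE: (32, 32),                    # open file descriptors
    resource.RLIMIT_AS: (512 * 1024**2, 512 * 1024**2),  # address space, bytes
    resource.RLIMIT_CPU: (1, 2),  # CPU seconds: SIGXCPU at soft, SIGKILL at hard
}

def apply_limits():
    """Runs in the child after fork() and before exec()."""
    for res, (soft, hard) in LIMITS.items():
        cur_hard = resource.getrlimit(res)[1]
        if cur_hard != resource.RLIM_INFINITY:
            # An unprivileged process may only lower its hard limit.
            hard = min(hard, cur_hard)
            soft = min(soft, hard)
        resource.setrlimit(res, (soft, hard))

def run_limited(code):
    """Run Python source in a limited child; return (returncode, stdout)."""
    proc = subprocess.run([sys.executable, "-c", code], preexec_fn=apply_limits,
                          capture_output=True, text=True, timeout=30)
    return proc.returncode, proc.stdout.strip()

FD_HOG = """
import os
fds = []
try:
    while True:
        fds.append(os.open('/dev/null', os.O_RDONLY))
except OSError as e:
    print(e.errno, len(fds))
"""
MEM_HOG = """
try:
    bytearray(1024**3)
except MemoryError:
    print('MemoryError')
"""
CPU_HOG = "while True: pass"

if __name__ == "__main__":
    for name, code in (("nofile", FD_HOG), ("as", MEM_HOG), ("cpu", CPU_HOG)):
        print(name, run_limited(code))
```

The limits are inherited across fork and exec, so everything the launched application spawns stays under the same ceilings.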