On Fri, May 25, 2018 at 11:07 AM Marcelo Araujo <araujobsdp...@gmail.com> wrote:
> 2018-05-25 16:05 GMT+08:00 Daniel Braniss <da...@cs.huji.ac.il>:
>> > On 25 May 2018, at 10:02, Darius Mihai <dariusmih...@gmail.com> wrote:
>> >
>> > On Fri, May 25, 2018 at 9:08 AM Daniel Braniss <da...@cs.huji.ac.il> wrote:
>> >
>> >> Hi,
>> >> I’m trying out bhyve with different setups, but mainly FreeBSD (11.2 and 12), and
>> >> was wondering if there is any way for the client to know who is hosting it?
>> >>
>> >> thanks,
>> >> danny
>> >
>> > Hi,
>> >
>> > What do you mean 'knowing who is hosting it?'
>> > If you mean obtaining information such as IP address or hostname of the
>> > host from inside the guest operating system, it should not be possible and
>> > is likely a security flaw if it were allowed by default.
>>
>> ok, so not by default, but is there a way?
>> i don’t know why this is a security flaw - maybe security by obscurity? in any case
>> since the client knows that it’s running as a bhyve client (hw.hv_vendor), again, if
>> this is also a security flaw, it could be set/reset when the client is being configured?

Not really security by obscurity. The virtual machine should be a standalone construct that leaks no outside information to a malicious entity (e.g., a compromised HTTP server that an attacker used to obtain root permissions on the virtual machine). That being said, some information (e.g., that the OS is running as a virtual machine) is required by specific drivers for virtual devices with increased performance (e.g., networking without vtnet is almost unusable; vtnet is a VirtIO device that declares a specific device number to the driver). This information is considered largely harmless, since you cannot obtain information on host IP address, name, hardware resources, host operating system version and applications, etc., but may require rework in the future if exploits based on it emerge.

>> thanks,
>> danny
>
> Maybe you can use virtio-console and bhyve-vm-goagent?
> https://github.com/freenas/bhyve-vm-goagent

I'm not sure about how this works; on the readme it says you can read guest information. If it is bidirectional, it is similar to the webserver idea I had in mind.

> Best,
>
>> > Operating systems should ideally be unable to determine even that the
>> > system is a virtual machine instead of a hardware based host; however since
>> > bhyve uses VirtIO devices and other virtualization mechanisms due to
>> > performance issues you are indeed able to determine that the OS is running
>> > in a virtual machine. More specific information should be impossible to
>> > obtain if not injected by the host (e.g., running a web server on the host
>> > with some information, adding a virtual block device with a configuration
>> > file, and so on).
>> >
>> > Darius
>
> --
> Marcelo Araujo (__)
> ara...@freebsd.org \\\'',)
> http://www.FreeBSD.org \/ \ ^
> Power To Server. .\. /_)

Darius
_______________________________________________
freebsd-virtualization@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-virtualization
To unsubscribe, send any mail to "freebsd-virtualization-unsubscr...@freebsd.org"
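As an added example (not part of this thread, and not bhyve's own tooling), the script below is what an administrator could run inside a FreeBSD guest to see exactly which hypervisor signals the kernel exposes: the hw.hv_vendor OID named above, plus kern.vm_guest. The vendor-signature strings in classify_hv_vendor are the CPUID leaf 0x40000000 signatures as FreeBSD publishes them and are my assumption for this illustration; confirm them against your kernel version. The report degrades gracefully where the OIDs are absent, which is also what a bare-metal host shows, and it illustrates the point made on the list: these OIDs identify a hypervisor family and nothing about the host's name, address or version.

```shell
#!/bin/sh
# Added example (not from the thread): report what a FreeBSD guest can learn
# about its hypervisor from the kernel. Assumes FreeBSD's hw.hv_vendor and
# kern.vm_guest sysctls; on other systems the report shows them as absent.

# Map the hypervisor vendor signature (as FreeBSD reports it in hw.hv_vendor)
# to a hypervisor family. The patterns are assumed values for this example.
# Empty input means no signature at all, which is what bare metal reports.
classify_hv_vendor() {
    case "$1" in
        "bhyve bhyve"*)   echo bhyve ;;
        "KVMKVMKVM"*)     echo kvm ;;
        "VMwareVMware"*)  echo vmware ;;
        "Microsoft Hv"*)  echo hyperv ;;
        "XenVMMXenVMM"*)  echo xen ;;
        "")               echo none ;;
        *)                echo unknown ;;
    esac
}

# Read a sysctl value, printing an empty string if the OID does not exist
# (e.g. on a non-FreeBSD system, or a kernel without that OID).
read_sysctl() {
    sysctl -n "$1" 2>/dev/null || true
}

# Print a short report. Only the hypervisor family is recoverable here; no
# host name, address or version comes from these OIDs.
guest_hv_report() {
    vendor=$(read_sysctl hw.hv_vendor)
    guest=$(read_sysctl kern.vm_guest)
    family=$(classify_hv_vendor "$vendor")
    printf 'hw.hv_vendor : %s\n' "${vendor:-<absent>}"
    printf 'kern.vm_guest: %s\n' "${guest:-<absent>}"
    printf 'hypervisor   : %s\n' "$family"
}

# Usage: run inside the guest; e.g. a bhyve guest prints "hypervisor   : bhyve".
guest_hv_report
```

Running this inside a bhyve guest shows the hypervisor family; running it on the host shows no signature, which is the expected boundary the thread describes.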