Hi Stefan,

On Tue, Jul 10, 2018 at 9:40 PM, Stefan Hajnoczi <stefa...@gmail.com> wrote:
> Two things come to mind:
>
> At that point both guest kernel and agent address-space layout
> randomization (ASLR) is finished.  ASLR makes it harder for memory
> corruption bugs to lead to real exploits because the attacker does not
> know the full memory layout of the process.  Cloned VMs will not benefit
> from ASLR because much of the memory layout of the guest kernel and
> agent will be identical across all clones.
>
Yes, indeed. I am not arguing that ASLR is retained with VM
templating. Just that ASLR is also compromised if one wants to use KSM
to save memory by sharing among different guests. Kata is already
shipping with KSM components and we are adding VM templating as a
better alternative.

> Software random number generators have probably been initialized at this
> point.  This doesn't mean that all cloned VMs will produce the same
> sequence of random numbers since they should incorporate entropy sources
> or use hardware random number generators, but the quality of random
> numbers might be reduced.  Someone who knows random number generators
> should take a look at this.
>
As Andrea pointed out earlier in his comments, we can configure the
random number generator to printk a warning if it's being used at boot
before it had its "shutdown" state restored. Then we can add a new
kata-agent request to set the entropy and check for such a warning after a
new VM is cloned and before it is given to the user. This way, we are
guaranteed that the random numbers generated by each guest are created with
a different seed. Do you have other concerns with this method?

Cheers,
Tao
