On 21/10/16 21:38, bancfc@xxxxxxxxxxxxxxx wrote:
> Cons:
> *Some unforeseen way malicious VM "X" can link activities of or
> influence traffic of VM "Y"
> **Maybe sending NEWNYM requests in a timed pattern that changes exit IPs
> of VM Y's traffic, revealing they are behind the same client?
> **Maybe eavesdropping on HSes running on VM Y's behalf?
> **Something else we are not aware of?

If each VM has full access to the control port, even something as simple as "SETCONF DisableNetwork" could be used for traffic confirmation.

ExcludeNodes, ExcludeExitNodes and MapAddress could be used to force another VM's traffic through certain nodes.

Bandwidth events could be used for traffic analysis of another VM's traffic.

ADDRMAP events look like they might leak information about the hosts another VM connects to. Likewise DANGEROUS_PORT leaks information about ports, HS_DESC about HS descriptor lookups.

I'm not sure if covert channels between two VMs (e.g. for exfiltration) are part of your threat model, but events would be a rich source of those too.

Cheers,
Michael
_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
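
One way to act on the concerns in the message above is an allowlist filter placed between each VM and the shared control port, denying the commands and events it names. This is an added example, not code from the thread or from Tor; `check_line`, the allowlisted GETINFO keys and the sample session are assumptions, and `STATUS_CLIENT` is listed because it is the event type that carries `DANGEROUS_PORT`.

```python
# Added example: per-line allowlist for Tor control-port commands from a VM.
# The allowlist contents and check_line() are illustrative assumptions.
ALLOWED_GETINFO = {"version", "status/circuit-established"}

# Items named in the message, mapped to the risk it describes.
RISKY_CONF = {
    "DISABLENETWORK": "traffic confirmation",
    "EXCLUDENODES": "forces another VM's traffic through certain nodes",
    "EXCLUDEEXITNODES": "forces another VM's traffic through certain nodes",
}
RISKY_EVENTS = {
    "BW": "traffic analysis of another VM's traffic",
    "ADDRMAP": "leaks hosts another VM connects to",
    "STATUS_CLIENT": "carries DANGEROUS_PORT, which leaks ports",
    "HS_DESC": "leaks HS descriptor lookups",
}

def check_line(line):
    """Return (allowed, reason) for one command line sent by a VM."""
    parts = line.strip().split()
    if not parts:
        return False, "empty line"
    cmd, args = parts[0].upper(), parts[1:]
    if cmd == "QUIT":
        return True, "allowlisted command"
    if cmd == "GETINFO":
        if args and all(a in ALLOWED_GETINFO for a in args):
            return True, "allowlisted GETINFO keys"
        return False, "GETINFO key not allowlisted"
    if cmd in ("SETCONF", "RESETCONF"):
        for a in args:
            key = a.split("=", 1)[0].upper()
            if key in RISKY_CONF:
                return False, key + ": " + RISKY_CONF[key]
        return False, "config changes affect every VM on this Tor"
    if cmd == "SETEVENTS":
        for a in args:
            if a.upper() in RISKY_EVENTS:
                return False, a.upper() + ": " + RISKY_EVENTS[a.upper()]
        return False, "events are not scoped to one VM"
    if cmd == "MAPADDRESS":
        return False, "address mappings apply to every VM on this Tor"
    if cmd == "SIGNAL":
        return False, "signals such as NEWNYM act on the shared client"
    return False, "command not allowlisted"

# Constructed sample session from an untrusted VM.
SAMPLE = ["GETINFO version", "SETCONF DisableNetwork=1",
          "SETEVENTS BW ADDRMAP", "MAPADDRESS 1.2.3.4=example.com"]
RESULTS = [check_line(l) for l in SAMPLE]
```

Everything not explicitly allowlisted is denied, so control commands and events that the message does not mention are rejected by default as well.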