[Whonix-devel] DRAMA countermeasures

Sun Aug 28 15:20:07 CEST 2016

On 2016-08-28 10:52, Daniel Gruss wrote:
> On 2016-08-27 21:05, bancfc at openmailbox.org wrote:
>> With KVM, CPU instructions can be masked out by QEMU and not be
>> available to guests. I already blacklisted clflush some time ago. The
>> different variants of the tsc instruction are not passed through by
>> default either.
> 
> That sounds very interesting. How does QEMU mask out instructions when
> using KVM with hardware virtualization extensions?

On x86 CPU capabilities are exposed via the CPUID instruction as a set 
of 32-bit integers with each bit given a specific meaning. AMD & Intel 
agree on common names for these bits. QEMU uses a scheme which combines 
a CPU model name string, with a set of named flags. On x86 the CPU model 
is mapped to a baseline CPUID mask, and the flags can be used to then 
toggle bits in the mask on or off. VMWare and Xen both expose the notion 
of CPUID masks directly in their guest configuration format.

QEMU-KVM can optionally emulate some instructions not found in the host 
model but it comes at a performance penalty. (has nothing to do with the 
above though)

> 
>> I was wondering how helpful all this is? and how much this remaining
>> timer can aid attacks?
> 
> As long as the guest can have true multithreading, removing timers
> does not make any difference.
> See Section 3.3 of
> https://www.usenix.org/system/files/conference/usenixsecurity16/sec16_paper_lipp.pdf
> - Moritz and Clémentine will present this at BlackHat Europe in
> November.
> Even without any timers, multithreading allows to obtain a
> sufficiantly accurate timestamp.
> 

Very cool :)

This is tricky haha. So essentially I would disable hyperthreading 
host-side to make sure this isn't available?
Some example code:
https://serverfault.com/a/720471

> 
> Cheers,
> Daniel