xxu36
commented
4 months ago @binxing Hi Cedric, I agree that the TCP port or Vsock are open so another user can utilize that to talk to acond. Of course, acond has many verification steps to possibly detect it, but this is still a possible DoS attack.
However, as for totally shutting down the VM, a user other than the one created the VM is not able to kill the VM. In the code of aconcli, VM shut down logic is currently implemented by sending the SIGTERM signal to the VM process. So if the user attempting to kill the VM is not the one who created it, he is not permitted to shutdown the VM or even list the status of this VM.
I did an experiment trying to shutdown a VM created by xiangquan:
[sgx@sgx-emr01 xxu36]$ ./aconcli shutdown -f tcp://:1025
Shutdown: cannot get VM pid for tcp://:1025: get pid for (tcp://:1025): cannot get matching pid
Similar result as trying to kill the VM process directly by kill command
[sgx@sgx-emr01 xxu36]$ kill -TERM 1383098
-bash: kill: (1383098) - Operation not permitted
binxing
Currently, we are forwarding a host TCP port to the
acondTCP port on the guest. But TCP ports don't have access control, so any user logged in the host can connect to the TCP port of any ACON TD without its owner's permission. Vsock doesn't have access control either. That means some intrusive commands such asaconcli shutdown -fcould allow one user to shutdown other users' ACON TDs.A simple fix is to forward
acondTCP port to a UNIX socket on the host. QEMU supports that option but we will need corresponding changes inaconcli.acondis NOT affected.