
169 points hunvreus | 2 comments
londons_explore No.43653973
Unmentioned: there are serious security issues with memory cloning code not designed for it.

For example, an SSL library might have pre-calculated the random nonce for the next incoming SSL connection.

If you clone the VM containing a process using that library, now both child VMs will use the same nonce. Some crypto is 100% broken open if a nonce is reused.

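The failure mode described in the comment above, as an added example that is not part of the thread: a cached nonce is duplicated by a simulated VM clone, and a generation check discards it. `Session`, the toy SHA-256 counter-mode cipher, and the `generation` parameter (loosely modelled on a hypervisor-provided VM generation ID) are assumptions made for illustration.

```python
import copy, hashlib, os

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode); illustration only."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + off.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], pad))
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Session:
    """Hypothetical library state that pre-computes the next nonce."""
    def __init__(self, key: bytes, generation: int):
        self.key = key
        self.generation = generation      # generation seen when nonce was cached
        self.next_nonce = os.urandom(12)  # cached ahead of use: the hazard

    def encrypt_naive(self, msg: bytes):
        nonce, self.next_nonce = self.next_nonce, os.urandom(12)
        return nonce, keystream_xor(self.key, nonce, msg)

    def encrypt_checked(self, msg: bytes, current_generation: int):
        # Drop cached randomness if the generation changed, i.e. we were cloned.
        # Assumes the RNG itself has been reseeded after the clone.
        if current_generation != self.generation:
            self.generation = current_generation
            self.next_nonce = os.urandom(12)
        return self.encrypt_naive(msg)

def demo():
    parent = Session(key=os.urandom(32), generation=1)
    # deepcopy stands in for a memory snapshot restored twice.
    a, b = copy.deepcopy(parent), copy.deepcopy(parent)
    m1, m2 = b"clone A: balance=100", b"clone B: balance=999"  # constructed
    (n1, c1), (n2, c2) = a.encrypt_naive(m1), b.encrypt_naive(m2)
    # Same key and nonce: the keystream cancels, exposing m1 XOR m2.
    leaked = n1 == n2 and xor(c1, c2) == xor(m1, m2)
    a, b = copy.deepcopy(parent), copy.deepcopy(parent)
    (n3, _), (n4, _) = a.encrypt_checked(m1, 2), b.encrypt_checked(m2, 3)
    return leaked, n3 != n4

if __name__ == "__main__":
    print(demo())
```

In this simulation `os.urandom` is not part of the cloned state; in a real clone the RNG state is copied too, so the generation check only helps if the RNG is reseeded first.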
generalizations No.43654026
Sounds like it would simply be inappropriate to clone & use a VM that's assuming its data is unique. This would also be true of other conditions, e.g. if you needed to spoof a MAC or IPv6 address & picked one randomly.
1. londons_explore No.43654077
The problem is modern software is so fiendishly complicated there almost certainly is stuff like that in the code. The question is where, and does it matter?
2. generalizations No.43654228
And the last question is, can the parts with stuff like that be extracted from the rest and run separately?