16 points viega | 4 comments
simonw ◴[] No.45902348[source]
Here's a recipe for running the proof of concept using Docker on a Mac:

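  cd /tmp
  # Fetch the raw C source; the /blob/ URL returns GitHub's HTML page, not the file
  wget https://raw.githubusercontent.com/crashappsec/h4x0rchat/9b9d0bd5b2287501335acca35d070985e4f51079/h4x0rchat.c
  # Compile and run inside a throwaway gcc:13 container with /tmp mounted at /src
  docker run --rm -it -v "$PWD:/src" \
    -w /src gcc:13 bash -lc 'gcc -Wall -O2 \
    -o h4x0rchat h4x0rchat.c && ./h4x0rchat'

Animated screenshot demo here: https://simonwillison.net/2025/Nov/12/h4x0rchat/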
replies(1): >>45902872 #
1. restlake ◴[] No.45902872[source]
super interesting pseudo IPC channel and at least mildly concerning from a security perspective. saw it on your site first and am shocked there is not a single other comment yet here

was hoping to find at least one “cmon this is easy to avoid with X thing in the kernel/OS” info nugget dropped

replies(2): >>45903009 #>>45903070 #
2. simonw ◴[] No.45903009[source]
I'm not sure how much of a security concern this one is, at least for the kinds of things I care about with respect to containers.

I want my containers to be able to run work without other containers spying on them (already hard thanks to timing attacks).

This IPC channel only works if both containers are collaborating together. I don't think you can use it to spy on my container if my container isn't actively participating.

3. viega ◴[] No.45903070[source]
Agreed that this is not a critical problem, and the cooperative side channel can be useful in otherwise uncooperative environments.

The article does mention wanting to coordinate across multiple identical processes running on the same node in a wide variety of environments as the motivator.

So maybe it should be a feature, not a bug :)

replies(1): >>45910140 #
4. restlake ◴[] No.45910140[source]
two well-balanced takes making me think I should embrace the fun parts of this design and worry less about the risks! it’s a pretty cool idea and impressive it works