[libvirt] Enhancement: Random Clock Offset

For better system anonymity (to decouple VM OS timestamps leaked in traffic from host ones) a feature can be added to the clock offset variable to select randomly from a specified range of seconds instead of a fixed number of seconds. That way a guest's clock can vary unpredictably from the host's and confuse correlation by network adversaries.

Full Disclosure: I am from the Tor-centric Whonix Project - whonix.org and this would be a very useful feature for us.

On Tue, Mar 01, 2016 at 07:51:48PM +0000, bancfc@openmailbox.org wrote:
> For better system anonymity (to decouple VM OS timestamps leaked in traffic from host ones) a feature can be added to the clock offset variable to select randomly from a specified range of seconds instead of a fixed number of seconds. That way a guest's clock can vary unpredictably from the host's and confuse correlation by network adversaries.
>
> Full Disclosure: I am from the Tor-centric Whonix Project - whonix.org and this would be a very useful feature for us.

Interesting idea. Should this be automated, I would expect this to be done above libvirt, using libvirt's APIs. Particularly virDomainSetTime [1] could be of use. There's a virsh command for that as well, called domtime that can be called from a script.

HTH,
Martin

[1] https://libvirt.org/html/libvirt-libvirt-domain.html#virDomainSetTime

On Wed, Mar 02, 2016 at 11:09:20AM +0100, Martin Kletzander wrote:
> On Tue, Mar 01, 2016 at 07:51:48PM +0000, bancfc@openmailbox.org wrote:
>> For better system anonymity (to decouple VM OS timestamps leaked in traffic from host ones) a feature can be added to the clock offset variable to select randomly from a specified range of seconds instead of a fixed number of seconds. That way a guest's clock can vary unpredictably from the host's and confuse correlation by network adversaries.
>>
>> Full Disclosure: I am from the Tor-centric Whonix Project - whonix.org and this would be a very useful feature for us.
>
> Interesting idea. Should this be automated, I would expect this to be done above libvirt, using libvirt's APIs. Particularly virDomainSetTime [1] could be of use. There's a virsh command for that as well, called domtime that can be called from a script.

Agreed, this feature is really a specific usage policy. Libvirt aims to focus on providing mechanism, letting specific policies be implemented by the management applications using libvirt. We already allow the time offset to be set to an arbitrary number of seconds, so apps starting a guest can change that value as desired each time. So I don't think there is anything we should do in libvirt for this.

Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|

On 2016-03-02 10:22, Daniel P. Berrange wrote:
> Agreed, this feature is really a specific usage policy. Libvirt aims to focus on providing mechanism, letting specific policies be implemented by the management applications using libvirt. We already allow the time offset to be set to an arbitrary number of seconds, so apps starting a guest can change that value as desired each time. So I don't think there is anything we should do in libvirt for this.
>
> Regards, Daniel

:( I can't really use the guest-agent because it's advised against running it in an untrusted environment. Has this situation changed?

Also the changes we can do on the host side are really limited to just a VM's configuration XML to keep things simple and self-contained.

On Fri, Mar 11, 2016 at 10:46:24PM +0000, bancfc@openmailbox.org wrote:
> On 2016-03-02 10:22, Daniel P. Berrange wrote:
>> Agreed, this feature is really a specific usage policy. Libvirt aims to focus on providing mechanism, letting specific policies be implemented by the management applications using libvirt. We already allow the time offset to be set to an arbitrary number of seconds, so apps starting a guest can change that value as desired each time. So I don't think there is anything we should do in libvirt for this.
>>
>> Regards, Daniel
>
> :( I can't really use the guest-agent because it's advised against running it in an untrusted environment. Has this situation changed?
>
> Also the changes we can do on the host side are really limited to just a VM's configuration XML to keep things simple and self-contained.

In that case qemu can still help. And libvirt has a way to configure that. There's just one downside being that if the guest resets the time itself (e.g. based on ntp or whatever), it will not be reset. Example configuration:

  <clock offset='variable' adjustment='-12' basis='utc'/>

This should set up the RTC in a way that it starts with the time of UTC minus 12 seconds. You can also set up the RTC to be in a specific timezone, but that's not as finely grained as you'd like, I guess. More info on how to set that up in our docs [1].

HTH,
Martin

[1] https://libvirt.org/formatdomain.html#elementsTime
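
The approach the replies converge on (the application starting the guest picks a fresh offset each time and writes it into the `<clock>` element), as an added example that is not part of the original messages or of libvirt's code. The function names, the ±60 second bounds and the sample domain XML are assumptions made for illustration.

```python
import secrets
import xml.etree.ElementTree as ET

# Constructed sample domain XML (not from the thread); a real document
# would come from `virsh dumpxml <domain>`.
SAMPLE_XML = """<domain type='kvm'>
  <name>example-guest</name>
  <clock offset='utc'>
    <timer name='rtc' tickpolicy='catchup'/>
  </clock>
</domain>"""


def pick_adjustment(low, high):
    """Pick an integer number of seconds uniformly from [low, high] (CSPRNG)."""
    if low > high:
        raise ValueError("low must not exceed high")
    return low + secrets.randbelow(high - low + 1)


def randomize_clock(domain_xml, low=-60, high=60):
    """Return (new_xml, adjustment) with <clock> set to a random variable offset.

    low/high are hypothetical policy bounds in seconds, chosen by the caller.
    """
    root = ET.fromstring(domain_xml)
    if root.tag != "domain":
        raise ValueError("not a libvirt domain document")
    clock = root.find("clock")
    if clock is None:
        clock = ET.SubElement(root, "clock")
    # timezone= only applies to offset='timezone'; drop it if present.
    clock.attrib.pop("timezone", None)
    adjustment = pick_adjustment(low, high)
    clock.set("offset", "variable")
    clock.set("adjustment", str(adjustment))
    clock.set("basis", "utc")
    # Child <timer> elements are left untouched.
    return ET.tostring(root, encoding="unicode"), adjustment


if __name__ == "__main__":
    new_xml, seconds = randomize_clock(SAMPLE_XML, low=-60, high=60)
    print(f"adjustment chosen: {seconds} s")
    print(new_xml)
```

The returned XML would be used to redefine the guest (for example with `virsh define`) before each start. The caveat from the thread about a guest that resets its own time still applies.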