diff --git a/guide.md b/guide.md index b449357..61f9a09 100644 --- a/guide.md +++ b/guide.md @@ -341,6 +341,7 @@ Finally note that this guide does mention and even recommends various commercial - [Addons to install/consider:] - [Bonus resources:] - [Appendix W: Virtualization] + - [Nested virtualization risks] - [Appendix X: Using Tor bridges in hostile environments] - [Appendix Y: Installing and using desktop Tor Browser] - [Installation:][25] 
@@ -11736,12 +11737,36 @@ Here is a little basic illustration of what Virtualization is: Each Virtual Machine is a sandbox. Remember the reasons for using them are to prevent the following risks: -- Mitigate local data leaks and easier clean-up in case of risk (everything is contained within the VM and only the VM identifiers could be leaked and not the Host Hardware identifiers) +- Mitigate local data leaks and easier clean-up in case something gets messed up or it is suspected to be compromised. - Reduce malware/exploit attack surfaces (if your VM is compromised, the adversary still must figure out he is in a VM and then gain access to the Host OS which is not so trivial). - Mitigate online data leaks by being able to enforce strict network rules on Virtual Machines for accessing the network (such as passing through the Tor Network). +## Nested virtualization risks + +**There is an inherently larger attack surface when nesting virtualization.** + +Here's some host information that can be leaked through the Virtual Machine: + +- Organizationally unique identifier or OUI - the unique identifier assigned to VMWare Guest VMs; + +- Virtual Windows registry keys like `ProductID` might show the Host Machine's environment: + `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ProductId XXXXX-123-1234567-12345` + +- HDD, GPU, and mouse drivers can be exposed through: `HKEY_LOCAL_MACHINE\System\CurrentControlSet\` + +- Registry entries will show that this is a virtual mouse: `%WINDIR%\system32\drivers\vmmouse.sys` + +- Descriptor Table Registers: + + - Since it's a Virtual Machine using the same CPU cores, the descriptor values are relocated due to there only being space for one of each identifier per CPU. This is a dead giveaway and is used in detection by advanced malware. 
It's employed by malware architects to tell when the program is being ran in a forensics environment, even such as a Remnux or Flare VM - popular OS and OS addons that are used by experts to analyze the malware. + +- Guest VMs also indirectly access the same hardware as the Host. + +See for more techniques used by malware to detect virtualization. These techniques are mostly prevented by appending some settings to your VM config file (.vmx). + + # Appendix X: Using Tor bridges in hostile environments In some environments, your ISPs might be trying to prevent you from accessing Tor. Or accessing Tor openly might be a safety risk. @@ -13814,6 +13839,7 @@ In short, our opinion is that you may use Session Messenger on iOS due to the ab [Addons to install/consider:]: #addons-to-installconsider [Bonus resources:]: #bonus-resources [Appendix W: Virtualization]: #appendix-w-virtualization + [Nested virtualization risks]: #nested-virtualization-risks [Appendix X: Using Tor bridges in hostile environments]: #appendix-x-using-tor-bridges-in-hostile-environments [Appendix Y: Installing and using desktop Tor Browser]: #appendix-y-installing-and-using-desktop-tor-browser [25]: #installation-6
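Review bot: In the body hunk (`@@ -11736,12 +11737,36 @@`) the new heading `## Nested virtualization risks` does not match its content: none of the bullets concerns nested virtualization (running a hypervisor inside a guest); every item is a guest-side artifact that lets software detect that it is running in a VM. Either rename the section (for example "Virtual machine detection artifacts") and reword the bolded claim, or add material that actually covers nesting. The framing "host information that can be leaked through the Virtual Machine" is also inaccurate for the items listed: the OUI is the vendor prefix of the guest's virtual NIC MAC address and identifies the VM as a VMware guest, not the host; `ProductId` under `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion` is the guest's own Windows product ID, not the host's; and `%WINDIR%\system32\drivers\vmmouse.sys` is a file path in the guest, not a registry entry (the registry artifact would be the driver's service key under `CurrentControlSet\Services`). The descriptor-table bullet overstates its case: the classic check compares the base addresses reported by SIDT/SGDT/SLDT, the explanation about "only being space for one of each identifier per CPU" is not what happens, and on modern hardware-assisted hypervisors (VT-x/AMD-V) the guest reads its own virtualized register values, so "dead giveaway" should be softened to "a historical heuristic that is unreliable today". The sentence `See for more techniques used by malware to detect virtualization.` is missing its link target, and `These techniques are mostly prevented by appending some settings to your VM config file (.vmx).` names neither the settings nor a source; please list them or cite where they come from, and note that `.vmx` applies to VMware only. Minor wording: "being ran" should be "being run", "Remnux" is spelled "REMnux", "VMWare" is "VMware", the OUI bullet ends with a stray semicolon while the others do not, the rewritten bullet "in case something gets messed up" reads more informally than its neighbours (consider "in case of a suspected compromise"), and the two extra blank lines before `# Appendix X` can go.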
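Review bot: In the link-reference hunk (`@@ -13814,6 +13839,7 @@`) the added definition `+ [Nested virtualization risks]: #nested-virtualization-risks` appears to carry a leading space, whereas the surrounding definitions such as `[Appendix W: Virtualization]: #appendix-w-virtualization` start at column 0. Markdown tolerates up to three spaces of indentation here, so it will still resolve, but drop the space for consistency with the rest of the block. The anchor itself does match the slug GitHub generates for `## Nested virtualization risks`, so the table-of-contents link will work once the section title is settled.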