Fun-reliable side-channels for cross-container communication

17•viega•2mo ago

Comments

simonw•2mo ago

Here's a recipe for running the proof of concept using Docker on a Mac:

  cd /tmp
  wget https://github.com/crashappsec/h4x0rchat/blob/9b9d0bd5b2287501335acca35d070985e4f51079/h4x0rchat.c
  docker run --rm -it -v "$PWD:/src" \
    -w /src gcc:13 bash -lc 'gcc -Wall -O2 \
    -o h4x0rchat h4x0rchat.c && ./h4x0rchat'

Animated screenshot demo here: https://simonwillison.net/2025/Nov/12/h4x0rchat/

restlake•2mo ago

super interesting pseudo IPC channel and at least mildly concerning from a security perspective. saw it on your site first and am shocked there is not a single other comment yet here

was hoping to find at least one “cmon this is easy to avoid with X thing in the kernel/OS” info nugget dropped

simonw•2mo ago

I'm not sure how much of a security concern this one is, at least for the kinds of things I care about with respect to containers.

I want my containers to be able to run work without other containers spying on them (already hard thanks to timing attacks).

This IPC channel only works if both containers are collaborating together. I don't think you can use it to spy on my container if my container isn't actively participating.

viega•2mo ago

Agreed that this is not a critical problem, and the cooperative side channel can be useful in otherwise uncooperative environments.

The article does mention wanting to coordinate across multiple identical processes running on the same node in a wide variety of environments as the motivator.

So maybe it should be a feature, not a bug :)

restlake•2mo ago

two well-balanced takes making me think I should embrace the fun parts of this design and worry less about the risks! it’s a pretty cool idea and impressive it works

pizzafeelsright•2mo ago

That is a fun read. Shared systems indeed share outside their designer's intent.

Show HN: I'm 75, building an OSS Virtual Protest Protocol for digital activism

Show HN: I built Divvy to split restaurant bills from a photo

Hot Reloading in Rust? Subsecond and Dioxus to the Rescue

Skim – vibe review your PRs

Show HN: Open-source AI assistant for interview reasoning

Tech Edge: A Living Playbook for America's Technology Long Game

Golden Cross vs. Death Cross: Crypto Trading Guide

Hoot: Scheme on WebAssembly

What the longevity experts don't tell you

Monzo wrongly denied refunds to fraud and scam victims

They were drawn to Korea with dreams of K-pop stardom – but then let down

Show HN: AI-Powered Merchant Intelligence

Bash parallel tasks and error handling

Let's compile Quake like it's 1997

Reverse Engineering Medium.com's Editor: How Copy, Paste, and Images Work

Go 1.22, SQLite, and Next.js: The "Boring" Back End

Laibach the Whistleblowers [video]

Slop News - HN front page right now as AI slop

Economists vs. Technologists on AI

Life at the Edge

RISC-V Vector Primer

Show HN: Invoxo – Invoicing with automatic EU VAT for cross-border services

A Tale of Two Standards, POSIX and Win32 (2005)

Ask HN: Is the Downfall of SaaS Started?

Flirt: The Native Backend

OpenAI's Latest Platform Targets Enterprise Customers

Goldman Sachs taps Anthropic's Claude to automate accounting, compliance roles

Ai.com bought by Crypto.com founder for $70M in biggest-ever website name deal

Big Tech's AI Push Is Costing More Than the Moon Landing

The AI boom is causing shortages everywhere else