> Do those VMs have access to the internet?

Yes they do. 

> And, if you don't run sensitive processes on the main machine while the
> VM is running and testing, then there is no sensitive data for any
> malicious attack to gather.

What about OS encryption keys related to LUKS? And other things that are in memory, like Thunderbird obviously stores my Gmail username and password.

> To put your mind to rest, you will have to read the description of the
> exploit, determine for yourself the conditions that allow it, and
> prevent those conditions from occurring on your system.

I am trying to learn as much as I can about the problem.

On Fri, May 15, 2020 at 7:01 PM stan via users <users@lists.fedoraproject.org> wrote:
On Fri, 15 May 2020 17:29:31 +0530
Sreyan Chakravarty <sreyan32@gmail.com> wrote:

> On 5/15/20 1:03 AM, stan via users wrote:
> > If you are the only user on your machine, you almost certainly don't
> > have to worry about this. 
> That is good to hear.
> > The main threat of this attack was on cloud servers where many
> > different users are running under virtual machines. 
>
> This is the problem. I do some CTF practice from Kali Linux and I
> also have a Windows 10 VM to try out various untrusted or malicious
> software.

Do those VMs have access to the internet?  If they don't, they can't
communicate their results even if they do perform the attack.  When the
VM closes, they lose all their results.

> >   think for single use systems, Tom's response is the correct one,
> > but you can worry if you want. 
> Yeah, but what about single user systems that run a fair number of
> VMs?

Well, unless you are the malicious attacker, they are still contained.
You have control of the VM.

And, if you don't run sensitive processes on the main machine while the
VM is running and testing, then there is no sensitive data for any
malicious attack to gather.

It can only gather data from a process running on the same core at the
same time.  If your main system is idle while you are testing in the
virtual machine, there is nothing for it to gather.

To put your mind to rest, you will have to read the description of the
exploit, determine for yourself the conditions that allow it, and
prevent those conditions from occurring on your system.  The simplest
way is to do as I describe above, only run software that might be
malicious in a VM (or on the main OS) while you are not doing sensitive
operations on the main OS or on another VM on the same core; sensitive
will primarily be surfing the web where you enter passwords for access.


--
Regards,
Sreyan Chakravarty
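
The "same core at the same time" condition discussed in the thread can be checked on a Linux host by reading which logical CPUs are hyper-thread siblings of one physical core. The following is an added example, not part of the original messages; it assumes the VM's vCPUs are pinned to known logical CPUs, and the function names and the sample topology are constructed for illustration.

```python
import glob
import re

SYSFS = "/sys/devices/system/cpu/cpu[0-9]*/topology/thread_siblings_list"


def parse_cpu_list(text):
    """Expand a kernel CPU list such as '0,4' or '0-1,8-9' into a set of ints."""
    cpus = set()
    for part in text.strip().split(","):
        if not part:
            continue
        lo, _, hi = part.partition("-")
        cpus.update(range(int(lo), int(hi or lo) + 1))
    return cpus


def read_siblings(pattern=SYSFS):
    """Read {logical_cpu: raw sibling list} from Linux sysfs (empty elsewhere)."""
    out = {}
    for path in glob.glob(pattern):
        cpu = int(re.search(r"cpu(\d+)/topology", path).group(1))
        with open(path) as fh:
            out[cpu] = fh.read()
    return out


def shared_cores(siblings, vm_cpus, host_cpus):
    """Return the physical cores (tuples of logical CPUs) used by BOTH sets."""
    cores = {frozenset(parse_cpu_list(raw) | {cpu}) for cpu, raw in siblings.items()}
    vm, host = set(vm_cpus), set(host_cpus)
    return sorted(tuple(sorted(c)) for c in cores if c & vm and c & host)


# Constructed sample: 4 cores / 8 threads, logical CPU n paired with n+4.
SAMPLE = {n: f"{n % 4},{n % 4 + 4}\n" for n in range(8)}

if __name__ == "__main__":
    topo = read_siblings() or SAMPLE
    # Hypothetical pinning: VM on CPUs 2 and 3, host work kept on 0, 1 and 6.
    overlap = shared_cores(topo, vm_cpus={2, 3}, host_cpus={0, 1, 6})
    for core in overlap:
        print("VM and host share physical core with logical CPUs", core)
    if not overlap:
        print("No physical core is shared between the VM and host CPU sets")
```

An empty result means no physical core is shared between the two CPU sets under the stated pinning; it says nothing about CPUs the VM is not pinned away from.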