Fun-Reliable Side-Channels for Cross-Container Communication

Postedabout 2 months agoActiveabout 2 months ago

viega

17 points

6 comments

h4x0r.orgTechstory

calmmixed

Debate

20/100

Container SecuritySide-ChannelsCross-Container Communication

Key topics

Container Security

Side-Channels

Cross-Container Communication

The post discusses a proof-of-concept for cross-container communication using side-channels, and the discussion revolves around the implications and potential uses of this technique.

Snapshot generated from the HN discussion

Discussion Activity

Light discussion

First comment

Peak period

3-4h

Avg / period

1.5

Key moments

01Story posted
Nov 12, 2025 at 8:52 AM EST
about 2 months ago
Step 01
02First comment
Nov 12, 2025 at 11:45 AM EST
3h after posting
Step 02
03Peak activity
3 comments in 3-4h
Hottest window of the conversation
Step 03
04Latest activity
Nov 12, 2025 at 10:19 PM EST
about 2 months ago
Step 04

Generating AI Summary...

Analyzing up to 500 comments to identify key contributors and discussion patterns

Discussion (6 comments)

Showing 6 comments

simonw

about 2 months ago

1 reply

Here's a recipe for running the proof of concept using Docker on a Mac:

  cd /tmp
  wget https://github.com/crashappsec/h4x0rchat/blob/9b9d0bd5b2287501335acca35d070985e4f51079/h4x0rchat.c
  docker run --rm -it -v "$PWD:/src" \
    -w /src gcc:13 bash -lc 'gcc -Wall -O2 \
    -o h4x0rchat h4x0rchat.c && ./h4x0rchat'

Animated screenshot demo here: https://simonwillison.net/2025/Nov/12/h4x0rchat/

restlake

about 2 months ago

2 replies

super interesting pseudo IPC channel and at least mildly concerning from a security perspective. saw it on your site first and am shocked there is not a single other comment yet here

was hoping to find at least one “cmon this is easy to avoid with X thing in the kernel/OS” info nugget dropped

viegaAuthor

about 2 months ago

1 reply

Agreed that this is not a critical problem, and the cooperative side channel can be useful in otherwise uncooperative environments.

The article does mention wanting to coordinate across multiple identical processes running on the same node in a wide variety of environments as the motivator.

So maybe it should be a feature, not a bug :)

restlake

about 2 months ago

two well-balanced takes making me think I should embrace the fun parts of this design and worry less about the risks! it’s a pretty cool idea and impressive it works

simonw

about 2 months ago

I'm not sure how much of a security concern this one is, at least for the kinds of things I care about with respect to containers.

I want my containers to be able to run work without other containers spying on them (already hard thanks to timing attacks).

This IPC channel only works if both containers are collaborating together. I don't think you can use it to spy on my container if my container isn't actively participating.

pizzafeelsright

about 2 months ago

That is a fun read. Shared systems indeed share outside their designer's intent.

View full discussion on Hacker News

ID: 45900185Type: storyLast synced: 11/20/2025, 1:35:57 PM

Want the full context?

Jump to the original sources

Read the primary article or dive into the live Hacker News thread when you're ready.

Open link View on HN