[Whonix-devel] Exposing AnonVM Users with Dom0 Hardware Fingerprint Leaks
whonixqubes at riseup.net
Mon Feb 16 03:56:50 CET 2015
On 2015-02-16 1:11 am, Hakisho Nukama wrote:
> Optimally the underlying VM wouldn't expose hardware information at
> Apart from a default sanitized set of 1 CPU at X Mhz and Y MB RAM,
> disk and network controller and default input and output devices,
> with guaranteed resources and restriction on maximum resource
> So every workload running in an anonvm under these constrains should
> behave exactly identical, whether it runs on laptop A, laptop B or
> desktop C
> and should not be influenced by other task running on the host machine
> (and vice versa, running task on this appvm shouldn't influence host
> VirtualBox used with Whonix does hide the processor model and
> but not frequency.
> Is there a way in cloaking all these information with modifications to
> a hypervisor?
> Or is there a reliable way to mask these information with a customized
> This could evaporate the need of an anonymously obtained extra piece of
> hardware for low risk situations.
I was going to post on this CPU/hardware fingerprinting issue soon.
Currently, Qubes/Xen exposes the underlying host CPU information.
Just try running this in any ordinary VM...
And so *ANYTHING* that has access or gets access to your VMs will know
your unique machine's CPU info.
Qubes is based on the concept that the bloated monolithic OSes (Linux,
Windows, etc) that the individual VMs run on are relatively easy to
exploit and penetrate into. So, for security, Qubes implements very
strong isolation between VMs to counter this threat.
However, when applied to the goal of privacy/anonymity, Qubes isolation
breaks down when such underlying host information is freely given and
exposed to VMs. And so even AnonVMs can be easily fingerprinted as very
likely belonging to the same human person (e.g. exact same CPU info
recorded between multiple compromised AnonVMs).
I'd be very interested in answers or solutions to Hakisho's question
"Is there a way in cloaking all these information with modifications to
Can Qubes sanitize the CPU -- and other unique hardware -- information
passed down from the Xen hypervisor to VMs?
This would be very important for any platform supporting
privacy/anonymity, as even VirtualBox seems to go further with.
Fixed dedicated resource utilization in VMs would be the ultimate as
Hakisho suggests, but at least simply sanitizing unique hardware info
would be a basic first step.
I also wonder if anybody here knows of other unique host information or
hardware (beyond the CPU or internal VM IP) that gets exposed to
ordinary VMs, or documented methods for testing such things?
I'm going to be exploring this issue in greater depth this year for
Qubes + Whonix and am hungry for all the good info I can get.
But, the big blatant AnonVM fingerprinting issue I noticed so far, for
Qubes, was the leak of unique host CPU info to all ordinary VMs.
CC'd to whonix-devel
More information about the Whonix-devel