[Whonix-devel] [qubes-devel] Re: Exposing AnonVM Users with Dom0 Hardware Fingerprint Leaks

Unman unman at thirdeyesecurity.org
Thu Feb 19 02:10:20 CET 2015

On Thu, Feb 19, 2015 at 12:46:58AM +0100, Radoslaw Szkodzinski wrote:
> >
> > Radoslaw,
> >
> > Thanks for your extensive feedback! :)
> >
> > However, we are talking at cross-purposes, I'm afraid.
> >
> > You primarily seem to be talking about de-anonymization based on internet
> > traffic data. Which is fine, but a level up from where I'm talking about
> > here.
> Not at all. I was talking about local deanonymization.
> > I'm talking about once an AnonVM has been compromised (not that hard in
> > bloated OSes like Linux, etc), and the attacker can see most-or-all
> > technical and user info contained within the AnonVM environment.
> Yes. There is nothing you can do about it.
> > As various factors stand right now, based on 2 AnonVM compromises, or based
> > on 1 AnonVM compromise correlated with other information databases, a person
> > can be de-anonymized based on the CPU model info that Qubes/Xen is exposing
> > to the AnonVM.
> Uh, you can be deanonymized just by tracking the usage patterns.
> However, a disposable/read-only VM would provide some measure of
> protection against exploit persistence.
> >From what I know, Tor/Anon VMs are not disposable (yet). This should
> be the first goal.

Am I missing something? It's trivial to make the dispvm an anonvm...

> >
> > There are other characteristics of the AnonVM environment (especially
> > non-hardware based) that make it uniquely fingerprintable in this way. I am
> > personally working on programming a software solution to these types of
> > "other" fingerprints in Qubes, this year in 2015.
> >
> > But, as it stands, once compromised (with is pretty trivial to do), a Qubes
> > AnonVM user could be de-anonymized in many scenarios based on their CPU info
> > being exposed to the AnonVM.
> No. CPUID provides only a few more bits of entropy for deanonymization.
> As opposed to, say, free memory and CPU use, which is a direct
> indication of usage.

Yes, this is right. It's just not true that CPU info is a unique
identifier although it's been repeatedly claimed in this thread.

look at the browser fingerprint of the TBB - sometimes I think you would
be better off running IE on XP with a cheap mass market pc. :-)

And is this local IP exposure disclosure anything new? I've seen
javascript leveraging java calls before to get local IP adresses.

More information about the Whonix-devel mailing list