Advanced Deanonymization Attacks



This page aims to track and document advanced attacks[1] that also affect virtualized and anonymous systems like Whonix. The attacks discussed here tend to be highly accurate, readily feasible and devastating in effect. Most of them abuse the underlying hardware design to undermine the isolation barriers imposed by the software stack above it. Exploiting buggy software remains the lowest-hanging fruit for network adversaries; however, we expect them to expand their toolbox to include vectors like these because the chance of discovery is low to nonexistent.

Some definitions: Side Channels allow a malicious process to spy on events/data outside the VM. Local Covert Channels require collaboration between a malicious VM and an infected victim VM to leak confidential data. Network Covert Channels only require that a compromised VM induce identifiable changes in network traffic that are immediately visible to adversaries that surveil the network. Behavioral tracking (also called biometric tracking) relies on spying on how you interact with your devices[2] rather than looking at the unique identifiers at the device, protocol or application levels.


| Attack | CPU-induced network latency[3] | TCP ISNs and temperature induced clock skews[4] | DRAMA Cross-CPU attacks[5] | Cross-VM CPU cache attacks[6][7] | Keyboard/Mouse input fingerprinting[8] |
|---|---|---|---|---|---|
| Attack Type | Covert Channel (network) | Covert Channel (network) | Covert (local) and Side Channel | Covert (local) and Side Channel | Behavioral Tracking |
| Requires local compromise | No | No | Yes | Yes | No |
| Attack Summary | CPU load induces noticeable latency in network packets. | CPU load skews clock crystal frequency. Changes detectable in TCP ISN field. | Timing shared memory bank accesses allows data leaks, also snooping on keystrokes. | Shared CPU cache access latency leaks timing data of crypto processes. | Timing of/between keystrokes and mouse movement speed/angles create individually unique patterns. |
| Mitigation | Queue and release packets randomly with Netfilter. | Rewrite TCP ISNs to conceal timer skews. | Block clflush and tsc instructions. Remove all timers. Avoid multi-threading VMs. Alternatively use non-interleaved NUMA with pinned vCPUs. | Pin vCPUs to separate pCPUs. Block tsc instructions. Remove all timers. | Abstract keyboard/mouse input into a network layer and inject random delays.[9] |
| Fix Stage - Whonix KVM | Near Production | Planning | Production | Production | Planning |
| Fix Stage - Whonix VirtualBox | Near Production | Planning | - | - | Planning |
| Fix Stage - Qubes-Whonix | Near Production | Planning | - | - | Planning |

Time-related attacks are a large class of their own and are documented separately, with some overlap here.

There are other advanced attacks that are not included in the table above but have had easy fixes, such as avoiding some features of the hypervisor.
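The keyboard/mouse mitigation in the table (inject random delays into input events) can be simulated to see how much typing rhythm survives. This is an added example, not Whonix code; `release_times`, `intervals`, `pearson` and the timing values are constructed for illustration.

```python
import random
from itertools import accumulate

# Constructed sample: seconds between successive key presses of one typist.
GAPS = [0.12, 0.09, 0.21, 0.15, 0.08, 0.30, 0.11, 0.18, 0.10, 0.25,
        0.13, 0.07, 0.22, 0.16, 0.09, 0.28, 0.12, 0.19, 0.14, 0.10]
PRESSES = list(accumulate(GAPS))  # absolute press times, in seconds


def release_times(presses, max_delay, rng):
    """Hold each event for a random time in [0, max_delay] before delivery.

    The lower bound of each delay is raised to the previous release time,
    so events are never delivered out of order.
    """
    released, prev = [], float("-inf")
    for t in presses:
        lower = max(0.0, prev - t)
        prev = max(prev, t + rng.uniform(lower, max_delay))
        released.append(prev)
    return released


def intervals(times):
    """Gaps between consecutive events: the feature a timing profiler sees."""
    return [b - a for a, b in zip(times, times[1:])]


def pearson(xs, ys):
    """Pearson correlation of two equal-length sequences."""
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sx = sum((x - mx) ** 2 for x in xs) ** 0.5
    sy = sum((y - my) ** 2 for y in ys) ** 0.5
    return cov / (sx * sy)


if __name__ == "__main__":
    true_gaps = intervals(PRESSES)
    for max_delay in (0.0, 0.05, 0.1, 0.5):
        # Seeded only so the demo output is repeatable.
        seen = intervals(release_times(PRESSES, max_delay, random.Random(7)))
        print(f"max_delay={max_delay:4.2f}s  correlation with real rhythm: "
              f"{pearson(true_gaps, seen):+.2f}")
```

With `max_delay` at 0 the delivered intervals equal the typed ones; raising it trades input lag for a weaker link between observed and real rhythm.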




Whonix is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Libre Software license as Whonix itself.

Whonix is provided by ENCRYPTED SUPPORT LP.