
Advanced Deanonymization Attacks



This page aims to track and document advanced attacks[1] that also affect virtualized and anonymous systems like Whonix. The attacks discussed here tend to have very high accuracy and are easily feasible to devastating effect. They are mostly about abusing the underlying hardware design to undermine isolation barriers imposed by the software stack above. Exploiting buggy software remains the lowest-hanging fruit for network adversaries; however, we expect to see them expand their toolbox to include vectors like these because the chances of discovery are low to nonexistent.

Some definitions: Side Channels allow a malicious process to spy on events/data outside the VM. Local Covert Channels require collaboration between a malicious VM and an infected victim VM to leak confidential data. Network Covert Channels only require that a compromised VM induce identifiable changes in network traffic that are immediately visible to adversaries that surveil the network. Behavioral tracking (also called biometric tracking) relies on spying on how you interact with your devices[2] rather than looking at the unique identifiers at the device, protocol or application levels.
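The network covert channel definition above, and the "queue and release packets randomly" mitigation listed for CPU-induced latency in the table, are easiest to reason about with a toy model. The following is an added example, not Whonix code: it models a guest whose CPU load shifts the round-trip time a passive network observer sees, then measures how much of that signal survives when every packet is held for an independent random delay before release. All timing constants (20 ms base RTT, 3 ms load penalty, 0.3 ms noise, up to 10 ms queueing delay) are constructed for illustration.

```python
"""Toy model of a CPU-load network covert channel and of randomized packet
release as a mitigation. Added example; every constant is constructed."""
import random


def simulate_rtts(bits, base_ms=20.0, load_penalty_ms=3.0, noise_ms=0.3, seed=1):
    """Constructed model: when the guest CPU is busy (bit 1) every packet's
    observed round-trip time grows by load_penalty_ms; idle (bit 0) adds nothing.
    Small Gaussian noise stands in for ordinary network jitter."""
    rng = random.Random(seed)
    return [base_ms + (load_penalty_ms if b else 0.0) + rng.gauss(0.0, noise_ms)
            for b in bits]


def random_release_delay(rtts, max_delay_ms=10.0, seed=2):
    """Mitigation: hold each packet in a queue for an independent uniform random
    time before releasing it, so observed latency no longer tracks CPU load."""
    rng = random.Random(seed)
    return [rtt + rng.uniform(0.0, max_delay_ms) for rtt in rtts]


def observer_decode(rtts):
    """Passive observer's decoder: classify each packet as 'busy' or 'idle' by
    splitting at the midpoint of the observed latency range."""
    threshold = (min(rtts) + max(rtts)) / 2.0
    return [1 if rtt > threshold else 0 for rtt in rtts]


def bit_error_rate(sent, received):
    """Fraction of bits the observer got wrong (0.5 means no information)."""
    return sum(s != r for s, r in zip(sent, received)) / len(sent)


def evaluate(n_bits=128, max_delay_ms=10.0):
    """Compare the observer's error rate without and with randomized release."""
    rng = random.Random(0)
    bits = [rng.randint(0, 1) for _ in range(n_bits)]  # constructed message
    raw = simulate_rtts(bits)
    mitigated = random_release_delay(raw, max_delay_ms)
    return {
        "unmitigated_ber": bit_error_rate(bits, observer_decode(raw)),
        "mitigated_ber": bit_error_rate(bits, observer_decode(mitigated)),
    }


if __name__ == "__main__":
    print(evaluate())
```

With these constants the observer recovers the unmitigated message without error, while the randomized queueing delay pushes the error rate well above a third. Raising `max_delay_ms` relative to the load penalty drives it toward 0.5 (no leak), at the cost of added latency for every packet, which is the trade-off a real Netfilter-based implementation has to tune.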


| | CPU-induced network latency[3] | TCP ISNs and temperature-induced clock skews[4] | DRAMA cross-CPU attacks[5] | Cross-VM CPU cache attacks[6][7] | Keyboard/mouse input fingerprinting[8] |
|---|---|---|---|---|---|
| Attack type | Covert channel (network) | Covert channel (network) | Covert channel (local) and side channel | Covert channel (local) and side channel | Behavioral tracking |
| Requires local compromise | No | No | Yes | Yes | No |
| Attack summary | CPU load induces noticeable latency in network packets. | CPU load skews the clock crystal frequency; the change is detectable in the TCP ISN field. | Timing shared memory bank accesses allows data leaks and snooping on keystrokes. | Shared CPU cache access latency leaks timing data of crypto processes. | Timing of and between keystrokes, and mouse movement speed and angles, create individually unique patterns. |
| Mitigation | Queue and release packets randomly with Netfilter. | Rewrite TCP ISNs to conceal timer skews. | Block clflush and tsc instructions. Remove all timers. Avoid multi-threading VMs. Alternatively use non-interleaved NUMA with pinned vCPUs. | Pin vCPUs to separate pCPUs. Block tsc instructions. Remove all timers. | Abstract keyboard/mouse input into a network layer and inject random delays.[9] |
| Fix stage: Whonix KVM | Near Production | Planning | Production | Production | Planning |
| Fix stage: Whonix VirtualBox | Near Production | Planning | - | - | Planning |
| Fix stage: Qubes-Whonix | Near Production | Planning | - | - | Planning |
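The vCPU pinning and non-interleaved NUMA items in the DRAMA and cache-attack mitigation cells translate directly into libvirt domain configuration on a KVM host. The fragment below is an added example, not the Whonix project's own configuration: it gives a two-vCPU guest a dedicated physical core per vCPU (one thread per core, so the guest never shares an SMT sibling with another VM) and binds its memory to a single NUMA node. The host core ids 2 and 3, NUMA node 0, and the guest name are assumptions about an example host; the instruction-blocking and timer-removal items from the table are not expressed here, and the unrelated required domain elements (memory, os, devices) are omitted for brevity.

```xml
<!-- Added example (not Whonix configuration): libvirt domain fragment for
     vCPU pinning and single-node memory binding. Core ids 2-3 and NUMA node 0
     are assumed values for an example host. -->
<domain type="kvm">
  <name>example-guest</name>

  <!-- Static placement: vCPU-to-pCPU assignment never changes at runtime. -->
  <vcpu placement="static">2</vcpu>
  <cputune>
    <!-- Each vCPU on its own physical core; neither core is shared with
         another guest's vCPU in this host's allocation plan. -->
    <vcpupin vcpu="0" cpuset="2"/>
    <vcpupin vcpu="1" cpuset="3"/>
    <!-- Keep the QEMU emulator threads on the same cores, not on cores
         that host other guests. -->
    <emulatorpin cpuset="2-3"/>
  </cputune>

  <!-- Allocate all guest memory from one NUMA node so the guest's DRAM
       accesses are not interleaved across nodes shared with other guests. -->
  <numatune>
    <memory mode="strict" nodeset="0"/>
  </numatune>

  <!-- Present one thread per core to the guest, matching the pinning above. -->
  <cpu mode="host-passthrough">
    <topology sockets="1" cores="2" threads="1"/>
  </cpu>
</domain>
```

Pinning only helps if the host side is consistent: the chosen cores (and their SMT siblings, if hyperthreading is enabled on the host) must not be handed to other guests, which is a host allocation decision rather than something this guest's XML can enforce.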

Time-related attacks are a large class of their own and are documented separately, with some overlap with this page.

There are other advanced attacks, not included in the table above, that have had easy fixes such as avoiding some features of the hypervisor.



  1. https://phabricator.whonix.org/T540
  2. https://www.whonix.org/blog/biometric-fingerprinting
  3. https://phabricator.whonix.org/T530
  4. https://phabricator.whonix.org/T543
  5. https://phabricator.whonix.org/T541
  6. https://phabricator.whonix.org/T539
  7. Hello from the Other Side: SSH over Robust Cache Covert Channels in the Cloud. A newer covert channel attack that needs the same conditions (a shared CPU cache).
  8. https://phabricator.whonix.org/T542
  9. Removing fine-grained timers helps here too.
