This page aims to track and document advanced attacks that also affect virtualized and anonymous systems like Whonix. Attacks discussed here tend to have very high accuracy and are easily feasible to devastating effect. They are mostly about abusing the underlying hardware design to undermine isolation barriers imposed by the software stack above. Exploiting buggy software remains the lowest hanging fruit for network adversaries, however we expect to see them expand their toolbox to include vectors like these because of the low to none chances of discovery.
Some definitions: Side Channels allow a malicious process to spy on events/data outside the VM. Local Covert Channels require collaboration between a malicious VM and an infected victim VM to leak confidential data. Network Covert Channels only require that a compromised VM induce identifiable changes in network traffic that are immediately visible to adversaries that surveil the network. Behavioral tracking (also called biometric tracking) relies on spying on how you interact with your devices rather than looking at the unique identifiers at the device, protocol or application levels.
|CPU-induced network latency||TCP ISNs and temperature induced clock skews||DRAMA Cross-CPU attacks||Cross-VM CPU cache attacks||Keyboard/Mouse input fingerprinting|
|Attack Type||Covert Channel (network)||Covert Channel (network)||Covert (local) and Side Channel||Side Channel||Behavioral Tracking|
|requires local compromise||No||No||Yes||Yes||No|
|Attack Summary||CPU load induces notice-able latency in network packets.||CPU load skews clock crystal frequency. Changes detectable in TCP ISN field.||Timing shared memory bank accesses allows data leaks also snooping on keystrokes.||Shared CPU cache access latency leaks timing data of crypto processes.||Timing of/between keystrokes and mouse movement speed/angles create individually unique patterns.|
|Mitigation||Queue and release packets randomly with Netfilter.||Rewrite TCP ISNs to conceal timer skews.||Block clflush and tsc instructions. Remove all timers. Avoid multi-threading VMs. Alternatively use non-interleaved NUMA with pinned vCPUs.||Pin vCPUs to separate pCPUs. Block tsc instructions. Remove all timers.||Abstract keyboard/mouse input into a network layer and inject random delays.|
|Fix Stage - Whonix KVM||Near Production||Planning||Production||Production||Planning|
|Fix Stage - Whonix VirtualBox||Near Production||Planning||-||-||Planning|
|Fix Stage - Qubes-Whonix||Near Production||Planning||-||-||Planning|
Time related attacks are a large class of their own, documented separately with some overlap here.
There are other advanced attacks not included in the table above but have had easy fixes such as avoiding some features of the hypervisor.
- Removing fine-grained timers helps here too.
Impressum | Datenschutz | Haftungsausschluss
Conditions for Contributions to Whonix, then Edit! IP addresses are scrubbed, but editing over Tor is recommended. Edits are held for moderation. Whonix (g+) is a licensee of the Open Invention Network. Unless otherwise noted above, content of this page is copyrighted and licensed under the same Free (as in speech) license as Whonix itself.