Last update: March 17, 2019.

Advanced Deanonymization Attacks

Introduction

This page tracks and documents advanced attacks [1] that also affect virtualized and anonymous systems like Whonix. The attacks discussed below tend to have a very high accuracy rate and can easily have devastating impacts upon anonymity. Their common thread is abuse of the underlying hardware design to undermine isolation barriers imposed by the software stack operating above it. [2] Exploiting buggy software remains the lowest-hanging fruit for network adversaries, but they are expected to expand their toolbox and utilize these hardware-level vectors more regularly, since the chances of discovery are minimal to none.

Attack Definitions

Table: Common Attack Vectors causing Data Leakage

| Attack Vector | Description |
|---|---|
| Side Channels | Side channel attacks allow a malicious process to spy on events/data outside the VM. |
| Local Covert Channels | Local covert channels require collaboration between a malicious VM and an infected victim VM to leak confidential data. |
| Network Covert Channels | Network covert channels only require that a compromised VM induce identifiable changes in network traffic that are immediately visible to adversaries that surveil the network. |
| Biometric Tracking | Behavioral tracking (also called biometric tracking) relies on spying on how users interact with their devices, [3] rather than looking at the unique identifiers of the device, protocol or application levels. |

Attack Methodology

Table: Advanced Deanonymization Methods

| Attack | Attack Class | Local Compromise Required | Attack Summary | Mitigation | Whonix KVM Mitigation | Whonix VirtualBox Mitigation | Qubes-Whonix Mitigation |
|---|---|---|---|---|---|---|---|
| CPU-induced Network Latency [4] | Covert Channel (network) | No | CPU load induces a noticeable latency in network packets. | Queue and release packets randomly with Netfilter. | No | No | No |
| TCP ISNs and Temperature-induced Clock Skews [5] | Covert Channel (network) | No | CPU load skews the clock crystal frequency; these changes are detectable in the TCP ISN field. | Rewrite TCP ISNs to conceal timer skews. | No | No | No |
| DRAMA Cross-CPU Attacks [6] | Covert (local) and Side Channel | Yes | Timing of access to the shared memory bank permits data leaks, as well as snooping on keystrokes. | Block clflush and tsc instructions, as well as removing all timers. Further, avoid the multi-threading of VMs, or alternatively use non-interleaved NUMA with pinned vCPUs. | Production | No | No |
| Cross-VM CPU Cache Attacks [7] [8] | Covert (local) and Side Channel | Yes | Measurement of the shared CPU cache access latency; this leaks timing data concerning cryptographic processes. | Pin vCPUs to separate pCPUs, block tsc instructions, and remove all timers. | Production | No | No |
| Keyboard/Mouse Input Fingerprinting [9] | Behavioral Tracking | No | Timing of/between keystrokes and mouse movement speed/angles creates a unique individual pattern. | Abstract keyboard/mouse input into a network layer and the injection of random delays. [10] | Testing | Testing | No |

Numerous other advanced attacks have not been included in the above table because they have easy fixes, such as avoiding certain unsafe hypervisor features.
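The keystroke-timing row above can be illustrated with a small model of both the fingerprint (inter-keystroke intervals) and the listed mitigation (random delays injected before input is forwarded). This is an added example, not code from the Whonix project; the typing traces are constructed sample data and the distance metric is a deliberately simple stand-in for a real biometric classifier.

```python
"""Model of keystroke-timing fingerprinting and the random-delay mitigation."""
import random

# Constructed sample traces: absolute key-press times (ms) for one short phrase.
# Two sessions of the same typist share a rhythm; a second typist differs.
USER_A_SESSION1 = [0, 180, 340, 610, 790, 960, 1240]
USER_A_SESSION2 = [0, 175, 350, 600, 800, 955, 1250]
USER_B_SESSION1 = [0, 120, 260, 410, 560, 690, 830]


def intervals(times):
    """Inter-keystroke intervals: the raw material of a timing fingerprint."""
    return [later - earlier for earlier, later in zip(times, times[1:])]


def distance(times_x, times_y):
    """Mean absolute difference between two interval vectors of equal length.

    A small distance means the two traces share the same typing rhythm.
    """
    ix, iy = intervals(times_x), intervals(times_y)
    if len(ix) != len(iy):
        raise ValueError("traces must contain the same number of keystrokes")
    return sum(abs(a - b) for a, b in zip(ix, iy)) / len(ix)


def add_random_delays(times, max_delay_ms, rng):
    """Delay each keystroke by a random amount before forwarding it.

    Delivery order is preserved: a key whose random delay is short never
    overtakes an earlier key that drew a long delay. The forwarded intervals
    therefore no longer reflect the typist's natural rhythm.
    """
    delivered = []
    last_delivery = float("-inf")
    for t in times:
        candidate = t + rng.uniform(0, max_delay_ms)
        last_delivery = max(last_delivery, candidate)
        delivered.append(last_delivery)
    return delivered


if __name__ == "__main__":
    print("A1 vs A2 (same typist):", distance(USER_A_SESSION1, USER_A_SESSION2))
    print("A1 vs B  (other typist):", distance(USER_A_SESSION1, USER_B_SESSION1))
    blurred = add_random_delays(USER_A_SESSION1, 200, random.Random(7))
    print("A1 intervals after random delays:", intervals(blurred))
```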

Other Deanonymization Vectors

High-risk users should familiarize themselves with other attack vectors that can lead to deanonymization or other harmful outcomes.

  • Time-related Attacks: These are in a class of their own. In simple terms, insecure time synchronization and the leaking of time data can result in deanonymization. Although documented separately, time attacks have some overlap with factors outlined here.
  • Tor Ecosystem Attacks: Advanced adversaries are capable of attacking the Tor client, server and/or network (sometimes in combination) to identify users and/or servers in specific situations.

Development

Footnotes

Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP. Whonix is a trademark. Whonix is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix itself. (Why?)