Advanced Deanonymization Attacks

From Whonix



This page aims to track and document advanced attacks [1] that also affect virtualized and anonymous systems like Whonix ™. The attacks discussed below tend to have a very high accuracy rate and can easily have a devastating impact on anonymity. The common thread among them is abuse of the underlying hardware design to undermine the isolation barriers imposed by the software stack operating above it. [2] Exploiting buggy software remains the lowest-hanging fruit for network adversaries, but they are expected to expand their toolbox and make more regular use of these vectors, since the chance of discovery is minimal to none.

Attack Definitions

Table: Common Attack Vectors causing Data Leakage

Attack Vector: Biometric Tracking
  Description: Behavioral tracking (also called biometric tracking) relies on spying on how users interact with their devices, [3] rather than looking at unique identifiers at the device, protocol or application level.

Attack Vector: Local Covert Channels
  Description: Local covert channels require collaboration between a malicious VM and an infected victim VM to leak confidential data.

Attack Vector: Network Covert Channels
  Description: Network covert channels only require that a compromised VM induce identifiable changes in network traffic that are immediately visible to adversaries surveilling the network.

Attack Vector: Side Channels
  Description: Side channel attacks allow a malicious process to spy on events or data outside the VM.

Attack Methodology

Advanced Remote Deanonymization Methods

Table: Advanced Remote Deanonymization Methods

Attack: CPU-induced Network Latency [4]
  Attack Class: Covert Channel (network)
  Attack Summary: CPU load induces a noticeable latency in ICMP network packets. [7]
  Mitigation: Add random delays per ICMP packet with tc-netem, or block the protocol on the host. No mitigation is needed for Whonix ™, since Tor is TCP only: the attack does not work over TCP, and tc-netem causes visible latency on streams while traffic is induced, harming anonymity and performance. [8]
  Whonix ™ KVM Mitigation: Unneeded [8]
  Whonix ™ VirtualBox Mitigation: Unneeded [8]
  Qubes-Whonix ™ Mitigation: Unneeded [8]

Attack: TCP ISNs and Temperature-induced Clock Skews [5]
  Attack Class: Covert Channel (network)
  Attack Summary: CPU load skews the clock crystal frequency; these changes are detectable in the TCP ISN field.
  Mitigation: Rewrite TCP ISNs to conceal timer skews.
  Whonix ™ KVM Mitigation: Production [10]
  Whonix ™ VirtualBox Mitigation: Production [10]
  Qubes-Whonix ™ Mitigation: No [12]

Attack: Keystroke Deanonymization [6]
  Attack Class: Behavioral Tracking
  Attack Summary: The timing of and between keystrokes creates a unique individual pattern.
  Mitigation: Abstract keyboard input into a network layer and inject random delays. [9]
  Whonix ™ KVM Mitigation: Production [11]
  Whonix ™ VirtualBox Mitigation: Production [11]
  Qubes-Whonix ™ Mitigation: No [12]

Attack: Mouse Fingerprinting
  Attack Class: Behavioral Tracking
  Attack Summary: The timing of and between mouse movements, including speed and angles, creates a unique individual pattern.
  Mitigation: Abstract mouse input into a network layer and inject random delays. [9]
  Whonix ™ KVM Mitigation: No
  Whonix ™ VirtualBox Mitigation: No
  Qubes-Whonix ™ Mitigation: No
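The keystroke and mouse mitigation in the table (hold each input event and release it after a random delay, without reordering events) is modelled below as an added example; this is illustrative code written for this page, not Whonix ™ code, and the typing burst it uses is constructed sample data. The leakage measure is the correlation between the original and released inter-event intervals, the feature that behavioral tracking keys on.

```python
import random

def inject_delays(arrivals, max_delay, rng=random.random):
    """Release times for input events arriving at `arrivals` (seconds, ascending).

    Every event is held for a delay drawn uniformly from [0, max_delay] seconds,
    and releases are forced to stay in arrival order so typed text is not
    reordered; that ordering constraint can stretch a single delay past max_delay.
    `rng` returns floats in [0, 1) and is injectable so results can be checked.
    """
    releases, last = [], float("-inf")
    for t in arrivals:
        last = max(last, t + max_delay * rng())
        releases.append(last)
    return releases

def intervals(times):
    """Inter-event intervals: the feature keystroke and mouse biometrics key on."""
    return [b - a for a, b in zip(times, times[1:])]

def pearson(xs, ys):
    """Pearson correlation; 0.0 when either series has no variance."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    return sxy / (sxx * syy) ** 0.5 if sxx and syy else 0.0

def timing_leakage(arrivals, releases):
    """How much of the user's rhythm an observer of the released events still sees:
    1.0 means the intervals are unchanged, values near 0 mean they are mostly masked."""
    return pearson(intervals(arrivals), intervals(releases))

# Constructed sample of one typing burst (seconds between key presses), not real data.
SAMPLE_INTERVALS = [0.12, 0.08, 0.31, 0.09, 0.15, 0.22, 0.07, 0.18, 0.40, 0.11, 0.13, 0.09]

def demo(max_delay=0.2, seed=1):
    """Obfuscate the sample burst and return the remaining timing correlation."""
    arrivals, t = [], 0.0
    for gap in [0.0] + SAMPLE_INTERVALS:
        t += gap
        arrivals.append(t)
    releases = inject_delays(arrivals, max_delay, random.Random(seed).random)
    return timing_leakage(arrivals, releases)

if __name__ == "__main__":
    print(f"remaining timing correlation: {demo():.2f}")
```

Raising max_delay masks more of the rhythm at the cost of input latency, which is the trade-off the mitigation has to balance.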

Advanced Local Deanonymization Methods

Table: Advanced Local Deanonymization Methods

Attack: DRAMA Cross-CPU Attacks [13]
  Attack Class: Covert Channel (local) and Side Channel
  Attack Summary: Timing of access to the shared memory bank permits data leaks, as well as snooping on keystrokes.
  Mitigation: Block the clflush and tsc instructions and remove all timers. Further, avoid multi-threading of VMs, or alternatively use non-interleaved NUMA with pinned vCPUs.
  Whonix ™ KVM Mitigation: No [16]
  Whonix ™ VirtualBox Mitigation: No
  Qubes-Whonix ™ Mitigation: No

Attack: Cross-VM CPU Cache Attacks [14] [15]
  Attack Class: Covert Channel (local) and Side Channel
  Attack Summary: Measurement of the shared CPU cache access latency leaks timing data about cryptographic processes.
  Mitigation: Pin vCPUs to separate pCPUs. Proper mitigations are added by upstream crypto library projects when attacks are discovered.
  Whonix ™ KVM Mitigation: Production
  Whonix ™ VirtualBox Mitigation: No
  Qubes-Whonix ™ Mitigation: No
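The pinning mitigation in both rows above (one vCPU per physical core, no VM sharing the SMT siblings of another VM's core) is worked through below as an added example for a KVM/libvirt host; this is illustrative code for this page, not Whonix ™ tooling. It assumes a Linux host exposing `thread_siblings_list` under sysfs and the libvirt `<cputune>`/`<vcpupin>` domain XML elements; the 8-thread topology it ships with is a constructed sample.

```python
from pathlib import Path

def parse_cpu_list(text):
    """Parse a Linux cpulist string such as '0,4-5' into a sorted list of ints."""
    cpus = set()
    for part in text.strip().split(","):
        if part:
            lo, _, hi = part.partition("-")
            cpus.update(range(int(lo), int(hi or lo) + 1))
    return sorted(cpus)

def physical_cores(sibling_lists):
    """Group hardware threads into cores; sibling_lists maps cpu -> the contents
    of its thread_siblings_list. Returns sorted tuples of threads per core."""
    return sorted({tuple(parse_cpu_list(text)) for text in sibling_lists.values()})

def read_host_topology(sysfs="/sys/devices/system/cpu"):
    """Read the real sibling lists from sysfs on a Linux host."""
    topology = {}
    for cpu_dir in Path(sysfs).glob("cpu[0-9]*"):
        siblings = cpu_dir / "topology" / "thread_siblings_list"
        if siblings.exists():
            topology[int(cpu_dir.name[3:])] = siblings.read_text()
    return topology

def pin_plan(sibling_lists, vcpus, reserved=()):
    """Map each vCPU to one pCPU on its own physical core, skipping any core
    that contains a reserved thread (for instance threads already pinned to
    another VM), so two VMs never share the cache or SMT resources of a core."""
    free = [c for c in physical_cores(sibling_lists) if not set(c) & set(reserved)]
    if len(free) < vcpus:
        raise ValueError(f"need {vcpus} free cores, only {len(free)} available")
    return {vcpu: core[0] for vcpu, core in zip(range(vcpus), free)}

def cputune_xml(plan):
    """Render the plan as a libvirt <cputune> fragment for the domain XML."""
    pins = [f"  <vcpupin vcpu='{v}' cpuset='{p}'/>" for v, p in sorted(plan.items())]
    return "\n".join(["<cputune>", *pins, "</cputune>"])

# Constructed sample: 4 cores with SMT, threads n and n+4 share a core (not a real host).
SAMPLE_TOPOLOGY = {cpu: f"{cpu % 4},{cpu % 4 + 4}" for cpu in range(8)}

if __name__ == "__main__":
    # Thread 0 is treated as already given to another VM, so core (0,4) is skipped.
    print(cputune_xml(pin_plan(SAMPLE_TOPOLOGY, vcpus=2, reserved=(0,))))
```

On a real host, replace SAMPLE_TOPOLOGY with read_host_topology() and pass the threads already pinned to other domains as `reserved`.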

Other Advanced Deanonymization Attacks

There are numerous other advanced attacks that have not been included in the tables above, because they have easy fixes, such as avoiding certain unsafe hypervisor features.

Other Deanonymization Vectors

High-risk users should familiarize themselves with other attack vectors that can lead to deanonymization or other harmful outcomes.

  • Time-related Attacks: These are in a class of their own. In simple terms, insecure time synchronization and the leaking of time data can result in deanonymization. Although documented separately, time attacks overlap with some of the factors outlined here.
  • Tor Ecosystem Attacks: Advanced adversaries are capable of attacking the Tor client, server and/or network (sometimes in combination) to identify users and/or servers in specific situations.

Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself.