Advanced Deanonymization Attacks
This page aims to track and document advanced attacks that also affect virtualized and anonymous systems like Whonix. Attacks discussed here tend to have very high accuracy and are easily feasible to devastating effect. They are mostly about abusing the underlying hardware design to undermine isolation barriers imposed by the software stack above. Exploiting buggy software remains the lowest hanging fruit for network adversaries, however we expect to see them expand their toolbox to include vectors like these because of the low to none chances of discovery.
Some definitions: Side Channels allow a malicious process to spy on events/data outside the VM. Local Covert Channels require collaboration between a malicious VM and an infected victim VM to leak confidential data. Network Covert Channels only require that a compromised VM induce identifiable changes in network traffic that are immediately visible to adversaries that surveil the network. Behavioral tracking (also called biometric tracking) relies on spying on how you interact with your devices rather than looking at the unique identifiers at the device, protocol or application levels.
|CPU-induced network latency||TCP ISNs and temperature induced clock skews||DRAMA Cross-CPU attacks||Cross-VM CPU cache attacks||Keyboard/Mouse input fingerprinting|
|Attack Type||Covert Channel (network)||Covert Channel (network)||Covert (local) and Side Channel||Covert (local) and Side Channel||Behavioral Tracking|
|requires local compromise||No||No||Yes||Yes||No|
|Attack Summary||CPU load induces notice-able latency in network packets.||CPU load skews clock crystal frequency. Changes detectable in TCP ISN field.||Timing shared memory bank accesses allows data leaks also snooping on keystrokes.||Shared CPU cache access latency leaks timing data of crypto processes.||Timing of/between keystrokes and mouse movement speed/angles create individually unique patterns.|
|Mitigation||Queue and release packets randomly with Netfilter.||Rewrite TCP ISNs to conceal timer skews.||Block clflush and tsc instructions. Remove all timers. Avoid multi-threading VMs. Alternatively use non-interleaved NUMA with pinned vCPUs.||Pin vCPUs to separate pCPUs. Block tsc instructions. Remove all timers.||Abstract keyboard/mouse input into a network layer and inject random delays.|
|Fix Stage - Whonix KVM||Near Production||Planning||Production||Production||Planning|
|Fix Stage - Whonix VirtualBox||Near Production||Planning||-||-||Planning|
|Fix Stage - Qubes-Whonix||Near Production||Planning||-||-||Planning|
Time related attacks are a large class of their own, documented separately with some overlap here.
There are other advanced attacks not included in the table above but have had easy fixes such as avoiding some features of the hypervisor.
- Hello from the Other Side: SSH over Robust Cache Covert Channels in the Cloud newer covert channel attack that needs same conditions of shared CPU cache
- Removing fine-grained timers helps here too.
This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! See Conditions for Contributions to Whonix, then Edit! IP addresses are scrubbed, but editing over Tor is recommended. Edits are held for moderation.