Anti-Forensics Precautions when using Whonix ™ VMs in Live Mode

From Whonix



Introduction[edit]

Non-Qubes-Whonix ™ users have the option of booting into live mode. When using this feature in Whonix ™ VMs, precautions should still be taken on trusted systems (like GNU/Linux hosts) to prevent leaving traces -- proprietary operating systems such as Windows and macOS are a lost cause.

At the moment there is only one advantage of this configuration compared to running grub-live on the host -- achieving selective amnesia for some virtual machines (VMs) while others remain persistent. This section is a work in progress and not exhaustive.

When Whonix ™ is run as a live system, all changes are written to non-persistent memory (RAM) by default. However, it is possible for this design to be bypassed by malware, swap files, core dumps and other relevant configurations that are in effect. Fortunately, most of these can be disabled. [1] [2] [3] [4]

To prevent malware from remounting the hard drive as read-write, it is highly recommended to use read-only hard drive mode. This raises the bar because malware would need to break out of the VM to gain persistence. To stymie disk forensics, apply full disk encryption on the host and power the computer off when not in use.

Alternatively, or in addition to full disk encryption, the entire host operating system could be run in live mode. In this configuration, all writes are redirected to non-persistent memory (RAM). Running the host operating system in live mode is best combined with a correctly implemented write protection switch; this is not required but highly recommended.

To make memory forensics harder, the machine should be removed from any power source by pulling the power plug. In the case of notebooks, the battery should be removed. [5]

Swap[edit]

Warning: Tails documentation notes that host swapping may be the biggest threat to anti-forensics on Linux when running in a VM; see Security Considerations [archive]. [6]

Disabling Swap for an Entire System[edit]

Turning off swap for the whole system may cause system instability or crashes if the RAM hard limit is reached. However, the ample RAM in modern systems makes this unlikely, and it is worth the trade-off. [7] Disabling swap also disables the hibernation functionality.

Host[edit]

On the host

1. Disable swap either temporarily or persistently.

The following command disables all swap devices and files for the duration of the current session.

sudo swapoff -a

To disable swap in a persistent way, edit the fstab file and comment out the line (using #) with the swap partition.

sudo nano /etc/fstab

2. Save and reboot.

3. Confirm swap is disabled.

To check that it is off, run the free command; the Swap line should show zeros.

free -h

TODO: the existing swap partition should be securely wiped since sensitive information like encryption keys might have already leaked there.
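The following script is an added example and is not part of the Whonix wiki page; it automates the "confirm swap is disabled" step above. It checks both places where swap can come back: uncommented swap entries in /etc/fstab (which would re-enable swap at the next boot) and currently active swap areas listed in /proc/swaps. The function names and the optional path arguments (used so the checks can be run against sample files) are the example's own choices.

```shell
# Added example (not from the Whonix wiki): audit a Linux host for swap.
# All functions read from stdin or from a path argument so they can be
# exercised against constructed sample files as well as the live system.

# Print the uncommented fstab lines whose filesystem-type field is "swap".
# fstab text is read from stdin.
active_fstab_swap_entries() {
    awk '$1 !~ /^#/ && $3 == "swap" { print }'
}

# Count the swap areas listed in /proc/swaps text on stdin.
# The first line of /proc/swaps is a header and is skipped.
count_active_swaps() {
    awk 'NR > 1 && NF > 0 { n++ } END { print n + 0 }'
}

# Audit the host. $1 is the fstab path (default /etc/fstab), $2 the
# /proc/swaps path (default /proc/swaps). Returns 0 only when no swap is
# configured persistently and none is currently active.
audit_swap() {
    fstab="${1:-/etc/fstab}"
    swaps="${2:-/proc/swaps}"
    status=0

    entries=$(active_fstab_swap_entries < "$fstab")
    if [ -n "$entries" ]; then
        echo "$fstab still enables swap at boot; comment out with #:"
        echo "$entries"
        status=1
    fi

    if [ "$(count_active_swaps < "$swaps")" -ne 0 ]; then
        echo "swap is currently active (see $swaps); run: sudo swapoff -a"
        status=1
    fi

    [ "$status" -eq 0 ] && echo "swap is disabled"
    return "$status"
}

# Run against the live system only when invoked with --run, so that sourcing
# the file for testing has no side effects.
if [ "${1:-}" = "--run" ]; then
    audit_swap
fi
```

Run it as `sh audit_swap.sh --run` after the reboot in step 2; a zero exit status confirms the result that `free -h` shows interactively. Wiping the old swap partition (the TODO above) is deliberately not automated here.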

KVM[edit]

Disabling swapping selectively for KVM VMs

An alternative KVM-only solution is to set guest memory pages as 'locked'. [8] [9]

<memoryBacking><locked/></memoryBacking>

This option is not without disadvantages: a malicious guest can abuse it to exhaust host RAM, denying service to the host. [10]

Note: Setting vm.swappiness = 0 does not completely prevent swapping. [11]
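The following script is an added example and is not part of the Whonix wiki page or of libvirt. It reads a domain definition of the kind `virsh dumpxml <name>` produces and reports whether guest memory is locked without the `hard_limit` that footnote 10 recommends as a mitigation for the host denial-of-service risk. The function names, the `--run` convention, and the classification labels are the example's own; `<memtune><hard_limit>` is libvirt's element as described in the memory tuning documentation cited in footnote 10.

```shell
# Added example (not from the Whonix wiki or libvirt): audit libvirt domain
# definitions for <locked/> guest memory that lacks a memtune hard_limit.

# Exit 0 when the domain XML on stdin locks guest pages in host RAM.
domain_locks_memory() {
    grep -q '<locked/>'
}

# Exit 0 when the domain XML on stdin sets a memtune hard_limit.
domain_has_hard_limit() {
    grep -q '<hard_limit'
}

# Classify the domain XML read from stdin; prints one of
#   unlocked           - no <locked/>, host may swap guest pages
#   locked-with-limit  - <locked/> and a hard_limit present (recommended pairing)
#   locked-no-limit    - <locked/> without hard_limit (host RAM exhaustion risk)
classify_domain() {
    xml=$(cat)
    if ! printf '%s\n' "$xml" | domain_locks_memory; then
        echo unlocked
    elif printf '%s\n' "$xml" | domain_has_hard_limit; then
        echo locked-with-limit
    else
        echo locked-no-limit
    fi
}

# Print the memtune fragment to add alongside <memoryBacking><locked/></memoryBacking>.
# $1 is the limit in KiB; it must cover guest RAM plus the QEMU process's own
# overhead, which is why footnote 10 says the value is environment-specific.
memtune_fragment() {
    printf '<memtune>\n  <hard_limit unit="KiB">%s</hard_limit>\n</memtune>\n' "$1"
}

# Classify every defined domain on this host (requires virsh).
audit_all_domains() {
    for dom in $(virsh list --all --name); do
        printf '%s: %s\n' "$dom" "$(virsh dumpxml "$dom" | classify_domain)"
    done
}

if [ "${1:-}" = "--run" ]; then
    audit_all_domains
fi
```

A domain reported as `locked-no-limit` is the configuration footnote 10 discourages; adding the fragment printed by `memtune_fragment` (with a limit sized for that guest) keeps the swap protection while bounding what the guest can pin in host memory.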

Disabling Program Crash Dumps[edit]

Besides swap, there is the separate problem of process memory being dumped to disk, which must also be disabled.

Kernel

Kernel memory dumps are not enabled by default, so a user must go out of their way to enable them; Debian uses kdump-tools for this. [12]

Userspace

The default core dump file size is 0 on Debian Linux: [13]

ulimit -c
0

This setting applies to systemd-coredump too and can be verified by confirming that no core files appear in /var/spool or /var/lib/systemd/coredump when an intentional crash is induced (/var/crash does not exist in Debian but may be present in other Linux distributions). [14]

Disable setuid processes dumping their memory

Processes with elevated permissions (or the setuid bit) might still be able to perform a core dump, depending on other settings. These processes usually have more access and might hold more sensitive data in memory, so their dumping behavior should be restricted as well. The behavior can be altered with a sysctl key, or directly via the /proc file system. For permanent settings, the sysctl command and its configuration file are typically used. A setting is called a 'key', which has a related value attached to it (also known as a key-value pair).

To prevent programs with the setuid bit set from dumping core, set fs.suid_dumpable to zero:

sudo su

echo "fs.suid_dumpable=0" >> /etc/sysctl.conf

Reload the sysctl configuration with the -p flag to activate the change.

sysctl -p
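The following script is an added example and is not part of the Whonix wiki page; it verifies the three core-dump controls this section describes: the userspace core size limit (`ulimit -c`), the persistent fs.suid_dumpable setting in /etc/sysctl.conf, and the value the running kernel actually has in /proc/sys/fs/suid_dumpable. It catches the common gap where the line was appended to /etc/sysctl.conf but `sysctl -p` was never run, or where a later line in the file overrides an earlier one (sysctl applies the last assignment). The function names and the path arguments are the example's own; the kernel and /proc paths are the real ones.

```shell
# Added example (not from the Whonix wiki): audit core-dump controls on a
# Debian-style host. Paths default to the live system; the optional arguments
# let the checks run against constructed sample files.

# Print the effective value of sysctl key $1 from sysctl.conf-style text on
# stdin. Comment and blank lines are ignored and the last assignment wins,
# matching how sysctl -p applies the file. Prints nothing if the key is absent.
sysctl_conf_value() {
    awk -v k="$1" -F'=' '
        /^[[:space:]]*[#;]/ || NF < 2 { next }
        { gsub(/[[:space:]]/, "", $1); gsub(/^[[:space:]]+|[[:space:]]+$/, "", $2) }
        $1 == k { v = $2 }
        END { if (v != "") print v }'
}

# Exit 0 when the kernel value in file $1 (default: the live /proc entry) is 0,
# i.e. setuid processes may not dump core.
suid_dumpable_disabled() {
    f="${1:-/proc/sys/fs/suid_dumpable}"
    [ "$(cat "$f")" = "0" ]
}

# Audit the host. $1: sysctl.conf path, $2: /proc/sys/fs/suid_dumpable path,
# $3: the core size limit to judge (default: this shell's own ulimit -c).
# Returns 0 only when all three controls are in the disabled state.
audit_core_dumps() {
    conf="${1:-/etc/sysctl.conf}"
    procfile="${2:-/proc/sys/fs/suid_dumpable}"
    climit="${3:-$(ulimit -c)}"
    status=0

    [ "$climit" = "0" ] || {
        echo "ulimit -c is $climit; expected 0"; status=1; }

    conf_val=$(sysctl_conf_value fs.suid_dumpable < "$conf")
    [ "$conf_val" = "0" ] || {
        echo "$conf does not set fs.suid_dumpable=0 (found '${conf_val:-unset}')"; status=1; }

    suid_dumpable_disabled "$procfile" || {
        echo "running kernel has fs.suid_dumpable=$(cat "$procfile"); run: sudo sysctl -p"; status=1; }

    [ "$status" -eq 0 ] && echo "core dumps of setuid processes are disabled"
    return "$status"
}

if [ "${1:-}" = "--run" ]; then
    audit_core_dumps
fi
```

Run as `sh audit_core_dumps.sh --run` after the `sysctl -p` step. Note that `ulimit -c` reports the limit of the shell running the script, so the check reflects the session it is run from, not every login shell on the machine.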

Footnotes[edit]

  1. Is there a Whonix ™ Amnesic Feature / Live CD / Live DVD? What about Forensics?
  2. Whonix ™ is not Amnesic
  3. Encrypted Guest Images: Other Security Considerations
  4. Core Dumps
  5. And/or the memory should be wiped upon shutdown. This is a theoretical mechanism at present because it is undocumented. https://forums.whonix.org/t/is-ram-wipe-possible-inside-whonix/5596 [archive]
  6. Linux also uses swapping despite having apparent "free" memory. The kernel tends to swap out long-inactive and memory-consuming processes. This frees up RAM for caches and therefore improves responsiveness.
  7. https://superuser.com/questions/243357/how-to-prevent-a-specific-program-from-swapping [archive]
  8. https://serverfault.com/questions/561446/how-can-i-keep-important-vms-in-memory-without-disabling-swap [archive]
  9. https://libvirt.org/formatdomain.html#elementsMemoryBacking [archive]
  10. When set and supported by the hypervisor, memory pages belonging to the domain will be locked in the host's memory and the host will not be allowed to swap them out, which might be required for some workloads such as real-time. For QEMU/KVM guests, the memory used by the QEMU process itself will be locked too: unlike guest memory, this is an amount libvirt has no way of figuring out in advance, so it has to remove the limit on locked memory altogether. Thus, enabling this option opens up to a potential security risk: the host will be unable to reclaim the locked memory back from the guest when it is running out of memory. This means a malicious guest allocating large amounts of locked memory could cause a denial-of-service attack on the host. Due to the risk, this option is discouraged unless your workload demands it. Even then, to mitigate these risks it is strongly recommended to set a `hard_limit` (see memory tuning [archive]) on memory allocation suitable for the specific environment at the same time.
  11. https://superuser.com/questions/760102/why-do-i-get-swapping-even-if-i-set-vm-swappiness-to-0 [archive]
  12. https://www.bentasker.co.uk/documentation/linux/312-installing-and-configuring-kdump-on-debian-jessie [archive]
  13. https://nanxiao.me/en/enable-generating-core-dump-file-on-debian-linux/ [archive]
  14. https://linux-audit.com/understand-and-configure-core-dumps-work-on-linux/#linux-and-core-dumps [archive]

Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee [archive] of the Open Invention Network [archive]. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)