
Dev/Advanced Deanonymization Attacks

From Whonix


Covert Channels

This page is a brain-dump of all known covert channels and mitigation ideas. A brushed-up version for users will be written later, when countermeasures are deployed.

See also:
Advanced Deanonymization Attacks

ticket:
Covert Channels Meta Ticket

Topics

Intro

Choices: some channels can be eliminated outright, others need to be degraded sufficiently. The good news is that it is possible to defend against them all, but not without cost.


All problems are linked (keystroke dynamics, CPU-induced network latency, TCP ISN CPU-temperature-induced timer skew, DRAMA cross-VM keystroke monitoring, CPU-cache crypto side channels).

Covert channels are part of the TEMPEST category of attacks. Cryptographers have had to deal with them forever, but they pose serious problems for systems aiming to isolate untrusted malicious processes. They can be classified as snooping on activity outside a VM or being able to communicate secretly with the outside world.


Keystroke fingerprinting:


Excellent paper on covert channels in general:

https://www.usenix.org/legacy/events/sec06/tech/shah/shah_html/jbug-Usenix06.html

CPU stress as a solution for keystroke timing? Not effective.


Question: how to delay keystrokes?

https://stackoverflow.com/a/33134735

Answer: funnel all system input events through a local network interface into which random latency is injected. Do it on the host so it is system wide.

uinput is the kernel input device API, but writing a program that does this directly needs C expertise.


usbip? In mainline. Not a solution for PCI input devices, which most PCs have.

Network latency: iperf stress tool or Ethan's netfilter_queue solution.

alternatives: https://superuser.com/questions/67659/linux-share-keyboard-over-network https://unix.stackexchange.com/questions/46363/share-keyboard-over-network-as-separate-device https://github.com/Blub/netevent/wiki/Share-devices-over-the-net

netevent cobbles a netcat host/client together. Set it up on loopback: run it as a service with the client on localhost, then apply netfilter queueing on loopback to introduce random delays. Pros: kernel solution, display server agnostic (it uses the uinput interface to capture all events).
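Added example, not code from the Whonix wiki, netevent or netfilter_queue: a simulation of the random delay a loopback queue between the netevent sender and receiver would have to apply to input events, run over a constructed keystroke sample. The delay bounds and the typing rhythm are assumptions; what it adds beyond the text is that independently delaying each event can reorder a key-down and its key-up, so the delay has to be clamped to preserve order.

```python
import random
from dataclasses import dataclass

@dataclass(frozen=True)
class KeyEvent:
    t_ms: float     # time the source device emitted the event
    code: str       # key code, e.g. "KEY_W"
    pressed: bool   # True for key-down, False for key-up

def jitter_schedule(events, min_delay_ms, max_delay_ms, rng):
    """Return [(forward_time_ms, event)] in forwarding order. Each event gets
    its own uniform random delay, clamped so it never leaves before the event
    ahead of it: delaying packets independently (as a naive per-packet queue
    rule would) can swap a key-down and its key-up."""
    scheduled, last_out = [], float("-inf")
    for ev in sorted(events, key=lambda e: e.t_ms):
        out = max(ev.t_ms + rng.uniform(min_delay_ms, max_delay_ms), last_out)
        scheduled.append((out, ev))
        last_out = out
    return scheduled

def intervals(times):
    """Inter-event gaps: the feature keystroke-dynamics fingerprinting uses."""
    return [b - a for a, b in zip(times, times[1:])]

def gap_distortion(events, scheduled):
    """Mean absolute change (ms) between original and forwarded inter-event
    gaps: 0 means the delay masked nothing, larger means more masking."""
    orig = intervals([e.t_ms for e in sorted(events, key=lambda e: e.t_ms)])
    fwd = intervals([t for t, _ in scheduled])
    return sum(abs(a - b) for a, b in zip(orig, fwd)) / len(orig)

# Constructed sample (not captured data): typing "whonix" with a made-up
# rhythm given as (key, hold time ms, gap to the next key ms).
SAMPLE, _t = [], 0.0
for _code, _hold, _gap in [("KEY_W", 80, 130), ("KEY_H", 70, 95), ("KEY_O", 90, 210),
                           ("KEY_N", 60, 110), ("KEY_I", 75, 85), ("KEY_X", 85, 0)]:
    SAMPLE.append(KeyEvent(_t, _code, True))
    SAMPLE.append(KeyEvent(_t + _hold, _code, False))
    _t += _hold + _gap

def demo(min_delay_ms=20, max_delay_ms=120, seed=1):
    """Schedule SAMPLE with a fixed seed so runs are reproducible."""
    return jitter_schedule(SAMPLE, min_delay_ms, max_delay_ms, random.Random(seed))

if __name__ == "__main__":
    for out, ev in demo():
        print(f"{ev.t_ms:7.1f} -> {out:7.1f}  {ev.code} {'down' if ev.pressed else 'up'}")
    print("mean gap change:", round(gap_distortion(SAMPLE, demo()), 1), "ms")
```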


New research results on obfuscation, but no working tool. Contact them and ask if they can write one?

https://github.com/vmonaco/keystroke-obfuscation

https://github.com/vmonaco/keystroke-obfuscation/issues/1



Block TCP ISNs at the firewall? Rewrite TCP ISNs?

Not possible, and they are needed for security anyway; they are part of all modern OSs.

https://events.ccc.de/congress/2006/Fahrplan/attachments/1211-23c3hotornotpres.pdf

https://events.ccc.de/congress/2006/Fahrplan/events/1513.en.html

https://events.ccc.de/congress/2005/fahrplan/events/798.en.html

http://sec.cs.ucl.ac.uk/users/smurdoch/talks/eurobsdcon07hotornot.pdf


https://www.lightbluetouchpaper.org/2006/09/04/hot-or-not-revealing-hidden-services-by-their-clock-skew/


23C3 Slide 30:

Run CPU at full load. Inefficient and must be done with care since different types of tasks can have varying temperature effects

CPU stress must be full load (what about C-states and temperature? Is there a technique less damaging to hardware?). This is the mitigation for the TCP ISN channel: it maintains a constant CPU temperature and hence foils skew patterns in the timer/crystal clock.

Run on the host, out of reach of malicious code in the VM.


CPU activity induced latency:

QoS solution by Ethan White

Concept originally proposed in the 23C3 slides and now realized.

Status: Awaiting deployment as a host and GW package.



Very dangerous: a process in an anonymous VM can sniff keystrokes in other VMs, unmasking the user and stealing user data. Scenario: JS in a browser can pull this off:

https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/pessl

Test PoC: https://github.com/IAIK/drama

Memory stress: DRAMA attack mitigation. From the paper:

stress -m 2 in parallel (i.e., the attacker's core is under stress) made any measurements impossible. While no false positive detections occurred, only 9 events were correctly detected. Thus, our attack is susceptible to noise especially if the attacker only gets a fraction of CPU time on its core.


NUMA combined with CPU pinning is also described as a valid mitigation. The problem is that NUMA environments exist, for the most part, only on server systems.

Run on the host, out of reach of malicious code in the VM.


"In this attack, the spy and the victim can run on separate CPUs and do not share memory, i.e., no access to shared libraries and no page deduplication between VMs."


Crypto side channels:

vCPU pinning to physical cores to guarantee no cross-cache attacks on crypto and to make other attacks harder.


