- 1 Operating System
- 1.1 Introduction
- 1.2 Why don't you use <your favorite most secure operating system> for Whonix?
- 1.3 Switch from Ubuntu to Debian
- 1.4 About Debian
- 1.5 Comparison of Hardening Compile Flags
- 2 See Also
- 3 Footnotes
This chapter applies to the host(s), Whonix-Gateway and Whonix-Workstation.
Whonix Example Implementation is currently based on Debian. There were development discussions about switching to BSD, Alpine Linux or other secure operating systems.
Whonix can't protect against malicious code inserted into upstream operating system infrastructure. Debian ensures some chain of trust as it requires contributors to sign commits.
Why don't you use <your favorite most secure operating system> for Whonix?
Why do you use Debian, and not...
The operating system must have
- acceptable usability
- must be somewhat popular, because only that leads to sufficient public scrutiny and enough available documentation.
- For redistribution of Whonix, there may also not be any legal/trademark issues such as with Ubuntu. (See "Switch from Ubuntu to Debian" chapter below).
- Must have a secure operating system updater (package manager), i.e. must not fall through the TUF Threat Model (w). Not having a secure updater is very dangerous (w).
- Source based distributions take a long time for upgrading and installation of packages, which users complain about. The same or even better security characteristics can be reached with deterministic (reproducible) builds.
Debian is a good compromise of security and usability.
By the way, this chapter won't only include examples which fall through Whonix's threat model.
OpenBSD is recommended against, because it completely falls through the Whonix threat model, see FAQ entry: Why aren't you using OpenBSD, it is the most secure OS ever!!!1!
Ubuntu is not used as Whonix-Gateway/Workstation operating system for legal reasons (see below) and was lately negatively perceived due to privacy issues, so it is recommended against to use it as host operating system as well.
Mac OS X
Mac OS X can not be used for legal reasons. Even if that were not a problem, it is still a proprietary, closed source operating system, We don't like their attitude and how they (not) communicate with the security community. Also see: Apple Took 3+ Years to Fix FinFisher Trojan Hole.
Fedora yet did not fall through Whonix's threat model and could be considered as host and future or alternative Whonix-Gateway/Workstation operating system. Also Qubes OS, an operating system focusing on security by isolation, is based on Fedora. Started considering it, help welcome, see Dev/Fedora.
Implemented as Qubes-Whonix.
Gentoo / Hardened Gentoo
Insecure package manager. Back then bug reports got closed down without much regard.
- https://github.com/Whonix/Gentoo-Port/issues/19 - https://bugs.gentoo.org/show_bug.cgi?id=539954
- https://github.com/Whonix/Gentoo-Port/issues/10 - https://archives.gentoo.org/gentoo-portage-dev/message/94425239fcaedcee6c49ef398f12aa85
- [gentoo-portage-dev] Security and Comparison of Portage with other Package Managers: https://archives.gentoo.org/gentoo-portage-dev/message/bda425ee6c676ec7a6b3c9500a9b00bf
- [gentoo-portage-dev] Portage and Update Security: https://archives.gentoo.org/gentoo-portage-dev/message/94425239fcaedcee6c49ef398f12aa85
In this regard, Hardened Gentoo does not differ from Gentoo.
Due to the way these bug reports were handled, Gentoo was removed from the candidates of secure base operating systems.
Why not use a minimal Linux distribution? See Why are the Whonix images so big? There might be more secure operating systems, such as Hardenend Gentoo, but in Patrick's opinion mortal users are unlikely to learn how to use them. More paranoids (and others) are welcome to use them for example as host operating system and leave feedback. Patches/ports welcome! 
At first sight it looks like alpine's package manager suffers from the same issues as gentoo's. (Being vulnerable to indefinite freeze and downgrade attacks.) TODO research
The question to ask is "Does the package manager pass the TUF Threat Model?"
The Update Framework (TUF) - Attacks and Weaknesses:
(Made by similar people who created this research:
which resulted as far as I understand in greatly improved package manager security in many distributions.)
One can ask the TUF people, who are in my experience very friendly and helpful, for their opinion on their mailing list:
TODO: Check its package manager security. (See above.)
Switch from Ubuntu to Debian
Beginning from 0.4.4, Whonix Example Implementation is based on Debian. Previously it was based on Ubuntu. From technical view, Ubuntu was a good choice, see About Ubuntu if you are interested.
The switch was due to Ubuntu Trademark issues, see About Ubuntu Trademark. The terms are long and complicated. Since Whonix's changes are beyond a remix (as defined by Ubuntu Licensing), Whonix would either to have to ask for a license, which they reserve to revoke. Such a legally insecure state is not acceptable. Or Whonix would have to rebrand Ubuntu. It would be possible in theory, but in practice it would require a lot work to remove all Ubuntu strings. Even new apt mirrors would be required, which is much beyond the manpower of the Whonix project.
Debian is much more free. According to Debian project leader Stefano Zacchiroli (in private mail), there are no trademark issues as long as the derivative does not claim to be Debian. That is easy to fulfill.
Derivatives of Debian are even encouraged to use Debian infrastructure, see Derivatives/Guidelines. Debian even supports derivatives. There is a lot documentation, see Derivatives and even a debian-derivatives mailing list.
Whonix is based on Debian.
Reasons for being based on Debian:
- stable distribution
- exists for years
- will likely still be around in 10 years
- attempts to sow dissent failed 
- massive architecture support 
- secure package manager
- As per checksec.sh --kernel, reports good kernel protection: GCC stack protector support, enforce read-only kernel data, restrict /dev/mem and /dev/kmem access are all enabled.
- http://snapshot.debian.org, hosted and signed by a trusted third party (Debian) , allows implementation of robust build scripts  and Verifiable Builds
- config-package-dev allows creation of robust configuration packages
- grml-debootstrap is a tool that allows creation of bootable raw images
- Debian is working on ReproducibleBuilds
- huge knowledgeable community of Debian and their derivative users (stackexchange, debian forums, askubuntu and many more)
- Debian Developers are very approachable at conferences
- Tor has ties to Debian.
- No legal/trademark issues.
Related statements from the FAQ reasoning why Debian is the base for Whonix Example Implementation:
- Why are the Whonix images so big?
- Why not use a Live CDs as Whonix-Workstation operating system?
- Why is KDE (big) the default desktop environment? Why not use a minimal DE?
- Why aren't you using OpenBSD, it is the most secure OS ever!!!1!
General explanation, why so many distributions are based on Debian:
- Debian APT Key Revocation Procedure
- How (un)safe would Debian be when only using the security.debian.org repository?
Why is Whonix based on Debian Stable, not Debian Testing?
- Sometimes severe bugs are introduced in Debian testing, such as the AppArmor bug, which prevented Tor from starting for everyone until a workaround was applied.
- Sometimes bugs are introduced which break Whonix's build script, such as this bug related to mount, which breaks grml-debootstrap and therefore Whonix's build script or this kpartx bug.
- Often other disturbing bugs are introduced, such as the grub bug (not able to reproduce and report upstream yet), non-functional VirtualBox Guest Additions or issues with shared folders.
- Sometimes packages get entirely removed from Debian testing, such as enigmail wasn't available for a while in Debian testing. This is confusing and constantly creating support requests.
- Too often, too many packages are upgraded (not just security fixes) (costs lots of time to keep up, bandwidth, system load).
- obfs3 (obfsproxy 0.2.3) is available again in torproject's repository.
- Quote, Debian Security FAQ:
If you want to have a secure (and stable) server you are strongly encouraged to stay with stable.
- Debian stable receives security fixes faster than Debian testing. For example, by 12/15/2016 Debian jessie was Debian stable and Debian stretch was Debian testing. CVE-2016-1252 was fixed in Debian stable but not in Debian testing, see Debian security tracker by 12/15/2016.
The Debian popularity-contest (popcon) package does not get installed on Whonix. Installing it gets prevented by the anon-banned-packages package.
Some privacy considerations and reasons why it is not installed:
- The connection would obviously need to go over its own Tor circuit (stream isolation). At the moment popcon tries to go through http and if it fails (no internet connectivity) it goes into the mail queue. (sendmail) Sendmail probably works though TransPort, but we don't know if it can be torified for proper stream isolation.
- (From the popcon readme) "Each popularity-contest host is identified by a random 128bit uuid (MY_HOSTID in /etc/popularity-contest.conf)." - This would allow to enumerate a quite good guess about the amount number of Whonix users. We are not sure if sourceforge could already have an insight about that (due to Whonix News File downloads, see whonixcheck) or about any other negative implications.
- MY_HOSTID would probably get created at Whonix build time and all Whonix users would have the same MY_HOSTID, which would make it useless. A new MY_HOSTID would have to be created at first boot of Whonix.
- Popcon runs at a random day. Good.
- If the machine is powered on: it runs at 6:47, which is bad, because a local adversary (ISP or hotspot) could guess popcon runs over Tor which would likely be a Whonix user.
- If the machine is powered off at 6:47, it sends the report later, only if anachron is installed. It shouldn't run instantly after powering on, also for fingerprinting reasons. The time would have to be truly randomized.
The transmission is not encrypted, see popularity-contest should encrypt contents and it is not planned to encrypt it. Malicious Tor exit relays could modify the transmission, but this is only a minor issue. Such malicious Tor exit relays could send fake transmissions on their own.
- It is questionable if and if yes, how long Debian will accept popularity contest transmissions from Tor exit relays. There is potential for electoral fraud.
For these reasons it is not a good idea to add popcon to Whonix. If you have suggestions or a different view, please get in contact.
Comparison of Hardening Compile Flags
RELRO STACK CANARY NX PIE RPATH RUNPATH FILE Full RELRO Canary found NX enabled PIE enabled No RPATH No RUNPATH /usr/bin/curl RELRO STACK CANARY NX PIE RPATH RUNPATH FILE Partial RELRO Canary found NX enabled No PIE No RPATH No RUNPATH /usr/bin/gpg RELRO STACK CANARY NX PIE RPATH RUNPATH FILE Full RELRO Canary found NX enabled PIE enabled No RPATH No RUNPATH /usr/bin/gpg2 RELRO STACK CANARY NX PIE RPATH RUNPATH FILE Partial RELRO Canary found NX enabled No PIE No RPATH No RUNPATH /bin/sed RELRO STACK CANARY NX PIE RPATH RUNPATH FILE Full RELRO Canary found NX enabled PIE enabled No RPATH No RUNPATH /bin/grep RELRO STACK CANARY NX PIE RPATH RUNPATH FILE Full RELRO Canary found NX enabled PIE enabled No RPATH No RUNPATH /usr/bin/tor RELRO STACK CANARY NX PIE RPATH RUNPATH FILE Partial RELRO Canary found NX enabled No PIE No RPATH No RUNPATH /bin/bash RELRO STACK CANARY NX PIE RPATH RUNPATH FILE Partial RELRO Canary found NX enabled No PIE No RPATH No RUNPATH /usr/bin/gwenview RELRO STACK CANARY NX PIE RPATH RUNPATH FILE No RELRO Canary found NX enabled PIE enabled No RPATH No RUNPATH /usr/lib/iceweasel/iceweasel RELRO STACK CANARY NX PIE RPATH RUNPATH FILE Partial RELRO Canary found NX enabled No PIE No RPATH No RUNPATH /usr/lib/icedove/icedove
Securix (a derivative of Hardened Gentoo):
RELRO STACK CANARY NX PIE RPATH RUNPATH FILE Full RELRO Canary found NX enabled PIE enabled No RPATH No RUNPATH /usr/bin/curl Error: Not an ELF file: /usr/bin/gpg: symbolic link to gpg2 RELRO STACK CANARY NX PIE RPATH RUNPATH FILE Full RELRO Canary found NX enabled PIE enabled No RPATH No RUNPATH /usr/bin/gpg2 RELRO STACK CANARY NX PIE RPATH RUNPATH FILE Full RELRO Canary found NX enabled PIE enabled No RPATH No RUNPATH /bin/sed RELRO STACK CANARY NX PIE RPATH RUNPATH FILE Full RELRO Canary found NX enabled PIE enabled No RPATH No RUNPATH /bin/grep RELRO STACK CANARY NX PIE RPATH RUNPATH FILE Full RELRO Canary found NX enabled PIE enabled No RPATH No RUNPATH /usr/bin/tor RELRO STACK CANARY NX PIE RPATH RUNPATH FILE Full RELRO Canary found NX enabled PIE enabled No RPATH No RUNPATH /bin/bash TODO /usr/bin/gwenview RELRO STACK CANARY NX PIE RPATH RUNPATH FILE Full RELRO Canary found NX enabled PIE enabled No RPATH No RUNPATH /usr/lib64/firefox/firefox RELRO STACK CANARY NX PIE RPATH RUNPATH FILE Full RELRO Canary found NX enabled PIE enabled No RPATH No RUNPATH /usr/lib64/thunderbird/thunderbird
- Privacy in Ubuntu 12.10: Amazon Ads and Data Leaks
Examples of usability issues.
emerge firefox * There is NOT at least 4 GiB disk space at "/var/tmp/portage/www-client/firefox-31.5.0/temp"
What to do? Increase tmpfs size as per http://wiki.gentoo.org/wiki/Portage_TMPDIR_on_tmpfs.
- Debian is Free. Imagine how much money that must cost proprietary competiors from whom not all of them necessarily play by the law.
- Not just i386, amd64 and perhaps arm. Should any platform become "evil", Debian as the universal operating system offers options and is most likely to port to new platforms.
- From perspective of Whonix.
- Build script won't break due to upstream repository changes.
This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! See Conditions for Contributions to Whonix, then Edit! IP addresses are scrubbed, but editing over Tor is recommended. Edits are held for moderation.