Jump to: navigation, search

Template:Verifiable Ovas Introduction

Whonix has a feature which allows the community to check that Whonix .ova[1] releases are verifiably created from project's own source code. We call this verifiable builds. This only proves that the person and machine[2] building Whonix has added nothing malicious, such as a backdoor[3]. It doesn't prove, that there are no backdoors in Debian. This isn't possible, because neither Debian[4] nor any other operating system provides deterministic builds yet.[5] Rather this feature is no attempt to proof, that there aren't any vulnerabilities[6] in Whonix's or Debian. A remotely exploitable[7] bug in Whonix or Debian, a flaw in Whonix's firewall leaking traffic or code phoning home[8] the contents of your harddrive would still be fatal. A precondition so this feature can improve overall security is, that the community is auditing Whonix's and Debian's source code for being free of backdoors and vulnerabilities in the first place. In summary, we believe this feature is useful and can improve security, but however isn't a magical answer to all computer security and trust questions. The following table hopefully helps understanding what this feature achieves.

Whonix Tails Tor Browser Qubes OS TorVM corridor
Deterministic Builds[9] No No Yes [10] No Not applicable. [11]
Based on a Deterministically Built[9] Operating System No [12] No [12] Not applicable. No [12] No [12]
Verifiably no backdoor in the project's own source code Invalid [13] Invalid [13] Invalid [13] Invalid [13] Invalid [13]
Verifiably vulnerability[14] free No [15] No [15] No [15] No [15] No [15]
Verifiably no hidden source code[16] in upstream distribution/binaries[17] No [18] No [18] No [18] No [18] No [18]
Project's binary builds verifiably created from project's own source code (no hidden source code[16] in the project's own source code) No (Deprecated.) [19] No Yes No Not applicable. [11]

You might be curious, why Whonix is verifiable while neither Debian nor any other operating system is? This is because Whonix is very simple, to oversimplify it: Whonix is just a collection of configuration files and scripts, i.e. Whonix's source code does not contain any compiled code etc. On the other hand, Debian is a full operating system. And of course, without the great work of the Debian project and all the upstream projects, Whonix wouldn't exist.

This feature was first available with Whonix 8. Only users who download a new image can profit from this feature. Auditing versions older than Whonix 8 with this script is not possible.[20] [21]
  1. https://en.wikipedia.org/wiki/Open_Virtualization_Format
  2. Due to build machine compromise.
  3. https://en.wikipedia.org/wiki/Backdoor_(computing)
  4. Whonix is based on Debian.
  5. Some Debian developres are working on it, see Reproducible Builds.
  6. https://en.wikipedia.org/wiki/Vulnerability_(computing)
  7. https://en.wikipedia.org/wiki/Exploit_(computer_security)
  8. https://en.wikipedia.org/wiki/Phoning_home
  9. 9.0 9.1 Open Source does not automagically prevent backdoors, unless the user creates its own binaries from source code itself. The ones who compile, upload and distribute (also the webhost) the binaries could add a hidden code without publishing the backdoor code. Nothing prevents one to claim, that a certain binary has been built from a clean source code, while the binary was actually built by the source code plus the backdoor code. Also the ones who may have infected the build machine with a backdoor are in position to add a backdoor without the distributor being aware of it. Deterministic builds can detect backdoors. For more information on deterministic builds and why this is important, see:
  10. See Deterministic Builds Part One: Cyberwar and Global Compromise and Deterministic Builds Part Two: Technical Details.
  11. 11.0 11.1 Just shell scripts.
  12. 12.0 12.1 12.2 12.3 To be fair, there are no deterministically built operating system yet. It would take lots of effort to create one and its far from easy. There is work going on in Debian about reproducible builds, but it's far from done.
  13. 13.0 13.1 13.2 13.3 13.4 A backdoor can either be a vulnerability as in a bug in the source code. Vulnerabilities can get introduced by accident (human error) or on purpose. Once the software has been deployed and the vulnerability has been found, it might happen, that an attacker uses an exploits to gain unauthorized access. Such vulnerabilities (or purposely planted backdoors) can, with cleverness, be planted in Open Source code plain sight, while being very difficult and unlikely to be spotted by people looking at the code. Examples: Another form of a backdoor is adding the full code (or binary) of trojan horse (computer virus) to the binary build, while not publishing the extra source code and keeping that secret code. The latter, can only be detected with Deterministic Builds, which are discussed above.
    Therefore it is impossible to claim that non-trivial source code is backdoor free, because a backdoors can be hidden as vulnerabilities. Auditors scrutinizing the source code can only state their opinion about the quality of the source code and eventually report a vulnerability. It can only be reasonably easily checked, if the source code is free of computer viruses (for example, trojan horses), not backdoors.
  14. https://en.wikipedia.org/wiki/Vulnerability_(computing)
  15. 15.0 15.1 15.2 15.3 15.4 Although possible (in theory?), there are no mathematically proven bug free operating systems yet.
  16. 16.0 16.1 Hidden source code is defined as code, which gets added by an adversary, who compromised a build machine or by the person who builds (compiled) a binary builds before building the binary build. The secret source code will not be published and it will look like (or claimed) that the software was built from the source code, which has been published. The most reliable method to detect such hidden code (added on purpose or due to build machine compromise) is to compare Deterministic Builds, which are discussed above. (Other methods, such watching the traffic, only have good chances to spot a backdoor, when the backdoor is used in many cases. Even less likely backdoors are found through reverse engineering, because very few people are using a disassembler.
  17. The upstream distribution is the distribution on which the project is based on. Whonix and Tails are based on Debian, thus Debian is their upstream distribution. QubesOS TorVM is based on Qubes OS, which itself is based on Fedora and Xen.
  18. 18.0 18.1 18.2 18.3 18.4 No, since the upstream software is not deterministically built. See above to learn about Deterministic Builds.
  19. See Trust#Verifiable Builds.
  20. Not possible doesn't mean impossible here. Would just involve lots of work.
  21. Because in order to implement the verifiable builds feature, we need to get rid of lots of non-deterministic auto-generated files at the end of the build process and to re-create them during first boot.