Actions

Template

Verifiable Ovas Introduction


Whonix previously had a feature which allows the community to check that Whonix .ova [1] releases are verifiably created from the project's own source code - verifiable builds. [2] This only proves that the person and machine [3] building Whonix have not added anything malicious, such as a backdoor. [4] It does not prove there are no backdoors present in Debian. This is not possible, because neither Debian [5] nor any other operating system provides deterministic builds yet. [6]

This feature does not attempt to prove there are not any vulnerabilities present [7] in Whonix or Debian. Fatal outcomes are still possible via a remotely exploitable [8] bug in Whonix or Debian, a flaw in Whonix's firewall which leaks traffic, or code phoning home [9] the contents of the HDD/SSD. Community effort is a precondition to improved security with this feature, particularly auditing of Whonix and Debian source code to check for possible backdoors and vulnerabilities.

In summary, this feature is useful and potentially improves security, but it is not a magical solution for all computer security and trust issues. The following table helps to explain what this feature can achieve.

Table: Verifiable Builds Comparison

Whonix Tails Tor Browser Qubes OS TorVM corridor
Deterministic builds [10] No No (planned) [11] Yes [12] No Not applicable [13]
Based on a deterministically built [10] operating system No [14] No [14] Not applicable No [14] No [14]
Verifiably no backdoor in the project's own source code Invalid [15] Invalid [15] Invalid [15] Invalid [15] Invalid [15]
Verifiably vulnerability-free No [16] No [16] No [16] No [16] No [16]
Verifiably no hidden source code [17] in upstream distribution / binaries [18] No [19] No [19] No [19] No [19] No [19]
Project's binary builds are verifiably created from project's own source code (no hidden source code [17] in the project's own source code) No (deprecated) [20] No Yes No Not applicable [13]

Some readers might be curious why Whonix was previously verifiable, while Debian and other distributions are not. In short, this is because Whonix is uncomplicated by comparison. In simple terms, Whonix is a collection of configuration files and scripts, and the source code does not contain any compiled code and so on. In contrast, Debian is a full operating system, without which Whonix would not exist. [21]

This feature was first made available in Whonix 8. Only users who download a new image can profit from this feature. [22] It is not possible to audit versions older than Whonix 8 with this script. [23]

  1. https://en.wikipedia.org/wiki/Open_Virtualization_Format
  2. This feature only adds security if people actually use it. Do not assume that someone else will do it for you
  3. Due to build machine compromise.
  4. https://en.wikipedia.org/wiki/Backdoor_(computing)
  5. Whonix is based on Debian.
  6. Some Debian developers are steadily working on this long-term project, see: Reproducible Builds.
  7. https://en.wikipedia.org/wiki/Vulnerability_(computing)
  8. https://en.wikipedia.org/wiki/Exploit_(computer_security)
  9. https://en.wikipedia.org/wiki/Phoning_home
  10. 10.0 10.1 Open Source software does not automatically prevent backdoors, unless the user creates their own binaries directly from the source code. People who compile, upload and distribute binaries (including the webhost) could add hidden code, without publishing the backdoor. Anybody can claim that a certain binary was built cleanly from source code, when it was in fact built using the source code with a hidden component. Those deciding to infect the build machine with a backdoor are in a privileged position; the distributor is unlikely to become aware of the subterfuge. Deterministic builds can help to detect backdoors, since it can reproduce identical binary packages (byte-for-byte) from a given source. For more information on deterministic builds and why this is important, see:
  11. See Tails Roadmap.
  12. See Deterministic Builds Part One: Cyberwar and Global Compromise and Deterministic Builds Part Two: Technical Details.
  13. 13.0 13.1 corridor only uses shell scripts.
  14. 14.0 14.1 14.2 14.3 To be fair, there are no deterministically built operating systems yet. It is a difficult process and takes a lot of effort to complete. While Debian has around 22,000 reproducible packages in mid-2018, this work has been ongoing since 2013 and is far from done.
  15. 15.0 15.1 15.2 15.3 15.4 The first form of backdoor is a vulnerability (bug) in the source code. Vulnerabilities are introduced either purposefully or accidentally due to human error. Following software deployment, an attacker may discover the vulnerability and use an exploit to gain unauthorized access. Such vulnerabilities can be cleverly planted in plain sight in open source code, while being very difficult to spot by code auditors. Examples of this type of backdoor include: The second form of backdoor is adding the full code (or binary) of a trojan horse (computer virus) to the binary build, while not publishing the extra source code and keeping it secret. This process can only be detected with deterministic builds.
    It is therefore impossible to claim that non-trivial source code is backdoor-free, because backdoors can be hidden as vulnerabilities. Auditors scrutinizing the source code can only state an opinion about the quality of the source code, and eventually report vulnerabilities if/when they are identified. Assertions that source code is free of computer viruses (like trojan horses) is the only reasonable assertion that can be made.
  16. 16.0 16.1 16.2 16.3 16.4 Although theoretically possible, there are no mathematically proven bug-free operating systems yet.
  17. 17.0 17.1 Hidden source code is defined as code which is added by an adversary. They may have: compromised a build machine, conducted compiling prior to the binary build process, or be responsible for building the actual binary. The secret source code will remain unpublished and it will appear (or be claimed) that the software was built from the published source code. Reliably detecting such hidden code - added on purpose or due to build machine compromise - requires comparison with deterministic builds, which are discussed above. Other methods like watching network traffic are less reliable, since a backdoor can only be spotted when it is used. Backdoors are even less likely to be found through reverse engineering, because very few people are using a disassembler.
  18. The upstream distribution is the distribution on which the project is based. Whonix and Tails are based on Debian, thus Debian is their upstream distribution. QubesOS TorVM is based on Qubes OS, which is itself based on Fedora and Xen.
  19. 19.0 19.1 19.2 19.3 19.4 No, since the upstream software is not deterministically built. See above to learn about deterministic builds
  20. See verifiable builds.
  21. Whonix relies on the tireless efforts of Debian and other upstream projects.
  22. Because in order to implement the verifiable builds feature, a lot of non-deterministic, auto-generated files are removed at the end of the build process and re-created during first boot.
  23. It is not actually impossible, but it would require significant effort.