
Whonix-Workstation Security

From Whonix

Whonix-Workstation ™ Security Introduction

Tip: Whonix ™ implementation examples are based on Debian. To use a customized Whonix-Workstation ™ VM based on other operating systems, see here. For technical design notes, see here.

If the Whonix-Workstation ™ (anon-whonix) VM is ever compromised, the attacker has access to all data it contains, including credentials, browser data and passwords. The real IP address is not leaked, since that would require a compromise of the Whonix-Gateway ™ (sys-whonix) VM, but the data obtained may still lead to identity disclosure.

Non-Qubes-Whonix

Best practice is to:

  1. Keep a clean master copy of the Whonix-Workstation ™ VM.
  2. Make snapshots / clones of the master copy.
  3. Only use the snapshots / clones for Internet activity.
  4. Periodically delete old snapshots / clones.

This way it is possible to 'rollback' -- use a new clean clone / snapshot VM -- after risky activity or if a system compromise is suspected. See the multiple VM Snapshots recommendation below.

Qubes-Whonix ™

Best practice is to:

  • Use DisposableVMs for all Internet activity; or
  • Periodically delete the Whonix-Workstation ™ AppVM(s) and create fresh instances from the Whonix-Workstation ™ TemplateVM.

AppArmor

It is recommended to enable the Whonix ™ AppArmor profiles which are available for various applications that are run in either the Whonix-Gateway ™ or Whonix-Workstation ™, such as Tor, Tor Browser, Thunderbird and others. The profiles are easy to apply and provide a considerable security benefit.

File Storage Location

It is unsafe to store files directly in the top level of the home folder (/home/user). [1] It is far better to use a sub-folder and store the file there, for example:

  • Non-ideal storage location: /home/user/some-document
  • Safer storage location: /home/user/my-documents/some-document

The following sub-folders in the home directory should also be avoided: [2]

  • ~/tmp
  • ~/Download
  • ~/Downloads
  • ~/download
  • ~/downloads
  • ~/Desktop

If files are downloaded to the ~/Downloads folder -- the only folder available if the Tor Browser AppArmor profile is enforced -- then move them elsewhere. A folder of your own choosing will keep its contents private from any confined application that is later (hypothetically) compromised.

Other folders that should also be avoided include: [3]

  • /media
  • /srv
  • /net

It is easy to choose folder names which are better than the default naming convention. Prepending or appending a random number or string to a folder name (such as my-) makes it unlikely that AppArmor profiles, or possibly other mandatory access control frameworks, will grant access to that folder by default.

Firejail

Introduction

According to the Firejail project page: [4]

Firejail is a SUID program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces and seccomp-bpf. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table. Written in C with virtually no dependencies, the software runs on any Linux computer with a 3.x kernel version or newer. The sandbox is lightweight, the overhead is low. There are no complicated configuration files to edit, no socket connections open, no daemons running in the background. All security features are implemented directly in Linux kernel and available on any Linux computer. The program is released under GPL v2 license.

Firejail has built-in profiles for a large number of popular Linux programs, including many which are used in Whonix ™. A small sample of the 100+ profiles includes: Chromium, CryptoCat, Dolphin, Evince, Firefox, HexChat, LibreOffice, Okular, Thunderbird, Transmission, VirtualBox, VLC and wget. [5]

Launch Firejailed Applications

In Qubes-Whonix ™, create a new Whonix-Workstation ™ AppVM based on any modified, cloned template(s) before running any applications. Never launch applications in the Whonix-Workstation ™ TemplateVM.

To run sandboxed applications, simply prefix the program command with "firejail" in a terminal. For example:

firejail evince
firejail vlc
firejail torbrowser

Running Tor Browser in a Firejail sandbox is recommended because it is an untrusted application with a huge attack surface -- it is frequently and successfully attacked in the wild. [6]

To confirm an application is sandboxed, open a terminal and run.

   firejail --tree

The output should show the application (Tor Browser in this example) is running in a Firejail container.

   XXXX:user:firejail torbrowser
   XXXX:user:/bin/bash /usr/bin/torbrowser
   XXXX:user:bash /home/user/.tb/tor-browser/Browser/start-tor-browser --all
   XXXX:user:./firefox --class Tor Browser -profile TorBrowser/Data/Browse

Additional Firejail Options

The full list of Firejail command line options can be found in the official documentation. Alternatively, run the following terminal command in Whonix-Workstation ™ (anon-whonix).

man firejail

Firejail has a host of additional security features. For instance, VLC could be run while blocking access to the Internet as follows.

firejail --net=none vlc

Similarly, the following commands would run Firefox or Tor Browser with seccomp restrictions and debug output. [7]

firejail --debug firefox
firejail --debug torbrowser

For a further technical discussion of Firejail containment options, see here. To build a customized Firejail profile for Tor Browser or other applications, follow these steps.

Automatically Prepend Tor Browser with Firejail

Starting with Whonix ™ 14, users can automatically prepend the Tor Browser binary with Firejail. [8] This setting can be used in either the TemplateVM or TemplateBasedVM (Qubes-Whonix ™: anon-whonix).

TemplateVM

This is useful in Whonix-Workstation ™ (whonix-ws-15).

Open /etc/torbrowser.d/50_user.conf in an editor with root rights.

This box uses lxsudo for root privilege escalation and mousepad as editor. These are examples; other tools can achieve the same goal. If these example tools are unavailable, or Whonix is not in use, use one of the alternatives listed below.

The easiest option is to install these example tools (lxsudo and mousepad) so the following instructions can be copied and pasted as written.

Update the package lists.

sudo apt-get update

Upgrade the system.

sudo apt-get dist-upgrade

Install the lxsudo and mousepad packages without their recommended packages.

sudo apt-get install --no-install-recommends lxsudo mousepad

The procedure is complete.

Alternatively you could also use other tools which may already be installed by default.

gksudo gedit /etc/torbrowser.d/50_user.conf

sudoedit /etc/torbrowser.d/50_user.conf

If you are using a graphical Whonix or Qubes-Whonix ™ with XFCE, run.

lxsudo mousepad /etc/torbrowser.d/50_user.conf

If you are using a terminal-only Whonix, run.

sudo nano /etc/torbrowser.d/50_user.conf

Paste.

tb_starter_bin_pre="firejail"

Save.

TemplateBasedVM

In Qubes-Whonix ™, this is useful in anon-whonix.

Open /rw/config/torbrowser.d/50_user.conf in an editor with root rights.

This box uses lxsudo for root privilege escalation and mousepad as editor. These are examples; other tools can achieve the same goal. If these example tools are unavailable, or Whonix is not in use, use one of the alternatives listed below.

The easiest option is to install these example tools (lxsudo and mousepad) so the following instructions can be copied and pasted as written.

Update the package lists.

sudo apt-get update

Upgrade the system.

sudo apt-get dist-upgrade

Install the lxsudo and mousepad packages without their recommended packages.

sudo apt-get install --no-install-recommends lxsudo mousepad

The procedure is complete.

Alternatively you could also use other tools which may already be installed by default.

gksudo gedit /rw/config/torbrowser.d/50_user.conf

sudoedit /rw/config/torbrowser.d/50_user.conf

If you are using a graphical Whonix or Qubes-Whonix ™ with XFCE, run.

lxsudo mousepad /rw/config/torbrowser.d/50_user.conf

If you are using a terminal-only Whonix, run.

sudo nano /rw/config/torbrowser.d/50_user.conf

Paste.

tb_starter_bin_pre="firejail"

Save.

Debug

To debug any problems, run.

bash -x torbrowser

Firejail Firefox-ESR in Qubes Debian AppVM

Warning: Do not use Firefox-ESR in a Whonix ™ template! It is easily fingerprinted and is less secure than Tor Browser.

It is recommended to clone the Debian TemplateVM before proceeding, as a number of dependencies are installed:

The output should confirm Firefox-ESR is now running in a firejail container.

   XXXX:user:firejail /usr/lib/firefox-esr/firefox-esr

Hardened Malloc

Introduction

Hardened malloc ('hardened_malloc') is a hardened memory allocator created by security researcher Daniel Micay.

According to the author's GitHub description: [9]

This is a security-focused general purpose memory allocator providing the malloc API along with various extensions. It provides substantial hardening against heap corruption vulnerabilities. The security-focused design also leads to much less metadata overhead and memory waste from fragmentation than a more traditional allocator design. It aims to provide decent overall performance with a focus on long-term performance and memory usage rather than allocator micro-benchmarks. It offers scalability via a configurable number of entirely independent arenas, with the internal locking within arenas further divided up per size class.

It is possible to use this as the memory allocator for many applications to increase security.

Discussion related to integration with Whonix can be done in this forum thread.

Install Hardened Malloc

Hardened malloc is not available in the Debian or Whonix repositories so it must be compiled from source. To do this, it is necessary to install g++ for compilation.

1. Update the package lists.

sudo apt-get update

2. Install g++, and git to clone the repository.

sudo apt-get install g++ git

3. Download hardened malloc and verify its signature as follows.

Warning: While git is cryptographically secure, it is not foolproof. See Web of Trust and "How safe are signed git tags? Only as safe as SHA-1 or somehow safer?" for further information.

Run the following commands in Whonix-Workstation ™ (Qubes-Whonix ™: whonix-ws-15).

Retrieve the signing key. [10]

scurl-download https://github.com/thestinger.gpg

Verify the key fingerprint.

gpg --keyid-format long --with-fingerprint thestinger.gpg

Should show.

gpg: WARNING: no command supplied. Trying to guess what you mean ...
pub rsa4096/F9E712E59AF5F22A 2012-12-06 [SC]
Key fingerprint = 65EE FE02 2108 E2B7 08CB FCF7 F9E7 12E5 9AF5 F22A
uid Daniel Micay <danielmicay@gmail.com>
uid Daniel Micay <daniel.micay@copperhead.co>
uid Daniel Micay <security@attestation.app>
uid Daniel Micay <security@seamlessupdate.app>
uid Daniel Micay <security@grapheneos.org>
sub rsa4096/7363D2F61FDC8A7F 2012-12-06 [E]

Import the key.

gpg --import thestinger.gpg

Get the source code.

git clone https://github.com/GrapheneOS/hardened_malloc

Navigate to the hardened_malloc folder.

cd hardened_malloc

Always verify software signatures! Check the hardened malloc signature.

git tag --verify 1

Should show.

object d80919fa1e8042a070a3f9b2560ff2ecac8a75da
type commit
tag 1
tagger Daniel Micay <danielmicay@gmail.com> 1562939118 -0400

1
gpg: Signature made Fri 12 Jul 2019 09:45:21 AM EDT
gpg: using RSA key 65EEFE022108E2B708CBFCF7F9E712E59AF5F22A
gpg: issuer "danielmicay@gmail.com"
gpg: Good signature from "Daniel Micay <danielmicay@gmail.com>" [unknown]
gpg: aka "Daniel Micay <security@attestation.app>" [unknown]
gpg: aka "Daniel Micay <security@seamlessupdate.app>" [unknown]
gpg: aka "Daniel Micay <security@grapheneos.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 65EE FE02 2108 E2B7 08CB FCF7 F9E7 12E5 9AF5 F22A
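The "Good signature" line above is followed by "[unknown]" and a warning that the key is not certified, so git verify-tag alone only proves that some key signed the tag. What ties the tag to the key fetched earlier is comparing the primary key fingerprint against the one shown on this page. The script below is an added example, not part of the Whonix wiki or the hardened_malloc project: it reads the machine-readable status that git verify-tag --raw writes to stderr and succeeds only when a VALIDSIG line names the expected primary fingerprint. The SAMPLE_STATUS text is constructed for offline testing from the fingerprint and signature time shown above; it is not captured from a real run.

```shell
#!/bin/sh
# Added example (not from the Whonix wiki): pin the expected primary key
# fingerprint when verifying a signed git tag.

# Fingerprint shown on this page for the hardened_malloc signing key.
EXPECTED_FPR="65EE FE02 2108 E2B7 08CB FCF7 F9E7 12E5 9AF5 F22A"

# Read gpg status lines on stdin. Succeed only if a VALIDSIG line exists whose
# last field (the primary key fingerprint) equals the expected value. Spaces
# and lower-case hex digits in the expected value are normalised first.
validsig_matches() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF')
    awk -v want="$want" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && $NF == want { ok = 1 }
        END { exit (ok ? 0 : 1) }'
}

# Usage (inside the cloned repository): verify_tag_pinned 1 "$EXPECTED_FPR"
# git verify-tag --raw prints the gpg status protocol to stderr, hence 2>&1.
verify_tag_pinned() {
    git verify-tag --raw "$1" 2>&1 | validsig_matches "$2"
}

# Constructed sample of --raw output for offline use (not real captured output;
# the fingerprint and signature timestamp come from this page).
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] KEY_CONSIDERED 65EEFE022108E2B708CBFCF7F9E712E59AF5F22A 0
[GNUPG:] GOODSIG F9E712E59AF5F22A Daniel Micay <danielmicay@gmail.com>
[GNUPG:] VALIDSIG 65EEFE022108E2B708CBFCF7F9E712E59AF5F22A 2019-07-12 1562939121 0 4 0 1 8 00 65EEFE022108E2B708CBFCF7F9E712E59AF5F22A
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Demonstration on the constructed sample; the real check is verify_tag_pinned.
if printf '%s\n' "$SAMPLE_STATUS" | validsig_matches "$EXPECTED_FPR"; then
    echo "sample status: tag signed by the pinned primary key"
else
    echo "sample status: fingerprint mismatch"
fi
```

A GOODSIG line without a matching VALIDSIG fingerprint fails the check, which is the behaviour wanted: a tag signed by a different key that merely carries the same name in its user ID is rejected.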

4. Build the program.

This will only take a few seconds, depending on your system's resources.

make

5. Move the hardened_malloc library into /usr/lib.

sudo mv libhardened_malloc.so /usr/lib/libhardened_malloc.so

Launch Applications with Hardened Malloc

To launch an application with hardened malloc, set the LD_PRELOAD environment variable before starting it. For example, to start Tor Browser this way, run.

LD_PRELOAD='/usr/lib/libhardened_malloc.so' torbrowser

Launch Systemd Services with Hardened Malloc

To launch an individual systemd service with hardened malloc, add a systemd drop-in configuration snippet for that service containing the following line in its [Service] section. The path is not quoted, because systemd keeps quote characters inside an Environment= value literally and the dynamic linker would then fail to find the library.

Environment=LD_PRELOAD=/usr/lib/libhardened_malloc.so
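The script below is an added example covering both the LD_PRELOAD launch above and the systemd drop-in; it is not part of the Whonix wiki or of hardened_malloc. It writes a drop-in for a unit and then checks /proc/PID/maps of the running process to confirm the library was really mapped. That second step matters because LD_PRELOAD is silently ignored by the dynamic linker for set-user-ID programs (firejail itself is one), and a mistyped path also fails silently, so a successful launch is not proof that the allocator is in use. The drop-in file name and the SAMPLE_MAPS text are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the Whonix wiki): enable hardened malloc for one
# systemd service via a drop-in and confirm the library is mapped.

LIB=/usr/lib/libhardened_malloc.so   # where the page installs the library

# Write a drop-in into DIR (normally /etc/systemd/system/<unit>.service.d).
# The file name 50-hardened-malloc.conf is an assumption of this example.
write_preload_dropin() {
    dir=$1
    lib=$2
    mkdir -p "$dir" || return 1
    printf '[Service]\nEnvironment=LD_PRELOAD=%s\n' "$lib" > "$dir/50-hardened-malloc.conf"
}

# Print the LD_PRELOAD value a drop-in file sets (empty if none).
dropin_preload_value() {
    sed -n 's/^Environment=LD_PRELOAD=//p' "$1"
}

# Return 0 if MAPS_FILE (normally /proc/PID/maps) contains a file-backed
# mapping whose base name is exactly LIBNAME; anonymous mappings have fewer
# than six fields and are skipped.
lib_mapped() {
    awk -v name="$2" '
        NF >= 6 {
            n = split($NF, parts, "/")
            if (parts[n] == name) found = 1
        }
        END { exit (found ? 0 : 1) }' "$1"
}

# Check a live process, e.g. preload_active "$(systemctl show -p MainPID --value foo)"
preload_active() {
    lib_mapped "/proc/$1/maps" "$(basename "$LIB")"
}

# Constructed sample of /proc/PID/maps lines (not real output) for offline use.
SAMPLE_MAPS='7f0000000000-7f0000021000 r--p 00000000 08:01 12345 /usr/lib/libhardened_malloc.so
7f0000100000-7f0000200000 rw-p 00000000 00:00 0
7f0000200000-7f0000300000 r--p 00000000 08:01 54321 /usr/lib/x86_64-linux-gnu/libc.so.6'

# Run lib_mapped against the constructed sample for a given library name.
sample_check() {
    tmp=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_MAPS" > "$tmp"
    lib_mapped "$tmp" "$1"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Typical sequence after writing the drop-in for a unit named foo:
#   sudo systemctl daemon-reload && sudo systemctl restart foo
#   preload_active "$(systemctl show -p MainPID --value foo)" && echo "hardened malloc active"
```

For a desktop application started with the LD_PRELOAD command above, the same preload_active check can be run against the process ID of the final browser process rather than the launcher.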

Launch All Applications with Hardened Malloc By Default

It is possible to make all applications use hardened malloc as their default memory allocator. To do this, add the path of the libhardened_malloc.so library to the file /etc/ld.so.preload.

Open /etc/ld.so.preload in an editor with root rights.

This box uses lxsudo for root privilege escalation and mousepad as editor. These are examples; other tools can achieve the same goal. If these example tools are unavailable, or Whonix is not in use, use one of the alternatives listed below.

The easiest option is to install these example tools (lxsudo and mousepad) so the following instructions can be copied and pasted as written.

Update the package lists.

sudo apt-get update

Upgrade the system.

sudo apt-get dist-upgrade

Install the lxsudo and mousepad packages without their recommended packages.

sudo apt-get install --no-install-recommends lxsudo mousepad

The procedure is complete.

Alternatively you could also use other tools which may already be installed by default.

gksudo gedit /etc/ld.so.preload

sudoedit /etc/ld.so.preload

If you are using a graphical Whonix or Qubes-Whonix ™ with XFCE, run.

lxsudo mousepad /etc/ld.so.preload

If you are using a terminal-only Whonix, run.

sudo nano /etc/ld.so.preload

Add.

/usr/lib/libhardened_malloc.so

Save.

This may break many applications, such as man, apt or Xorg.

Network Adapters

Adding a Host-Only Networking Adapter to Whonix-Workstation ™ / SSH into Whonix-Workstation ™

When accessing the Whonix-Workstation ™ via SSH, some users may be tempted to do something dangerous: add a second network adapter with host-only networking.

Warning: Never add another network adapter in this manner! It is also potentially dangerous if any other VMs are running besides the Whonix-Workstation ™. The reason is that it exposes the MAC address of the host to the Whonix-Workstation ™.

The VMware host-only warning regarding routing and connection sharing may equally apply to Whonix: [11]

If you install the proper routing or proxy software on your host computer, you can establish a connection between the host virtual Ethernet adapter and a physical network adapter on the host computer. This allows you, for example, to connect the virtual machine to a Token Ring or other non-Ethernet network. On a Windows 2000, Windows XP or Windows Server 2003 host computer, you can use host-only networking in combination with the Internet connection sharing feature in Windows to allow a virtual machine to use the host's dial-up networking adapter or other connection to the Internet. See your Windows documentation for details on configuring Internet connection sharing.

If it is necessary to SSH or VNC into Whonix-Workstation ™, then use one of these recommended methods:

  • It is safest to do this from another Whonix-Workstation ™. When using VMs, they can see each other if they are within the same virtual LAN. When using Physical Isolation, VMs can see each other if they are within the same LAN.
  • Alternatively, run the services using Onion Services and access them through another Whonix-Workstation ™.

The following methods are not recommended, since they risk weakening isolation between the host and Whonix-Workstation ™:

  • Run the services using Onion Services and access them from the host using ordinary torification methods.
  • SSH from the host into Whonix-Gateway ™ (see File Transfer for instructions) and then SSH from there into Whonix-Workstation ™.

Adding a NAT Adapter to Whonix-Workstation ™ / Updates without Tor

Anonymity is compromised if another NAT network adapter is added to the Whonix-Workstation ™. If this advice is disregarded, then a user's identity is leaked if/when infection occurs. Therefore, it is strongly recommended to always update over the Tor network. Although Tor updating is slow by comparison, it prevents inadvertent leaks.

VM Snapshots

Apart from offering protection against hardware serial leaks, VMs have another major advantage: the ability to quickly discard and restore a system. This process is easy in Qubes-Whonix ™, since every template-based AppVM used for activities is based on a TemplateVM which is only used for software installation and updates, and nothing else. AppVMs are easily discarded and recreated in a clean state whenever the user requires it. [12] In Non-Qubes-Whonix, greater precaution is required.

Best Practice

It is strongly recommended that the user keep a master copy of the Whonix-Workstation ™ VM which:

  • Is kept updated.
  • Has no additional software installed.
  • Has no default settings changed.
  • Is not used directly for any activities.

Regular clean snapshots or clones of the master VM should be made for activities that require anonymity. Particular care must be taken that clean and unclean states are never mixed up!

The correct method for the safest operation of Non-Qubes-Whonix is as follows:

  1. Import both VMs into the virtualizer.
  2. Start both the Whonix-Gateway ™ and Whonix-Workstation ™ VMs.
  3. Securely update both VMs.
  4. After the updates have finished, shut down both VMs. Do not browse anywhere or open any unauthenticated communication channels to the internet.
  5. Create snapshots of both VMs in their clean state.
  6. Only use the snapshots for browsing or initiating any external connections.

Note: The only exception made is running apt, since it has a guaranteed way to securely download and verify packages.

Tools

Warning: VirtualBox's VM Snapshot feature is recommended against because data loss has been experienced using it. Instead, use clones or the other reliable methods outlined below.

Although VirtualBox's snapshot feature is useful when making interim snapshots of live running systems, it is not recommended as a reliable method for backing up VMs. Data loss is possible, primarily in the form of corrupted virtual hard drives (VHDs). Following VHD corruption, reverting can be very painful or even impossible. Alternative methods are copy / paste, cloning, and exporting / importing. These methods reliably provide VM backups, but disk resources are used inefficiently and manual versioning is required.

Subversion (SVN) Backup Tool

Subversion is considered the best alternative tool for backing up VM operating environments. It is similar to VirtualBox's snapshot feature, but is much more reliable and efficient. Prior to using it, familiarize yourself with the tool's documentation and design. SVN clients are available for various platforms.

SVN is a tool typically used by software developers for collaborative configuration management, version control, and backup / restore of file sets under development by many people over an extended period of time. Basic functionality for versioning, backing up and restoring changes to sets of files is available. However, SVN is considered superior to CVS, Git and other options for VM backups, because it does not have any file size limitations by design. Regardless of how big or small the files are, SVN handles them reliably and efficiently. See the following section: "Be patient with large files".

When versioning file sets, SVN employs "atomic commits". By way of comparison, Concurrent Versions System (CVS) does not employ atomic commits. Manual backup procedures are inherently not atomic functions. Additionally, SVN also handles sparse (dynamic) virtual hard disk files, an option VirtualBox offers when instantiating new virtual disk drives.

Similar to VirtualBox's snapshot capability, SVN also takes into consideration differences in files -- both textual and binary -- from version to version. For instance, if a 50 GB virtual hard drive grows by an additional 60 GB over the course of a week, SVN's repository will not necessarily increase by an additional 60 GB when a new backup is performed. The outcome depends on how much of the original file changed since the previous backup. SVN will analyze differences between newer files against older files in its repository and only save the differences. Therefore, the repository may only grow as little as 10 GB+, making more efficient use of system resources.

VirtualBox's snapshot feature provides 'branching' capability. This means it is possible to revert to an earlier version of the VM and start a new branch / version of the VM from where you left off earlier. SVN also provides similar branching capability.

Tip: For backups and restores, configuration management tools like SVN require significant additional disk space over and above the size of the file.

For instance, a 50 GB file typically requires approximately 150 GB of disk space to manage that instance of the VM. The reason is you require: 50 GB for the original source file, 50 GB in SVN's database repository, and another 50 GB for SVN's local workspace working folder ('./.svn'). Although this overhead may seem inefficient, it is not when you consider SVN's functionality and reliability in comparison to manual backup methods outlined earlier.

Complete Operating Environment Backups

In addition to backing up the Whonix-Gateway ™ and Whonix-Workstation ™(s) virtual hard drive files, it is also possible to back up the whole VirtualBox application and Whonix ™ environment for a completely restorable solution. Cloning is another possible option, but that requires more advanced technical skills.

Usually the VirtualBox application that is installed has been provided by Virtualbox.org. However, a portable application version of VirtualBox is available via a tool provided by VBox.me. This application converts VirtualBox's "install application" into a "portable application", thereby providing the option to port VMs to other computers via external USB hard drives and/or sticks. By instantiating VMs under portable VirtualBox's ~/data/.VirtualBox/Machines folder, it is possible to backup and restore the complete operating environment of not only Whonix ™, but also specific instances of VirtualBox and SVN for complete portability. This method captures the entire Whonix ™ operating environment under one parent folder, rather than distributing it across various user and system folders.

Figure: Complete Whonix ™ OS Backup #1 (screenshot not included)

Figure: Complete Whonix ™ OS Backup #2 (screenshot not included)

Figure: Complete Whonix ™ OS Backup #3 (screenshot not included)

Footnotes

  1. This is because AppArmor profiles (and possibly other mandatory access control frameworks) are often required to grant read access to the root home folder due to technical limitations.
  2. /etc/apparmor.d/abstractions/user-download
  3. /etc/apparmor.d/abstractions/ubuntu-browsers.d/user-files
  4. https://firejail.wordpress.com/
  5. https://github.com/netblue30/firejail/tree/master/etc
  6. Tests of Firejail in Whonix ™ with both the latest stable and alpha Tor Browser versions have succeeded.
  7. Preliminary tests of other security features reveal they are not yet functional in Whonix ™, for instance --apparmor, --private, and --overlay-tmpfs. If the user does not specify a path to a specific profile when running Firejail, it will search for any relevant profile automatically. If a specific profile is not located, a default profile will be used.
  8. https://github.com/Whonix/tb-starter/commit/ca3e4cbaedaaa80a6e92145badf0fcdb3c5b22db
  9. https://github.com/GrapheneOS/hardened_malloc
  10. https://grapheneos.org/install, https://github.com/GrapheneOS/hardened_malloc/issues/82
  11. https://www.vmware.com/support/ws4/doc/network_host_ws.html
  12. https://www.qubes-os.org/doc/templates/


Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)