
Whonix-Workstation Security

Whonix-Workstation Security Introduction[edit]


If the Whonix-Workstation VM is ever compromised, the attacker has access to the data it contains, including all credentials, browser data and passwords. The IP address is never leaked, since this requires a compromise of the Whonix-Gateway VM, but this information may still result in identity disclosure.

In Non-Qubes-Whonix:

The best practice is to keep a clean master copy of the Whonix-Workstation VM, make snapshots / clones of the master, and then only use these for internet activity. The user can then 'rollback' (use a new clean clone / snapshot VM) after risky activity, or if they suspect the integrity of the system has been compromised. See the multiple VM snapshots recommendation below.

In Qubes-Whonix:

The best practice is to use DisposableVMs for all your internet activity. Alternatively, periodically delete your Whonix-Workstation AppVM(s) and create fresh instances from the Whonix-Workstation TemplateVM.

Adding a Host-Only Networking Adapter to Whonix-Workstation / SSH into Whonix-Workstation[edit]

Users who want to access the Whonix-Workstation via SSH may be tempted to do something dangerous: add a second network adapter configured for host-only networking.


The VMware host-only warning regarding routing and connection sharing may equally apply to Whonix: [1]

If you install the proper routing or proxy software on your host computer, you can establish a connection between the host virtual Ethernet adapter and a physical network adapter on the host computer. This allows you, for example, to connect the virtual machine to a Token Ring or other non-Ethernet network. On a Windows 2000, Windows XP or Windows Server 2003 host computer, you can use host-only networking in combination with the Internet connection sharing feature in Windows to allow a virtual machine to use the host's dial-up networking adapter or other connection to the Internet. See your Windows documentation for details on configuring Internet connection sharing.

If it is necessary to SSH or VNC into the Whonix-Workstation, then:

  • It is safest to do this from another Whonix-Workstation. When using VMs, they can see each other if they are within the same virtual LAN. When using Physical Isolation, VMs can see each other if they are within the same LAN.
  • Alternatively run the services using Onion Services and access them through another Whonix-Workstation.
  • Another alternative is to run the services using Onion Services and access them from the host using ordinary torification methods.
  • A final method is to SSH from the host into Whonix-Gateway (see File Transfer for instructions) and then SSH from there into the Whonix-Workstation.


Note: The last two methods are not recommended. They risk weakening isolation between the host and Whonix-Workstation.

Adding a NAT Adapter to Whonix-Workstation / Updates without Tor[edit]

Anonymity is compromised if another network adapter in NAT mode is added to the Whonix-Workstation, because traffic on that adapter bypasses the Whonix-Gateway. If this advice is disregarded, your identity is leaked if/when an infection occurs. Therefore, it is strongly recommended to always update over the Tor network. Although updating over Tor is slow by comparison, it prevents inadvertent leaks.

AppArmor[edit]

Strongly consider using the Whonix AppArmor profiles which are available for various programs which run in both the Whonix-Gateway and Whonix-Workstation, such as Tor, Tor Browser, Thunderbird and others. The profiles are easily applied and provide a considerable security benefit.

Firejail[edit]

Introduction[edit]

According to the Firejail project page: [2]

Firejail is a SUID program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces and seccomp-bpf. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table. Written in C with virtually no dependencies, the software runs on any Linux computer with a 3.x kernel version or newer. The sandbox is lightweight, the overhead is low. There are no complicated configuration files to edit, no socket connections open, no daemons running in the background. All security features are implemented directly in Linux kernel and available on any Linux computer. The program is released under GPL v2 license.

Firejail has built-in profiles for a large number of popular Linux programs, including many which are used in Whonix. A small sample of the 100+ profiles includes: Chromium, CryptoCat, Dolphin, Evince, Firefox, HexChat, LibreOffice, Okular, Thunderbird, Transmission, VirtualBox, VLC and wget. [3]

Installing Firejail[edit]


1. Boot the Whonix-Workstation (whonix-ws) TemplateVM

2. Add jessie-backports to sources.list

   sudo su -c "echo -e 'deb http://http.debian.net/debian jessie-backports main' > /etc/apt/sources.list.d/jessie-backports.list"

Alternatively, use the .onion mirror.

   sudo su -c "echo -e 'deb http://vwakviie2ienjx6t.onion/debian jessie-backports main' > /etc/apt/sources.list.d/jessie-backports.list"

3. Update the Package Lists

   sudo apt-get update

4. Install Firejail

   sudo apt-get -t jessie-backports install firejail

5. Launch Firejail

Note: In Qubes-Whonix, a new Whonix-Workstation AppVM based on the modified template should be created before running any applications. Never launch programs in your Whonix-Workstation TemplateVM.

To run sandboxed applications, simply prefix your program command with "firejail" in a terminal. For example:

firejail evince

firejail vlc

6. Optional: Use Additional Firejail Command Line Options

The full list of command line options can be found in the official Firejail documentation. Alternatively, run the following command in Konsole in the Whonix-Workstation AppVM.

man firejail

The interested reader should note the host of additional security features. For instance, VLC could be run while blocking access to the internet as follows.

firejail --net=none vlc

Similarly, the following commands would run Firefox or Tor Browser with seccomp restrictions and debug output. [4]

firejail --debug --seccomp firefox

firejail --debug --seccomp torbrowser

For a further technical discussion of Firejail, see here.


7. Optional: Automatically Prepend Tor Browser with Firejail

In Whonix 14, users can automatically prepend the Tor Browser binary with Firejail by editing /etc/torbrowser.d/50_user.conf and adding the following line. [6]

   tb_starter_bin_pre="firejail --seccomp"

Running Firefox-ESR in a Firejail Sandbox (Qubes Debian Template)[edit]



1. Boot the Debian-8 or Debian-9 TemplateVM

2. Follow the Steps to Install Firejail from jessie-backports

3. Create a New Debian-8 or Debian-9 AppVM Based on the Modified Template

4. Launch the Sandboxed Firefox-ESR

In a terminal, run:

   firejail firefox

Note: Refer to the official Firefox Sandboxing Guide for further command line options.

5. Confirm Firefox-ESR is Sandboxed

Open another terminal and run:

   firejail --tree

The output should confirm Firefox-ESR is now running in a firejail container.

   XXXX:user:firejail /usr/lib/firefox-esr/firefox-esr

Sandboxing Tor Browser[edit]

Mitigating the risk of Tor Browser security breaches makes sense, because it is an untrusted application with a huge attack surface; it is frequently and successfully attacked in the wild. Firejail is one easy sandboxing option to restrict the Tor Browser process. [7]

Note: Consider cloning the Whonix-Workstation-TemplateVM prior to installing Firejail. Firejail installs a host of dependencies and users may not want these in the default template.

1. Boot the Whonix-Workstation TemplateVM

2. Follow the Steps to Install Firejail from jessie-backports

3. Create a New Whonix-Workstation-AppVM Based on the Modified Template

Qubes VM Manager -> VM -> Create AppVM

[Image: Create Qubes-Whonix-Workstation AppVM] [8]

4. Optional Step (Untested): Create a Customized Firejail Profile for Tor Browser

Follow these steps to build a custom profile.

5. Launch the Sandboxed Tor Browser

Open a terminal and run:

   firejail torbrowser

6. Confirm Tor Browser is Sandboxed

Launch Tor Browser in the anon-whonix AppVM. Then open a terminal and run:

   firejail --tree

The output should show Tor Browser is now running in a Firejail container.

   XXXX:user:firejail torbrowser
   XXXX:user:/bin/bash /usr/bin/torbrowser
   XXXX:user:bash /home/user/.tb/tor-browser/Browser/start-tor-browser --all
   XXXX:user:./firefox --class Tor Browser -profile TorBrowser/Data/Browse
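Steps 5 and 6 of the two procedures above confirm sandboxing by reading `firejail --tree` by eye. The following POSIX shell script, an added example that is not part of the Whonix wiki or the Firejail project, does the same check programmatically: it parses the tree (unindented lines are sandbox roots, indented lines their descendants) and reports the PID of the firejail process enclosing a given program. The tree output embedded below is constructed from the page's own listings, with made-up PIDs and the indentation that firejail prints.

```shell
#!/bin/sh
# Added example (not from the Whonix wiki): parse `firejail --tree` output to
# confirm that a program runs inside a Firejail sandbox.
# Constructed sample of `firejail --tree` output; PIDs are made up.
TREE_SAMPLE='4201:user:firejail torbrowser
  4202:user:/bin/bash /usr/bin/torbrowser
    4210:user:bash /home/user/.tb/tor-browser/Browser/start-tor-browser --all
      4215:user:./firefox --class Tor Browser -profile TorBrowser/Data/Browser
5300:user:firejail /usr/lib/firefox-esr/firefox-esr
  5301:user:/usr/lib/firefox-esr/firefox-esr'

# sandbox_root_pid TREE PATTERN
# Prints the PID of the firejail process whose sandbox contains a process
# whose command field contains PATTERN (fixed string), one PID per match.
# Prints nothing and returns 1 when no sandboxed process matches.
sandbox_root_pid() {
    printf '%s\n' "$1" | awk -v pat="$2" '
        # An unindented line starts a new sandbox: remember its PID and command.
        /^[0-9]/ { split($0, f, ":"); root = f[1]; rootcmd = f[3]; next }
        {
            line = $0
            sub(/^[ \t]+/, "", line)              # strip tree indentation
            split(line, f, ":")                   # f[1]=PID f[2]=user
            # Command may itself contain ":", so take everything after the
            # second colon instead of trusting f[3].
            cmd = substr(line, length(f[1]) + length(f[2]) + 3)
            if (index(cmd, pat) && rootcmd ~ /^firejail( |$)/) {
                print root; found = 1
            }
        }
        END { exit (found ? 0 : 1) }'
}

# confirm_sandboxed TREE PATTERN: human-readable verdict, exit 1 if unsandboxed.
confirm_sandboxed() {
    if pids=$(sandbox_root_pid "$1" "$2"); then
        echo "sandboxed: '$2' runs under firejail PID(s): $(echo "$pids" | tr '\n' ' ')"
    else
        echo "NOT sandboxed: no firejail sandbox contains '$2'" >&2
        return 1
    fi
}

# Live use would replace TREE_SAMPLE with "$(firejail --tree)".
confirm_sandboxed "$TREE_SAMPLE" "start-tor-browser"
confirm_sandboxed "$TREE_SAMPLE" "firefox-esr"
confirm_sandboxed "$TREE_SAMPLE" "evince" || true   # expected: not sandboxed
```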

VM Snapshots[edit]


Apart from offering protection against hardware serial leaks, VMs have another major advantage: the ability to quickly discard and restore a system. This process is easy in Qubes-Whonix, since every template-based AppVM used for activities is based on a TemplateVM which is only used for software installation and updates, and nothing else. AppVMs are easily discarded and recreated in a clean state whenever the user requires it. [9] In Non-Qubes-Whonix, greater precaution is required.

It is strongly recommended the user keep a master copy of the Whonix-Workstation VM which:

  • Is kept updated.
  • Does not have any additional software installed.
  • Does not have any default settings changed.
  • Is not used directly for any activities.


Regular "clean" snapshots or clones of the master VM should be made for activities that require anonymity. Particular care must be taken that clean and unclean states are never mixed up!

The correct method for the safest operation of Non-Qubes-Whonix is as follows:

  1. Import both VMs into the virtualizer.
  2. Start both the Whonix-Gateway and Whonix-Workstation VMs.
  3. Securely update both VMs.
  4. After the updates have finished, shut down both VMs. Do not browse anywhere or open any unauthenticated communication channels to the internet.
  5. Create snapshots of both VMs in their clean state.
  6. Only use the snapshots for browsing or initiating any external connections.


Note: The only exception to this rule is running apt, since it has a guaranteed way to securely download and verify packages.



Although VirtualBox's snapshot feature is useful when making interim snapshots of live running systems, it is not recommended as a reliable method for backing up VMs. The user risks possible data loss, primarily in the form of corrupted virtual hard drives (VHDs). Reverting can be very painful, or even impossible, following VHD corruption. Alternative methods are copy / paste, cloning, and exporting / importing. These methods reliably provide VM backups, but disk resources are used inefficiently and manual versioning is required.

SubVersioN (SVN) Backup Tool

SubVersioN is considered the best alternative tool for backing up VM operating environments. It is similar to VirtualBox's snapshot feature, but is much more reliable and efficient. Prior to using it, familiarize yourself with the tool's documentation and design. SVN clients are available for various platforms.

SVN is a tool typically used by software developers for collaborative configuration management, version control, and backup / restore of file sets under development by many people over an extended period of time. Basic functionality for versioning, backing up and restoring changes to sets of files is available. However, SVN is considered superior to CVS, Git and other options for VM backups, because it does not have any file size limitations by design. Regardless of how big or small the files are, SVN handles them reliably and efficiently. See the following section: "Be patient with large files".

When versioning file sets, SVN employs "atomic commits". By way of comparison, Concurrent Versions System (CVS) does not employ atomic commits. Manual backup procedures are inherently not atomic functions. Additionally, SVN also handles sparse (dynamic) virtual hard disk files, an option VirtualBox offers when instantiating new virtual disk drives.

Similar to VirtualBox's snapshot capability, SVN also takes into consideration differences in files - both textual and binary - from version to version. For instance, if a 50 GB virtual hard drive grows by an additional 60 GB over the course of a week, SVN's repository will not necessarily increase by an additional 60 GB when a new back up is performed. The outcome depends on how much of the original file changed since the previous backup. SVN will analyze differences between newer files against older files in its repository and only save the differences. Therefore, the repository may only grow as little as 10 GB+, making more efficient use of system resources.

VirtualBox's snapshot feature provides 'branching' capability. This means one can revert to an earlier version of your VM and start a new branch / version of your VM from where you left off earlier. SVN also provides similar branching capability.

Note: For backups and restores, configuration management tools like SVN require significant additional disk space over and above the size of the file. For instance, a 50 GB file typically requires approximately 150 GB of disk space to manage that instance of the VM because you require: 50 GB for the original source file, 50 GB in SVN's database repository, and another 50 GB for SVN's local workspace working folder ('./.svn'). Although this overhead may seem inefficient, it is not when you consider SVN's functionality and reliability in comparison to manual backup methods outlined earlier.

Complete Operating Environment Backups

In addition to backing up the Whonix-Gateway and Whonix-Workstation(s) virtual hard drive files, it is also possible to back up the whole of the VirtualBox application and Whonix environment for a completely restorable solution. Cloning is another possible option, but that requires more advanced technical skills.

Typically, the VirtualBox application installed is the one provided by Virtualbox.org. However, a portable application version of VirtualBox is available via a tool provided by VBox.me. This application converts VirtualBox's 'install application' into a 'portable application', thereby providing the option to port VMs to other computers via external USB hard drives and/or sticks. By instantiating VMs under portable VirtualBox's '~/data/.VirtualBox/Machines' folder, it is possible to back up and restore the complete operating environment of not only Whonix, but also specific instances of VirtualBox and SVN for complete portability. This method captures the entire Whonix operating environment under one parent folder, rather than distributing it across various user and system folders.


Footnotes[edit]

  1. https://www.vmware.com/support/ws4/doc/network_host_ws.html
  2. https://firejail.wordpress.com/
  3. https://github.com/netblue30/firejail/tree/master/etc
  4. Preliminary tests of other security features reveal they are not yet functional in Whonix, for instance --apparmor, --private, and --overlay-tmpfs. If the user does not specify a path to a specific profile when running Firejail, it will search for any relevant profile automatically. If a profile is not found, a default profile will be used.
  5. This must be removed in Whonix 14 and replaced with the method below.
  6. https://github.com/Whonix/tb-starter/commit/ca3e4cbaedaaa80a6e92145badf0fcdb3c5b22db
  7. Firejail has been tested to work with the latest stable and alpha versions of Tor Browser.
    • Create Qubes-Whonix-Workstation AppVM
      • Name and label: Name the AppVM. Don't include any personal information (if the AppVM is compromised, the attacker could run qubesdb-read /name to reveal the VM name). Name the AppVM something generic, for example: anon-whonix.
      • Color: Choose a color label for the Whonix-Workstation AppVM.
      • Use this template: Choose the Whonix-Workstation TemplateVM. For example: whonix-ws.
      • Standalone: Leave the Standalone field unchecked, unless a persistent root filesystem is desired.
      • Type: Choose the type AppVM.
      • Allow networking: Choose the desired Whonix-Gateway ProxyVM from the list. For example: sys-whonix.
      • Press: OK.
  8. https://www.qubes-os.org/doc/templates/


Whonix is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Libre Software license as Whonix itself. (Why?)