Actions

Whonix ™ Live Mode

From Whonix

About this Whonix Live Page
Support Status testing
Difficulty medium
Maintainer Algernon
Support Support

Introduction[edit]

Users can optionally run Whonix ™ as a live system, [1] but this is only available in Non-Qubes-Whonix. Booting into live mode will make all writes go to RAM instead of the hard disk. Everything that is created / changed / downloaded in the VM during that session will not persist after shutdown. This also holds true for malicious changes made by malware, so long as it did not break out of the virtual machine.

There are two live mode options available, grub-live and ro-mode-init.

  • grub-live: a new boot menu entry is created which must be selected manually, but it is a better failsafe and hence the recommended option.
  • ro-mode-init: the boot menu stays the same and the system automatically boots into live mode when it detects a read-only disk, otherwise it boots normally into persistent mode. The advantage of using this approach is that malware running in a VM cannot silently change settings to leave persistent traces.[2]

Warning[edit]

Ambox warning pn.svg.png By itself, live mode is not amnesic and extra steps must be performed on the host to be effective. Memory forensics has also not been taken into account! The primary objective is preventing malware from gaining persistence and having an unchanged system after each reboot.

  • Whonix-Workstation ™ and Whonix-Gateway ™: It is also recommended to regularly boot into persistent mode for installation of updates.
  • Whonix-Gateway ™: If live mode is used with Whonix-Gateway ™, regularly booting into persistent mode is important to keep Tor's normal guard rotation schedule.

When Whonix ™ is run as a live system, all changes are written to RAM by default. However, it is possible for this design to be bypassed if swap files, core dumps and other relevant configurations are in effect. Fortunately, most of these can be disabled. [3] [4] [5] [6]

To stymie disk forensics, ideally full disk encryption should be applied on the host and the computer should be powered off when not in use. Alternatively the whole host OS could be run from RAM, or a live system run on the host with all writes going to RAM. The latter method also requires a correctly implemented write protection switch.

To make memory forensics harder, the machine should either be removed from any power source (by pulling the plug / removing the battery) and/or the memory should be wiped upon shutdown.

Info Tip: Since live mode makes each write go to RAM, increasing the memory assigned to the VM will improve performance; for example, if large files are regularly downloaded.

Anti-Forensics Precautions[edit]

Introduction[edit]

Whonix ™ 15 includes grub-live by default. When using this feature in Whonix ™ VMs, some precautions need to be taken even on trusted systems like GNU/Linux hosts to prevent leaving traces (proprietary OSes are a lost cause). At the moment there is only one advantage of this configuration compared to running grub-live on the host -- achieving selective amnesia for some VMs while others remain persistent. This may not be necessary in the future if grub-live development continues to advance and it allows for selective exemption of host directories. This section is a work in progress and not exhaustive.

Swap[edit]

[7] [8]

Disabling swap for an entire system

Turning off swap for the whole system may cause system instability or crashes if the RAM hard limit is reached. However the ample RAM in new systems makes this unlikely and it is worth the tradeoff.[9] Disabling swap also disables the hibernation functionality.

Host[edit]

On the host

The following command will disable swap and delete the file during the life of this session.

sudo swapoff -a

To disable swap in a persistent way, edit the fstab file and comment out the line (using #) with the swap partition.

sudo nano /etc/fstab

Save and reboot.

Confirm it is off by checking the free command. The swap line should show zeros.

free -h

TODO: the existing swap partition should be securely wiped since sensitive information like encryption keys might have already leaked there.

KVM[edit]

Disabling swapping selectively for KVM VMs

An alternative KVM-only solution is to set guest memory pages as 'locked'. [10] [11]

<memoryBacking><locked/></memoryBacking>

This option is not without disadvantages - it can be abused by malicious guests DoSing the host through RAM exhaustion. [12]

Note: Setting vm.swappiness = 0 does not completely prevent swapping. [13]

grub-live on Whonix-Gateway ™[edit]

It is recommended to also run the live package on Whonix-Gateway ™ after the initial Tor start when a guard has been set. This should eliminate any Tor-related, cached data like DNS requests that could leave traces about web activity. However be warned that it may make your Tor behavior distinguishable from regular Tor users:

  • Consensus files: These files will be (re-)downloaded more frequently.
  • Tor guards: When switching to a new guard after some months have passed. [14]

Disabling Program Crash Dumps[edit]

Besides swap there is the problem of disabling process memory dumping to disk.

Kernel

A user must go out of their way to enable kernel memory dumps since it is not enabled by default; kdump-tools is utilized in Debian. [15]

Userspace

The default core dump file size is 0 on Debian Linux: [16]

ulimit -c
0

This setting is enforced for systemd-coredump too and can be verified by inspecting the lack of core files in /var/spool or /var/lib/systemd/coredump when an intentional crash is induced (/var/crash does not exist in Debian but it may be available in other Linux distributions). [17]

Disable setuid processes dumping their memory

Processes with elevated permissions (or the setuid bit) might still be able to perform a core dump, depending on your other settings. These processes usually have more access and might contain more sensitive data segments in memory, so they should be changed as well. The behavior can be altered with a sysctl key, or directly via the /proc file system. For permanent settings, the sysctl command and configuration is typically used. A setting is called a ‘key’, which has a related value attached to it (also known as a key-value pair).

To disable programs with the setuid bit to dump, set the fs.suid_dumpable to zero:

sudo su

echo "fs.suid_dumpable=0" >> /etc/sysctl.conf

Reload the sysctl configuration with the -p flag to activate any changes you made.

sysctl -p

Live-mode Configuration[edit]

Qubes[edit]

grub-live is currently unsupported on Qubes, but may become available in the future. Refer to the following forum discussion for further information.

In Qubes R4, Qubes DisposableVMs are a suitable alternative, as well as the Qubes Live USB.

VirtualBox[edit]

1. Backup.

  • Option 1: Create a snapshot of your VM; or
  • Option 2: Alternatively backup the /boot folder.

sudo cp -a /boot /boot.back

2. Install grub-live.

Update the package lists.

sudo apt-get update

Upgrade the system.

sudo apt-get dist-upgrade

Install the grub-live package.

sudo apt-get install grub-live

The procedure is complete.

3. Launch the live system.

Following reboot, a second boot entry called "Whonix ™ Live-mode" will be visible. Simply press Enter to boot the live system and use it as normal.

4. Set the VM disks to read-only.

This setting increases security, because otherwise malware running as root in the VM could theoretically mount the image read-write and gain persistence in this way. Follow these steps:

  • Power off the machine.
  • Set the disk to read-only.
    • "vmname" below is the name of your virtual machine, for example Whonix-Gateway ™.
    • On the command line, run.

VBoxManage setextradata vmname "VBoxInternal/Devices/lsilogicsas/0/LUN#0/AttachedDriver/Config/ReadOnly" 1

5. Optional: Revert the read-only change.

To boot into normal mode again, run this command to revert the change.

VBoxManage setextradata vmname "VBoxInternal/Devices/lsilogicsas/0/LUN#0/AttachedDriver/Config/ReadOnly"

The normal boot option can now be selected in the GRUB menu.

KVM[edit]

1. Backup.

  • Option 1: Create a snapshot of your VM; or
  • Option 2: Alternatively backup the /boot folder.

sudo cp -a /boot /boot.back

2. Install grub-live.

Update the package lists.

sudo apt-get update

Upgrade the system.

sudo apt-get dist-upgrade

Install the grub-live package.

sudo apt-get install grub-live

The procedure is complete.

3. Launch live-mode.

Following reboot, a second boot entry called "Whonix ™ Live-mode" will be visible. Simply press Enter to boot the live system and use it as normal.

4. Set the VM disks to read-only.

This increases security, since otherwise malware running as root in the VM could theoretically mount the image read-write and gain persistence in this way. Follow these steps:

  • Power off the machine.
  • Set the hard disk to read-only in the virt-manager GUI before booting into live mode.
  • To boot into normal mode again, simply revert this change and choose the normal boot option in the GRUB menu.

Alternative Configurations[edit]

Ambox warning pn.svg.png Skip this section if the KVM Live-mode or Virtualbox Live-mode configuration steps above have already been completed.

Virtualbox and KVM:

VirtualBox only:

Debugging/Errors[edit]

An inconsistent filesystem will likely result in errors during live-boot. For instance, inconsistencies can arise when the VM is killed instead of performing a normal shutdown in persistent mode. Therefore to ensure it is consistent, run fsck in persistent mode. Debian automatically does this during boot. VMs running in live mode can be killed without problems.

In the case of non-fsck related errors using ro-mode-init (like dropping to an initramfs shell), add the following to the kernel command line/GRUB menu for easier debugging:

debug=1 break=init-premount

Miscellaneous[edit]

In the future, running Whonix ™ from a Live CD or DVD might be supported. Check this wiki entry at a later date.

To learn more about live mode, refer to the Live-mode forum discussion.

Footnotes[edit]

  1. Since Whonix ™ 14.
  2. https://forums.whonix.org/t/whonix-live-mode-amnesia-amnesic-non-persistent-anti-forensics/3894/145
  3. Is there a Whonix ™ Amnesic Feature / Live CD / Live DVD? What about Forensics?
  4. Whonix ™ is not Amnesic
  5. Encrypted Guest Images: Other Security Considerations
  6. Core Dumps
  7. Tails documentation notes that host swapping may be the biggest threat to anti-forensics on Linux when running in a VM; see Security Considerations.
  8. Linux also uses swapping despite having apparent "free" memory. The kernel tends to swap out long-inactive and memory-consuming processes. This frees up RAM for caches and therefore improves responsiveness.
  9. https://superuser.com/questions/243357/how-to-prevent-a-specific-program-from-swapping
  10. https://serverfault.com/questions/561446/how-can-i-keep-important-vms-in-memory-without-disabling-swap
  11. https://libvirt.org/formatdomain.html#elementsMemoryBacking
  12. When set and supported by the hypervisor, memory pages belonging to the domain will be locked in the host's memory and the host will not be allowed to swap them out, which might be required for some workloads such as real-time. For QEMU/KVM guests, the memory used by the QEMU process itself will be locked too: unlike guest memory, this is an amount libvirt has no way of figuring out in advance, so it has to remove the limit on locked memory altogether. Thus, enabling this option opens up to a potential security risk: the host will be unable to reclaim the locked memory back from the guest when it is running out of memory. This means a malicious guest allocating large amounts of locked memory could cause a denial-of-service attack on the host. Due to the risk, this option is discouraged unless your workload demands it. Even then, to mitigate these risks it is strongly recommended to set a `hard_limit` (see memory tuning) on memory allocation suitable for the specific environment at the same time.
  13. https://superuser.com/questions/760102/why-do-i-get-swapping-even-if-i-set-vm-swappiness-to-0
  14. https://forums.whonix.org/t/whonix-live-mode-amnesia-amnesic-non-persistent-anti-forensics/3894/127
  15. https://www.bentasker.co.uk/documentation/linux/312-installing-and-configuring-kdump-on-debian-jessie
  16. https://nanxiao.me/en/enable-generating-core-dump-file-on-debian-linux/
  17. https://linux-audit.com/understand-and-configure-core-dumps-work-on-linux/#linux-and-core-dumps

No user support in comments. See Support. Comments will be deleted after some time. Specifically after comments have been addressed in form of wiki enhancements. See Wiki Comments Policy.


Estellnb

18 days ago
Score 0++
check out for more security related stuff: debcheckroot: https://www....ebcheckroot/, confinedrv: https://www.elstel.org/qemu/, NSAspy: https://www....Aspy.html.en, CyberAttack-elstel: https://www....stel.html.en, GnuPG-usage: https://www....sage.html.en
Add your comment
Whonix welcomes all comments. If you do not want to be anonymous, register or log in. It is free.


Random News:

Please help in testing new features and bug fixes in Whonix ™.


https | (forcing) onion

Follow: Twitter | Facebook | gab.ai | Stay Tuned | Whonix News

Share: Twitter | Facebook

This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! Read, understand and agree to Conditions for Contributions to Whonix ™, then Edit! Edits are held for moderation.

Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)

Whonix ™ is a derivative of and not affiliated with Debian. Debian is a registered trademark owned by Software in the Public Interest, Inc.

Whonix ™ is produced independently from the Tor® anonymity software and carries no guarantee from The Tor Project about quality, suitability or anything else.

By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent. Whonix ™ is provided by ENCRYPTED SUPPORT LP. See Imprint.