Protocol Leak and Fingerprinting Protection ‎

From Whonix
Jump to navigation Jump to search

Protection from IP Leaks, DNS Leaks, Protocol Leaks and Fingerprinting. Analysis of host hardware identifiers visible or hidden inside virtual machines.

Introduction[edit]

Whonix cannot do the impossible and magically prevent every kind of protocol leakarchive.org iconarchive.today icon and identifier disclosure:

Tor provides only anonymity for DNS and the transmission of the TCP stream. Everything inside the stream, the application protocol, needs to be scrubbed. For example, if the application uses advanced techniques to determine your real external IP and sends it over the anonymized TCP stream, then what you wanted to hide, your real external IP, isn't hidden.

...

Many applications can also leak other problematic and/or sensitive data, such as:

  • Your real external non-Tor IP address, as described above
  • Your time zone (for example: IRC clients through CTCP)
  • Your user name (for example: ssh through login)
  • The name and version of the client or server you are using (for example: Apache web server leaks software name and version number; IRC clients leak client name and client version number through CTCP)
  • ​Metadata can be a risk. Click ​MAT and read 'What is a metadata?' and 'Why metadata can be a risk for your privacy?'
  • Depending on your Mode Of Anonymity you obviously shouldn't mix your use of protected (anonymous) applications with applications not passing through the Tor network or some other form of anonymity. For example, if a login name or password of yours can be traced back to your personal identity, then you are defeating the purpose entirely. Tor can not protect you from this kind of activity
  • Even sending the contents of your RAM can be dangerous. (For example: error reporting, leading to Transparent Proxy Leaks)
  • A lot of information which the application sends on request from a server (for example: most web browsers beside the Tor Browser)
  • Hardware serial numbers might be used for fingerprinting and in the worst case scenario, lead back to you.
  • License keys of non-freedom software is often transmitted and might lead back to you.

Despite the many risks, Whonix is designed to offer multiple layers of defense for the best possible protection against inadvertent deanonymization.

Whonix Advantages[edit]

Protection Against Serious Leaks[edit]

Whonix protects against the most dangerous leak categories outlined below, which would otherwise divulge the user's real identity (remotely or directly):

  • The real, external, non-Tor IP address is hidden due to the fundamental Whonix design, use of an isolated proxy, and the Whonix-Gateway Firewall. [1]
  • The same applies for DNS[1] requests; they are safe. [2]

Numerous Default Applications are Pre-configured Against Leaks[edit]

Developers have taken care to prevent common applications from leaking information that could identify users, including:

  • Stream Isolation: Configuring applications to use their own SocksPort, thus preventing Identity correlation through circuit sharing.
  • Browser fingerprinting: Whonix includes Tor Browser by default. The browser fingerprint is as good (or bad) as using the normal Tor Browser bundle from torproject.org
  • GPG: /home/user/gpg.conf is optimized for privacy; see footnote. [3]
  • ssh: Without Whonix, the syntax for ssh is user@hostname [...]. However, if a specific user is not nominated before @hostname, the operating system user name will be utilized instead. If that value is something identifiable, then anonymity is broken. Since Whonix defaults the user name to user, in the worst case only the username user can be leaked, which is harmless. [4] [5]
  • Default Application Policy

Many protocol leaks are already documented, see: Documentation and TorifyHOWTOarchive.org iconarchive.today icon for further information.

Identifiers[edit]

In addition to protocol leaks, there are also a range of identifiers that can be used for fingerprinting by adversaries for anonymity set reduction (for example, the time zone), or even for complete deanonymization (for example, if the user name was set to John Doe). Such identifiers are described below.

Software Identifiers[edit]

Table: Software Identifiers

Category Description
Color depth The default color depth is 24-bit for all Whonix users. [6] [7]
Desktop Resolution
  • Non-Qubes-Whonix VM users: The desktop resolution setting set to 1920x1080 with the (virtual) refresh rate set to 60. [8] Virtualizer will scale down resolution deepening on host screen resolution.
  • Qubes-Whonix VM users: up to dom0 setting.
  • [9]
Fonts All Whonix users have the same list of fonts installed. [10] [11] [12]
Hostname The hostname is set to host. [13]
Internal (virtual LAN) IP address
Long host name (FQDN) The long host name (FQDN) is set to host.localdomain [15]
Operating system updates Operating system (apt) updates are routed through their own circuit (Stream Isolation) to prevent accidental leakage of software packages and versions (if any custom software is installed) which could then be correlated with other anonymous activity. Also see: Software updatersarchive.org iconarchive.today icon and Software installation Whonix-Workstation.
Time
  • Whonix-Workstation, Whonix-Gateway and the host time are all different from each other.
  • Time zone (local time) is set to UTC. [16]
  • The hardware clock is set to UTC.
  • See Whonix Time Synchronization Mechanism for further information.
User name The user name is set to user.
RAM In the worst case scenario, if RAM contents are leaked -- such as error reporting software phoning home, RAM dump if infected with malware, or Transparent Proxy Leaksarchive.org iconarchive.today icon) -- this would "only" contain the RAM of the Whonix-Workstation. All non-anonymous material on the host remains safe.
Qubes Virtualbox KVM
Identical software packages [17] Differs from Non-Qubes-Whonix Differs from Qubes-Whonix Differs from Qubes-Whonix

Hardware Identifiers[edit]

These identifiers are less important because an adversary can only collect them if the user installed malicious software (for example, some copyright enforcement and anti-cheat tools collect them), or if the adversary achieves remote access by compromising a user or in some cases the root account.

Hardware identifiers are virtualizer specific issues were all virtualizers are affected and therefore unspecific to Whonix.

Table: Hardware Identifiers that require local code execution

Qubes VirtualBox KVM
Hidden CPU model and capabilities No No [18] No [19] [20] [21]
Hidden hardware serial numbers [22] [23] Yes Yes Yes
Hidden Kicksecure logo CPUIDOnion network Logo (CPU model and capabilities) processor instruction No No No
Hidden graphic card information Yes [24] Yes [25] ?
Same amount of RAM assignment Dynamically assigned Yes, fixed Yes, fixed
Hidden sensor information [26] [27] [28] Yes Yes Yes
Hidden battery information [29] Yes No Yes
Hidden BIOS DMI information [30] Yes Yes Yes
Hidden virtual BIOS DMI information and Virtual HDD and CD serial numbers [30] [31] Yes, only virtual ones Yes, only virtual ones Yes, only virtual ones
Hidden VM UUID [32] [33] Yes Yes Yes
Hidden SLIC tablearchive.org iconarchive.today icon [34] Yes, not implemented Yes, empty by default Yes, not present
HDD UUIDs are different from the host [35] Yes Yes Yes
CD-ROM UUID is identical for all Whonix users [36] Yes Yes Yes
Hidden disk UUIDs [37] Yes Yes Yes
Hidden EDIDarchive.org iconarchive.today icon [38] Yes [39] Yes [40] [41] Yes [42]
See Also VM Fingerprinting
Category Description
MAC address The MAC addressarchive.org iconarchive.today icon is different from the host. See also MAC Address. [43] [44]

Metadata[edit]

See Metadata.

Identifiers Design Goals[edit]

Should the goal be,

  • A) a shared personality: to have all Whonix appear with the same uniform fingerprint at all times, OR
  • B) a virtual personality: to invent and emulate a different unique fingerprint for each user?

In other words, should each Whonix system look exactly the same to observers, or should it try to look different for every user?

The same question rephrased in more technical terms: should identifiers such as /etc/machine-id:

  • A) shared: be the same across all Whonix systems, OR
  • B) unique: be regenerated for each user at every system boot?

Whonix design, at the time of writing, is A). [45] It may be possible to argue for either option. However, upon consideration, it seems clear that A) offers greater privacy in the context of how Whonix is used.

The threat model being considered here is that some software inside Whonix-Workstation might read system identifiers — such as the machine ID — and send them to a remote server. That remote server could then use this identifier to recognize or track users. This type of software can be described as privacy-invasive or, in more severe cases, malicious.

Choosing option A) does mean that the machine ID reveals, "this is a Whonix system." However, avoiding this kind of leakage is realistically not possible. For a deeper explanation, refer to the VM Fingerprinting page and the Kicksecure logo System Identity CamouflageOnion network Logo wiki pages. This is a general problem and is unspecific to Whonix. In fact, if an application or malware wants to track users, it can simply generate its own identifier and use that. Therefore, trying to hide system-level identifiers like /etc/machine-id does not meaningfully increase privacy in most cases.

Tor and the Tor Browser take a similar approach to this issue. They do not try to generate a new random identity (pseudonym) each time they are used. Instead, their strategy is to make all users appear the same to outside observers. The Tor Project refers to this concept as Anonymity Loves Company (you can search the web for this term for more background). Since Whonix is designed as an extension of Tor, it follows the same principle.

Option B) would avoid revealing that a system is running Whonix, but actually hiding this fact is not practically achievable, as explained in VM Fingerprinting.

There is also a trade-off between two goals: complete resistance to fingerprinting by local software, and applying strong system hardening for better security. Unfortunately, when the system is hardened for security, this itself becomes a fingerprint: it reveals that the system has been customized or secured, which may make it more identifiable. Since it is impossible to achieve both goals perfectly, Whonix prioritizes security hardening whenever these goals conflict.

When not using virtual machines (VMs), privacy-invasive software running on the host system has even greater ability to fingerprint users, because it can directly access hardware identifiers such as serial numbers, MAC addresses, or CPU features.

For a related wiki page on identifiers, see: Protocol Leak Protection and Fingerprinting Protection‎.

Discussions:

CPU Output Tests[edit]

TNT_BOM_BOM generated /proc/cpuinfo output which was posted to the Whonix forumsarchive.org iconarchive.today icon and copied here.

CPU Test One[edit]

These are the results before running VBoxManage modifyvm Whonix-Workstation --cpuidremoveall. 

processor       : 0
vendor_id       : GenuineIntel
cpu family      : 6
model           : 37
model name      : Intel(R) Core(TM) i5 CPU       M 580  @ 2.67GHz
stepping        : 5
microcode       : 0x616
cpu MHz         : 2659.899
cache size      : 3072 KB
physical id     : 0
siblings        : 1
core id         : 0
cpu cores       : 1
apicid          : 0
initial apicid  : 0
fdiv_bug        : no
f00f_bug        : no
coma_bug        : no
fpu             : yes
fpu_exception   : yes
cpuid level     : 11
wp              : yes
flags           : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 syscall nx lm constant_tsc xtopology nonstop_tsc pni monitor lahf_lm
bogomips        : 5319.79
clflush size    : 64
cache_alignment : 64
address sizes   : 36 bits physical, 48 bits virtual
power management:

CPU Test Two[edit]

These are the results after running VBoxManage modifyvm Whonix-Workstation --cpuidremoveall and shutting down the workstation. 

processor       : 0
vendor_id       : GenuineIntel
cpu family      : 6
model           : 37
model name      : Intel(R) Core(TM) i5 CPU       M 580  @ 2.67GHz
stepping        : 5
microcode       : 0x616
cpu MHz         : 2660.690
cache size      : 3072 KB
physical id     : 0
siblings        : 1
core id         : 0
cpu cores       : 1
apicid          : 0
initial apicid  : 0
fdiv_bug        : no
f00f_bug        : no
coma_bug        : no
fpu             : yes
fpu_exception   : yes
cpuid level     : 11
wp              : yes
flags           : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 syscall nx lm constant_tsc xtopology nonstop_tsc pni monitor lahf_lm
bogomips        : 5321.38
clflush size    : 64
cache_alignment : 64
address sizes   : 36 bits physical, 48 bits virtual
power management:

KVM Whonix-Workstation 12 /proc/cpuinfo[edit]

processor       : 0
vendor_id       : GenuineIntel
cpu family      : 6
model           : 6
model name      : QEMU Virtual CPU version 2.1.2
stepping        : 3
microcode       : 0x1
cpu MHz         : 2659.914
cache size      : 4096 KB
physical id     : 0
siblings        : 1
core id         : 0
cpu cores       : 1
apicid          : 0
initial apicid  : 0
fdiv_bug        : no
f00f_bug        : no
coma_bug        : no
fpu             : yes
fpu_exception   : yes
cpuid level     : 4
wp              : yes
flags           : fpu de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pse36 clflush mmx fxsr sse sse2 syscall nx lm pni cx16 x2apic popcnt hypervisor lahf_lm
bogomips        : 5319.82
clflush size    : 64
cache_alignment : 64
address sizes   : 40 bits physical, 48 bits virtual
power management:

processor       : 1
vendor_id       : GenuineIntel
cpu family      : 6
model           : 6
model name      : QEMU Virtual CPU version 2.1.2
stepping        : 3
microcode       : 0x1
cpu MHz         : 2659.914
cache size      : 4096 KB
physical id     : 1
siblings        : 1
core id         : 0
cpu cores       : 1
apicid          : 1
initial apicid  : 1
fdiv_bug        : no
f00f_bug        : no
coma_bug        : no
fpu             : yes
fpu_exception   : yes
cpuid level     : 4
wp              : yes
flags           : fpu de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pse36 clflush mmx fxsr sse sse2 syscall nx lm pni cx16 x2apic popcnt hypervisor lahf_lm
bogomips        : 1945.60
clflush size    : 64
cache_alignment : 64
address sizes   : 40 bits physical, 48 bits virtual
power management:

KVM Whonix-Workstation 13 /proc/cpuinfo[edit]

> processor : 0
vendor_id : GenuineIntel
cpu family : 6
model : 6
model name : QEMU Virtual CPU version 2.1.2
stepping : 3
microcode : 0x1
cache size : 4096 KB
physical id : 0
siblings : 1
core id : 0
cpu cores : 1
apicid : 0
initial apicid : 0
fdiv_bug : no
f00f_bug : no
coma_bug : no
fpu : yes
fpu_exception : yes
cpuid level : 4
wp : yes
flags : fpu de pse msr pae mce cx8 apic sep mtrr pge mca cmov pse36 mmx fxsr sse sse2 syscall nx lm pni cx16 x2apic popcnt aes hypervisor lahf_lm
bogomips : 1185.79
clflush size : 32
cache_alignment : 32
address sizes : 40 bits physical, 48 bits virtual
power management:

> processor : 1
vendor_id : GenuineIntel
cpu family : 6
model : 6
model name : QEMU Virtual CPU version 2.1.2
stepping : 3
microcode : 0x1
cache size : 4096 KB
physical id : 1
siblings : 1
core id : 0
cpu cores : 1
apicid : 1
initial apicid : 1
fdiv_bug : no
f00f_bug : no
coma_bug : no
fpu : yes
fpu_exception : yes
cpuid level : 4
wp : yes
flags : fpu de pse msr pae mce cx8 apic sep mtrr pge mca cmov pse36 mmx fxsr sse sse2 syscall nx lm pni cx16 x2apic popcnt aes hypervisor lahf_lm
bogomips : 1173.50
clflush size : 32
cache_alignment : 32
address sizes : 40 bits physical, 48 bits virtual
power management:

KVM Whonix-Workstation 17 /proc/cpuinfo[edit]

[workstation user ~]% cat /proc/cpuinfo
processor	: 0
vendor_id	: GenuineIntel
cpu family	: 6
model		: 37
model name	: Intel(R) Core(TM) i5 CPU       M 580  @ 2.67GHz
stepping	: 5
microcode	: 0x7
cpu MHz		: 2659.828
cache size	: 16384 KB
physical id	: 0
siblings	: 1
core id		: 0
cpu cores	: 1
apicid		: 0
initial apicid	: 0
fpu		: yes
fpu_exception	: yes
cpuid level	: 11
wp		: yes
flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 syscall nx rdtscp lm constant_tsc rep_good nopl xtopology cpuid pni pclmulqdq vmx ssse3 cx16 pcid sse4_1 sse4_2 x2apic popcnt tsc_deadline_timer aes hypervisor lahf_lm cpuid_fault pti ssbd ibrs ibpb stibp tpr_shadow vnmi flexpriority ept vpid tsc_adjust arat umip flush_l1d arch_capabilities
vmx flags	: vnmi preemption_timer invvpid ept_x_only ept_1gb flexpriority tsc_offset vtpr mtf vapic ept vpid unrestricted_guest shadow_vmcs
bugs		: cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass l1tf mds swapgs mmio_unknown
bogomips	: 5319.65
clflush size	: 64
cache_alignment	: 64
address sizes	: 36 bits physical, 48 bits virtual
power management:

from Whonix 12 WS - qubes Q3 "cat /proc/cpuinfo" (**different PC**)[edit]

processor    : 0
vendor_id    : GenuineIntel
cpu family    : 6
model        : 60
model name    : Intel(R) Core(TM) i7-4710HQ CPU @ 2.50GHz
stepping    : 3
microcode    : 0x17
cpu MHz        : 2494.312
cache size    : 6144 KB
physical id    : 0
siblings    : 8
core id        : 2
cpu cores    : 1
apicid        : 4
initial apicid    : 4
fpu        : yes
fpu_exception    : yes
cpuid level    : 13
wp        : yes
flags        : fpu de tsc msr pae cx8 apic sep cmov pat clflush mmx fxsr sse sse2 ss ht syscall nx lm constant_tsc rep_good nopl eagerfpu pni pclmulqdq ssse3 fma cx16 sse4_1 sse4_2 movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm abm ida arat epb pln pts dtherm fsgsbase bmi1 avx2 bmi2 erms xsaveopt
bugs        :
bogomips    : 4988.62
clflush size    : 64
cache_alignment    : 64
address sizes    : 39 bits physical, 48 bits virtual
power management:

> processor    : 1
vendor_id    : GenuineIntel
cpu family    : 6
model        : 60
model name    : Intel(R) Core(TM) i7-4710HQ CPU @ 2.50GHz
stepping    : 3
microcode    : 0x17
cpu MHz        : 2494.312
cache size    : 6144 KB
physical id    : 0
siblings    : 8
core id        : 2
cpu cores    : 1
apicid        : 4
initial apicid    : 4
fpu        : yes
fpu_exception    : yes
cpuid level    : 13
wp        : yes
flags        : fpu de tsc msr pae cx8 apic sep cmov pat clflush mmx fxsr sse sse2 ss ht syscall nx lm constant_tsc rep_good nopl eagerfpu pni pclmulqdq ssse3 fma cx16 sse4_1 sse4_2 movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm abm ida arat epb pln pts dtherm fsgsbase bmi1 avx2 bmi2 erms xsaveopt
bugs        :
bogomips    : 4988.62
clflush size    : 64
cache_alignment    : 64
address sizes    : 39 bits physical, 48 bits virtual
power management:

> processor    : 2
vendor_id    : GenuineIntel
cpu family    : 6
model        : 60
model name    : Intel(R) Core(TM) i7-4710HQ CPU @ 2.50GHz
stepping    : 3
microcode    : 0x17
cpu MHz        : 2494.312
cache size    : 6144 KB
physical id    : 0
siblings    : 8
core id        : 2
cpu cores    : 1
apicid        : 4
initial apicid    : 4
fpu        : yes
fpu_exception    : yes
cpuid level    : 13
wp        : yes
flags        : fpu de tsc msr pae cx8 apic sep cmov pat clflush mmx fxsr sse sse2 ss ht syscall nx lm constant_tsc rep_good nopl eagerfpu pni pclmulqdq ssse3 fma cx16 sse4_1 sse4_2 movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm abm ida arat epb pln pts dtherm fsgsbase bmi1 avx2 bmi2 erms xsaveopt
bugs        :
bogomips    : 4988.62
clflush size    : 64
cache_alignment    : 64
address sizes    : 39 bits physical, 48 bits virtual
power management:

> processor    : 3
vendor_id    : GenuineIntel
cpu family    : 6
model        : 60
model name    : Intel(R) Core(TM) i7-4710HQ CPU @ 2.50GHz
stepping    : 3
microcode    : 0x17
cpu MHz        : 2494.312
cache size    : 6144 KB
physical id    : 0
siblings    : 8
core id        : 2
cpu cores    : 1
apicid        : 4
initial apicid    : 4
fpu        : yes
fpu_exception    : yes
cpuid level    : 13
wp        : yes
flags        : fpu de tsc msr pae cx8 apic sep cmov pat clflush mmx fxsr sse sse2 ss ht syscall nx lm constant_tsc rep_good nopl eagerfpu pni pclmulqdq ssse3 fma cx16 sse4_1 sse4_2 movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm abm ida arat epb pln pts dtherm fsgsbase bmi1 avx2 bmi2 erms xsaveopt
bugs        :
bogomips    : 4988.62
clflush size    : 64
cache_alignment    : 64
address sizes    : 39 bits physical, 48 bits virtual
power management:

> processor    : 4
vendor_id    : GenuineIntel
cpu family    : 6
model        : 60
model name    : Intel(R) Core(TM) i7-4710HQ CPU @ 2.50GHz
stepping    : 3
microcode    : 0x17
cpu MHz        : 2494.312
cache size    : 6144 KB
physical id    : 0
siblings    : 8
core id        : 2
cpu cores    : 1
apicid        : 4
initial apicid    : 4
fpu        : yes
fpu_exception    : yes
cpuid level    : 13
wp        : yes
flags        : fpu de tsc msr pae cx8 apic sep cmov pat clflush mmx fxsr sse sse2 ss ht syscall nx lm constant_tsc rep_good nopl eagerfpu pni pclmulqdq ssse3 fma cx16 sse4_1 sse4_2 movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm abm ida arat epb pln pts dtherm fsgsbase bmi1 avx2 bmi2 erms xsaveopt
bugs        :
bogomips    : 4988.62
clflush size    : 64
cache_alignment    : 64
address sizes    : 39 bits physical, 48 bits virtual
power management:

> processor    : 5
vendor_id    : GenuineIntel
cpu family    : 6
model        : 60
model name    : Intel(R) Core(TM) i7-4710HQ CPU @ 2.50GHz
stepping    : 3
microcode    : 0x17
cpu MHz        : 2494.312
cache size    : 6144 KB
physical id    : 0
siblings    : 8
core id        : 2
cpu cores    : 1
apicid        : 4
initial apicid    : 4
fpu        : yes
fpu_exception    : yes
cpuid level    : 13
wp        : yes
flags        : fpu de tsc msr pae cx8 apic sep cmov pat clflush mmx fxsr sse sse2 ss ht syscall nx lm constant_tsc rep_good nopl eagerfpu pni pclmulqdq ssse3 fma cx16 sse4_1 sse4_2 movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm abm ida arat epb pln pts dtherm fsgsbase bmi1 avx2 bmi2 erms xsaveopt
bugs        :
bogomips    : 4988.62
clflush size    : 64
cache_alignment    : 64
address sizes    : 39 bits physical, 48 bits virtual
power management:

> processor    : 6
vendor_id    : GenuineIntel
cpu family    : 6
model        : 60
model name    : Intel(R) Core(TM) i7-4710HQ CPU @ 2.50GHz
stepping    : 3
microcode    : 0x17
cpu MHz        : 2494.312
cache size    : 6144 KB
physical id    : 0
siblings    : 8
core id        : 2
cpu cores    : 1
apicid        : 4
initial apicid    : 4
fpu        : yes
fpu_exception    : yes
cpuid level    : 13
wp        : yes
flags        : fpu de tsc msr pae cx8 apic sep cmov pat clflush mmx fxsr sse sse2 ss ht syscall nx lm constant_tsc rep_good nopl eagerfpu pni pclmulqdq ssse3 fma cx16 sse4_1 sse4_2 movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm abm ida arat epb pln pts dtherm fsgsbase bmi1 avx2 bmi2 erms xsaveopt
bugs        :
bogomips    : 4988.62
clflush size    : 64
cache_alignment    : 64
address sizes    : 39 bits physical, 48 bits virtual
power management:

> processor    : 7
vendor_id    : GenuineIntel
cpu family    : 6
model        : 60
model name    : Intel(R) Core(TM) i7-4710HQ CPU @ 2.50GHz
stepping    : 3
microcode    : 0x17
cpu MHz        : 2494.312
cache size    : 6144 KB
physical id    : 0
siblings    : 8
core id        : 2
cpu cores    : 1
apicid        : 4
initial apicid    : 4
fpu        : yes
fpu_exception    : yes
cpuid level    : 13
wp        : yes
flags        : fpu de tsc msr pae cx8 apic sep cmov pat clflush mmx fxsr sse sse2 ss ht syscall nx lm constant_tsc rep_good nopl eagerfpu pni pclmulqdq ssse3 fma cx16 sse4_1 sse4_2 movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm abm ida arat epb pln pts dtherm fsgsbase bmi1 avx2 bmi2 erms xsaveopt
bugs        :
bogomips    : 4988.62
clflush size    : 64
cache_alignment    : 64
address sizes    : 39 bits physical, 48 bits virtual
power management:

KVM vs Qubes[edit]

KVM[edit]

processor       : 0
vendor_id       : GenuineIntel
cpu family      : 6
model           : 6
model name      : QEMU Virtual CPU version 2.1.2
flags           : fpu de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pse36 clflush mmx fxsr sse sse2 syscall nx lm pni cx16 x2apic popcnt hypervisor lahf_lm

Qubes[edit]

processor    : 0
vendor_id    : GenuineIntel
cpu family   : 6
model        : 60
model name   : Intel(R) Core(TM) i7-4710HQ CPU @ 2.50GHz
flags        : fpu de tsc msr pae cx8 apic sep cmov pat clflush mmx fxsr sse sse2 ss ht syscall nx lm constant_tsc rep_good nopl eagerfpu pni pclmulqdq ssse3 fma cx16 sse4_1 sse4_2 movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm abm ida arat epb pln pts dtherm fsgsbase bmi1 avx2 bmi2 erms xsaveopt

get-edid output[edit]

EDID[edit]

Install package(s) read-edid following these instructions

1 Platform specific notice.

2 Kicksecure logo Update the package lists and upgrade the systemOnion network Logo.

sudo apt update && sudo apt full-upgrade

3 Install the read-edid package(s).

Using apt command line Kicksecure logo --no-install-recommends optionOnion network Logo is in most cases optional.

sudo apt install --no-install-recommends read-edid

4 Platform specific notice.

  • Non-Qubes-Whonix: No special notice.
  • Qubes-Whonix: Shut down Template and restart App Qubes based on it as per Kicksecure logo Qubes Template ModificationOnion network Logo.

5 Done.

The procedure of installing package(s) read-edid is complete.

sudo get-edid ; echo $?

Qubes[edit]

This is read-edid version 3.0.1. Prepare for some fun.
Attempting to use i2c interface
Looks like no busses have an EDID. Sorry!
Attempting to use the classical VBE interface

        Performing real mode VBE call
        Interrupt 0x10 ax=0x4f00 bx=0x0 cx=0x0
        Function unsupported
        Call failed

        VBE version 0
        VBE string at 0x0 "O"

VBE/DDC service about to be called
        Report DDC capabilities

        Performing real mode VBE call
        Interrupt 0x10 ax=0x4f15 bx=0x0 cx=0x0
        Function unsupported
        Call failed

Reading next EDID block

VBE/DDC service about to be called
        Read EDID

        Performing real mode VBE call
        Interrupt 0x10 ax=0x4f15 bx=0x1 cx=0x0
        Function unsupported
        Call failed

The EDID data should not be trusted as the VBE call failed
Error: output block unchanged
I'm sorry nothing was successful. Maybe try some other arguments
if you played with them, or send an email to Matthew Kern <pyrophobicman@gmail.com>.
1

VirtualBox[edit]

get-edid: get-edid version 2.0.0

        Performing real mode VBE call
        Interrupt 0x10 ax=0x4f00 bx=0x0 cx=0x0
        Function supported
        Call successful

        VBE version 200
        VBE string at 0xc7f10 "VirtualBox VBE BIOS https://www.virtualbox.org/"

VBE/DDC service about to be called
        Report DDC capabilities

        Performing real mode VBE call
        Interrupt 0x10 ax=0x4f15 bx=0x0 cx=0x0
        Function unsupported
        Call failed

Reading next EDID block

VBE/DDC service about to be called
        Read EDID

        Performing real mode VBE call
        Interrupt 0x10 ax=0x4f15 bx=0x1 cx=0x0
        Function unsupported
        Call failed

The EDID data should not be trusted as the VBE call failed
Error: output block unchanged
1

KVM[edit]

get-edid: get-edid version 2.0.0

        Performing real mode VBE call
        Interrupt 0x10 ax=0x4f00 bx=0x0 cx=0x0
halt_sys: file ��y�*+, line -1216758308
        Function unsupported
        Call successful

        VBE version 300
        VBE string at 0xc4f55 "SeaBIOS VBE(C) 2011"

VBE/DDC service about to be called
        Report DDC capabilities

        Performing real mode VBE call
        Interrupt 0x10 ax=0x4f15 bx=0x0 cx=0x0
halt_sys: file ��y�*+, line -1216720908
        Function unsupported
        Call successful

Reading next EDID block

VBE/DDC service about to be called
        Read EDID

        Performing real mode VBE call
        Interrupt 0x10 ax=0x4f15 bx=0x1 cx=0x0
halt_sys: file ��y�*+, line -1216720908
        Function unsupported
        Call successful

The EDID data should not be trusted as the VBE call failed
Error: output block unchanged
1

Testing[edit]

For users and researchers that wish to reproduce, verify the output of the analysis tools used on this page, could install the following packages.

Install package(s) x11-utils lshw usbutils hddtemp lm-sensors acpi mesa-utils following these instructions

1 Platform specific notice.

2 Kicksecure logo Update the package lists and upgrade the systemOnion network Logo.

sudo apt update && sudo apt full-upgrade

3 Install the x11-utils lshw usbutils hddtemp lm-sensors acpi mesa-utils package(s).

Using apt command line Kicksecure logo --no-install-recommends optionOnion network Logo is in most cases optional.

sudo apt install --no-install-recommends x11-utils lshw usbutils hddtemp lm-sensors acpi mesa-utils

4 Platform specific notice.

  • Non-Qubes-Whonix: No special notice.
  • Qubes-Whonix: Shut down Template and restart App Qubes based on it as per Kicksecure logo Qubes Template ModificationOnion network Logo.

5 Done.

The procedure of installing package(s) x11-utils lshw usbutils hddtemp lm-sensors acpi mesa-utils is complete.

See Also[edit]

Footnotes[edit]

  1. 1.0 1.1 This does not cover application vulnerabilities and exploits, which escalate from the virtual machine to the host. See: Attacks. However, by design the Whonix-Workstation does not know its own external non-Tor IP address.
  2. /etc/resolv.conf in Whonix-Workstation is configured to use the Whonix-Gateway as the DNS resolver, which is routed through Tor.
  3. Adhering to recommendationsarchive.org iconarchive.today icon as per the torbirdy github repositoryarchive.org iconarchive.today icon, which prevents leakage of the operating system version (no-emit-version) and other variables (on githubarchive.org iconarchive.today icon).
  4. In this case it may appear that the syntax was simply copied from the manpage.
  5. The Tails OS similarly sets the username to amnesia, which is a default value not set by the user and therefore safe.
  6. To check the color depth run the following command in console. xdpyinfo
  7. Do not rely on https://ip-check.infoarchive.org iconarchive.today icon or similar websites to check the desktop resolution and color depth, because Tor Button changes these values to improve anonymity; refer to the TorButton specification and Tor trac for further details. See also Browser Tests. In order to check the list of installed fonts, run. fc-list
  8. https://github.com/Kicksecure/vm-config-dist/blob/master/etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/displays.xmlarchive.org iconarchive.today icon
  9. To check the desktop resolution and refresh rate, run the following command in console. xrandr
  10. So long as the user or any additional software packages do not install further packages.
  11. Only three common fonts (monospace, serif, times new roman) can be detected for all Tor Browser users.
  12. Robert Ransom previously suggested Whonix should share the same list of fonts as Tails if possible. Since Tor Browser no longer leaks which fonts are installed, lead Whonix developer Patrick Schleizer does not see any advantage of this action (follow-up enquiry ignored).
  13. To check the hostname, run. host
  14. To check the internal (virtual LAN) IP address, run. sudo ifconfig
  15. To check the long host name, run. hostname --fqdn
  16. To check the time zone, run. cat /etc/timezone
  17. By default, all Whonix users have the same set of software packages installed. However, if additional software packages are installed, this advantage is lost. See also: Software updatersarchive.org iconarchive.today icon.
  18. These were hidden by VirtualBox "Synthetic CPU" in the past but that feature was removed from VirtualBox. (Even then the clock speed of your host CPU was visible to all code (applications or malware) inside Whonix-Workstation.) The parameters --cpuid-portability-level or --cpuidremoveall have been tested and do not hide CPU model and capabilities either.archive.org iconarchive.today icon
  19. https://forums.whonix.org/t/help-welcome-kvm-development-staying-the-course/166/403archive.org iconarchive.today icon
  20. https://phabricator.whonix.org/T449archive.org iconarchive.today icon
  21. This is due to the design of virtualization platforms (VirtualBox, KVM, Xen, Qubes, VMware, etc.). Most virtualization platforms leak CPU model, capabilities and clock speed. Check. cat /proc/cpuinfo A workaround in theory could be to use an emulator instead of a virtualizer such as QEMU or bochsarchive.org iconarchive.today icon. In practice however, unfortunately such emulators are slow and there might be other limitations. (Does Bochs support internal networking?)
  22. Hardware serial numbers which any applications could collect are hidden due to the Virtual Machine.
  23. It is possible to check the visible hardware yourself with the following commands. sudo lshw and sudo lspci If USB devices are attached, run. sudo lsusb Then compare the results with your host.
  24. sudo lshw -C display 
      *-display
       description: VGA compatible controller
       product: SVGA II Adapter
       vendor: VMware
       physical id: 2
       bus info: pci@0000:00:02.0
       version: 00
       width: 32 bits
       clock: 33MHz
       capabilities: vga_controller bus_master rom
       configuration: driver=vmwgfx latency=64
       resources: irq:18 ioport:d000(size=16) memory:e0000000-e7ffffff memory:f0000000-f01fffff memory:c0000-dffff
  25. sudo lshw -C display Expected output: No output, which is good.
  26. CPU temperature, HDD temperature, S.M.A.R.T.archive.org iconarchive.today icon
  27. Fortunately virtualizers hide them from the guest VM by not implementing them.
  28. To check the sensor information, run. Using hddtemp.
    • Qubes: sudo hddtemp /dev/xvda
    • VirtualBox: sudo hddtemp /dev/sda
    • KVM: sudo hddtemp /dev/vda
    Using sensors-detect. sudo sensors-detect
  29. To check the battery information, run. acpi -V
  30. 30.0 30.1 To check the BIOS DMI information, run. sudo dmidecode
  31. To see disk ids that are in use, run. sudo ls -la /dev/disk/by-id/ sudo ls -la /dev/disk/by-uuid/ Then compare the result with the host.
  32. As in explained in VBoxManage modifyhdarchive.org iconarchive.today icon, this value has no relation to the host by default.
  33. To check the VM UUID, run. sudo dmidecode
  34. To check the SILC table, run. sudo cat /sys/firmware/acpi/tables/SLIC Inside the virtualizer and on the host. On the host there may or may not be not be a SLIC table. If there is none, it cannot leak into your virtualizer. If there is one, the value will not be mirrored in VirtualBox, which is fine.
  35. To check the HDD UUID, run.
    • Qubes: sudo hdparm -i /dev/xvda
    • VirtualBox: sudo hdparm -i /dev/sda
    • KVM: sudo hdparm -i /dev/vda
  36. To check the CD-ROM UUID, run. udisks --show-info /dev/cdrom
  37. Real hardware UUIDs are hidden by the virtualizer.
  38. Virtualizers routinely hide extended display identification data.
  39. See: Qubes EDID.
  40. See: VirtualBox EDID.
  42. See: KVM EDID.
  43. To check Whonix-Workstation's MAC address, run. sudo ifconfig Inside Whonix-Workstation and then compare it with the host.
  44. Disadvantages if a shared MAC Addresses would be used by all Whonix-Workstation:
    • Multiple Whonix-Workstation cannot use the Internet at the same time if they are using the same MAC address. It leads to confusing connection interruptions in either of the virtual machines.
    • The project contributors need to explain and defend the design, which takes a lot of time for little gain. (Again, it is important not to expose the host's real MAC address, but so long as the one inside the virtual machine is different, everything is in an acceptable state.)
    Advantages if a shared MAC Addresses would be used by all Whonix-Workstation:
    • It may be easier to develop ARP spoofing defense to implement authenticated connections between Whonix-Gateway and Whonix-Workstation. (This is only useful when using Multiple Whonix-Workstation.) To understand the context, please read Connections between Gateway and Workstation.
    • In some cases, applications gather the MAC address and send it to a remote server (proprietary license checks use the MAC for hardware fingerprinting). In this case a shared MAC address might be better for privacy. It however might also break the proprietary license check as this expects different MAC addresses for different customers of the proprietary software. See also VM Fingerprinting.
    • There might be an advantages of sharing MAC addresses among all Whonix versions. That would be useful in the event an application leaks the MAC address or if Whonix-Workstation was compromised. On the other hand, this would identify the user as a Whonix user.
  45. https://github.com/Whonix/dist-base-filesarchive.org iconarchive.today icon
Notification image
Your support makes
all the difference!

We believe security software like Whonix needs to remain open source and independent. Would you help sustain and grow the project? Learn more about our 13 year success story and maybe DONATE!

Retrieved from "https://www.whonix.org/w/index.php?title=Protocol-Leak-Protection_and_Fingerprinting-Protection&oldid=103958"