{{Header}} {{#seo: |description=Overview of Advanced Deanonymization Attacks and their development status in {{project_name_long}}. |image=Advanced_deanonymization1231.jpg }} [[File:Advanced_deanonymization1231.jpg|thumb]] {{intro| Overview of Advanced Deanonymization Attacks and their development status in {{project_name_short}}. }} = Introduction = This page aims to track and document advanced attacks that also affect virtualized and anonymous systems like {{project_name_short}}. The attacks discussed below tend to have a very high accuracy rate and can easily have devastating impacts on anonymity. The common thread among these attacks is the exploitation of underlying hardware design flaws to undermine isolation barriers imposed by the software stack operating above it. See [https://web.archive.org/web/20220305144901/http://cs.sru.edu/~mullins/cpsc100book/module02_introduction/module02-03_introduction.html Introduction to Computers: Hardware and Software] for a basic description of the difference between hardware, firmware, and software. Exploiting buggy software remains the lowest-hanging fruit for network adversaries. It is expected that they will further expand their toolbox and more regularly utilize these vectors, as the chances of discovery are minimal to none. = Attack Definitions = '''Table:''' ''Common Attack Vectors Causing Data Leakage'' {| class="wikitable" |- ! scope="col"| '''Attack Vector''' ! scope="col"| '''Description''' |- ! scope="row"| Biometric Tracking | Behavioral tracking (also called biometric tracking) relies on spying on how users interact with their devices, https://forums.whonix.org/t/biometric-fingerprinting-mass-surveillance-and-you/2236 rather than looking at the unique identifiers at the device, protocol, or application levels. |- ! scope="row"| Local Covert Channels | [https://www.techopedia.com/definition/10255/covert-channel Local covert channels] require collaboration between a malicious VM and an infected victim VM to leak confidential data. |- ! scope="row"| Network Covert Channels | [https://en.wikipedia.org/wiki/Covert_channel#Data_hiding_in_OSI_model Network] [https://en.wikipedia.org/wiki/Covert_channel#Data_hiding_in_LAN_environment_by_covert_channels covert] [https://en.wikipedia.org/wiki/Covert_channel#Data_hiding_in_TCP/IP_Protocol_suite_by_covert_channels channels] only require that a compromised VM induce identifiable changes in network traffic, which are immediately visible to adversaries surveilling the network. |- ! scope="row"| Side Channels | [https://en.wikipedia.org/wiki/Side-channel_attack Side channel attacks] allow a malicious process to spy on events/data outside the VM. |- |} = Attack Methodology = == Advanced Remote Deanonymization Methods == '''Table:''' ''Advanced Remote Deanonymization Methods'' {| class="wikitable" |- | ! '''CPU-induced Network Latency''' https://forums.whonix.org/t/cpu-induced-latency-covert-channel-countermeasures/18875 ! '''TCP ISNs and Temperature-induced Clock Skews''' https://forums.whonix.org/t/tcp-isns-and-temperature-induced-clock-skews/18862 ! '''[[Keystroke Deanonymization]]''' ! '''[[Surfing_Posting_Blogging#Mouse_Fingerprinting|Mouse Fingerprinting]]''' |- ! '''Attack Class''' | Covert Channel (network) | Covert Channel (network) | Behavioral Tracking | Behavioral Tracking |- ! '''Attack Summary''' | CPU load induces noticeable latency in ICMP network packets. https://lists.torproject.org/pipermail/tor-talk/2016-July/041807.html | CPU load skews the clock crystal frequency; these changes are detectable in the TCP ISN field. | Timing of and between keystrokes creates a unique individual pattern. | Timing of and between mouse movement speed/angles creates a unique individual pattern. |- ! '''Mitigation''' | Add random delays per ICMP packet with tc-netem or block the protocol on the host. No mitigation needed for Whonix because Tor is TCP-only. The attack doesn't work on TCP, and tc-netem causes visible latency for streams when traffic is induced, harming anonymity and performance. https://forums.whonix.org/t/cpu-induced-latency-covert-channel-countermeasures/18875 / [[Dev/latency-obfuscator]] | Rewrite TCP ISNs to conceal timer skews. | Abstract keyboard input into a network layer and inject random delays. Removing fine-grained timers also helps in this situation. | Abstract mouse input into a network layer and inject random delays. |- ! '''{{project_name_short}} [[KVM]] Mitigation''' | style="background-color: {{Blue}}"| Unneeded | style="background-color: {{Green}}"| Production https://forums.whonix.org/t/tcp-isn-cpu-information-leak-protection-tirdad/8552 | style="background-color: {{Green}}"| Production [[kloak]] | style="background-color: {{Green}}"| Production |- ! '''{{project_name_short}} [[VirtualBox]] Mitigation''' | style="background-color: {{Blue}}"| Unneeded | style="background-color: {{Green}}"| Production | style="background-color: {{Green}}"| Production | style="background-color: {{Green}}"| Production |- ! '''[[Qubes|{{q_project_name_long}}]] Mitigation''' | style="background-color: {{Blue}}"| Unneeded | {{No}} [https://forums.whonix.org/t/qubes-whonix-security-disadvantages-help-wanted/8581 Qubes-Whonix Security Disadvantages - Help Wanted!] | {{No}} | {{No}} |- |} == Advanced Local Deanonymization Methods == '''Table:''' ''Advanced Local Deanonymization Methods'' {| class="wikitable" |- | ! '''DRAMA Cross-CPU Attacks''' https://forums.whonix.org/t/advanced-attacks-meta-ticket/18865 ! '''Cross-VM CPU Cache Attacks''' https://forums.whonix.org/t/cross-vm-cache-attacks-countermeasures/18866 [https://cmaurice.fr/pdf/ndss17_maurice.pdf Hello from the Other Side: SSH over Robust Cache Covert Channels in the Cloud]: a newer covert channel attack that requires the same condition of a shared CPU cache. |- ! '''Attack Class''' | Covert (local) and Side Channel | Covert (local) and Side Channel |- ! '''Attack Summary''' | Timing of access to the shared memory bank permits data leaks, as well as snooping on keystrokes. | Measurement of shared CPU cache access latency leaks timing data concerning cryptographic processes. |- ! '''Mitigation''' | Block clflush and tsc instructions, as well as remove all timers. Additionally, avoid multi-threading of VMs, or alternatively use non-interleaved NUMA with pinned vCPUs. | Pin vCPUs to separate pCPUs. Proper mitigations are added by upstream cryptographic library projects when attacks are discovered. |- ! '''{{project_name_short}} [[KVM]] Mitigation''' | {{No}} Measure reverted to enable Spectre/Meltdown guest mitigations | style="background-color: {{Green}}"| Production |- ! '''{{project_name_short}} [[VirtualBox]] Mitigation''' | {{No}} | {{No}} |- ! '''[[Qubes|{{q_project_name_short}}]] Mitigation''' | {{No}} | {{No}} |- |} == Other Advanced Deanonymization Attacks == There are numerous other advanced attacks that have not been included in the above table. The reason is that they have easy fixes, such as avoiding some [[KVM#Unsafe_Features|unsafe hypervisor features]]. = Other Deanonymization Vectors = High-risk users should familiarize themselves with other attack vectors that can lead to deanonymization or other harmful outcomes. * [[Time_Attacks|Time-related Attacks]]: These are in a class of their own. In simple terms, insecure time synchronization and the leaking of time data can result in deanonymization. Although documented separately, time attacks have some overlap with factors outlined here. * [[Speculative_Tor_Attacks|Tor Ecosystem Attacks]]: Advanced adversaries are capable of attacking the Tor client, server, and/or [[Warning#Tor_Network_Attacks|network]] (sometimes in combination) to identify users and/or servers in specific situations. = Development = * [[Dev/Advanced Deanonymization Attacks]] * Ticket: [https://forums.whonix.org/t/advanced-attacks-meta-ticket/18865 Covert Channels Meta Ticket] * [https://forums.whonix.org/t/advanced-deanonymization-attacks/2879 Forum Discussion] = Footnotes = {{reflist|close=1}} {{Footer}} [[Category:Documentation]]