Current State of Kloak?

Kiwi · October 18, 2023, 5:26am

I would like to mention that the option to invert touchpad scroll direction (natural scrolling) does not work when kloak is running. If this is something that can be worked around that would be nice in my opinion.

Patrick · October 18, 2023, 12:47pm

This must be reported upstream.

Patrick · November 26, 2023, 6:06am

Kloak for Qubes again unfortunately seems stalled.

Patrick · January 11, 2024, 11:47am

Patrick · March 4, 2024, 10:04am

A test page that I don’t know anything about it other than it was added to the wiki a while ago by unknown.

Patrick · March 11, 2024, 2:38pm

Patrick · June 28, 2024, 9:56am

github.com/vmonaco/kloak

Feature request: add a configuration file to configure maximum delay

opened 06:42PM - 24 Jun 24 UTC

siliconwaffle

The default maximum delay of 20ms just isn't much, and when installed from a pac…kage manager there is no real way to modify the service file without it being overwritten by an update. Would you consider adding a configuration file in /etc to make this easier to configure without being overwritten by a pm? Also, I don't know how feasible this is, but would it be possible to make both keystrokes and mouse input delays separately configurable? That way users can have a stronger keystroke delay without the cursor feeling laggy, I believe this would significantly improve UX for users who want stronger protection.

Patrick · September 24, 2024, 1:18am

Since kloak is unfortunately dead upstream, it needs to be forked and maintained independently by Whonix.

github.com/Whonix/kloak

Harden and enhance Kloak

Whonix:master ← ArrayBolt3:arraybolt3

opened 11:58PM - 23 Sep 24 UTC

ArrayBolt3

+152 -33

## Changes * Enabled a battery of compile-time hardening flags, following the… recommendations from https://best.openssf.org/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.html and fixed code issues revealed by additional warnings * Added changes from https://github.com/vmonaco/kloak/pull/61 (add a header file to make future development easier) * Added some changes from https://github.com/vmonaco/kloak/pull/65 (ChatGPT-recommended code fixes, some of these I took a different approach to enhancing, in particular the strncpy fixes) * Added functionality from https://github.com/vmonaco/kloak/pull/67 (add support for new devices attached after kloak starts) * Enabled use of ASan and UBSan * Replaced most `strncpy` uses with `strtcpy` recommended by https://man7.org/linux/man-pages/man7/string_copying.7.html * Resolved issues with ARM support (syscall filtering, disabled builds on all architectures but amd64) * Resolved issue with keyboard "jamming" when the clock goes backwards (https://forums.whonix.org/t/sdwdate-can-cause-system-time-to-jump-backwards-causing-issue-with-kloak/20433) * Increased the number of supported simultaneous input devices to cope with systems that have many input devices attached at once (like my development laptop) * Caused resources to be cleaned up when `panic` is called (based on advice from a "ChatGPT-4o mini" code review) ## Mandatory Checklist - [x] Legal agreements accepted. By contributing to this organisation, you acknowledge you have read, understood, and agree to be bound by these these agreements: [Terms of Service](https://www.whonix.org/wiki/Terms_of_Service), [Privacy Policy](https://www.whonix.org/wiki/Privacy_Policy), [Cookie Policy](https://www.whonix.org/wiki/Cookie_Policy), [E-Sign Consent](https://www.whonix.org/wiki/E-Sign_Consent), [DMCA](https://www.whonix.org/wiki/DMCA), [Imprint](https://www.whonix.org/wiki/Imprint) ## Optional Checklist The following items are optional but might be requested in certain cases. - [x] I have tested it locally - [x] I have reviewed and updated any documentation if relevant - [x] I am providing new code and test(s) for it (testing was done manually and may have to be in the future, I did NOT add an automated test suite) Fixes https://github.com/vmonaco/kloak/issues/31, https://github.com/vmonaco/kloak/issues/25, https://github.com/vmonaco/kloak/issues/35 ## Potential Issues I have attempted to make the syscall filter work properly, however it is only tested on my particular x86_64 and arm64 machines. It is entirely possible it will crash on other people's machines. In the event this happens, one can find out which syscall triggered the crash by running `journalctl -n50`, scrolling to the bottom, and looking for the last instance of the word `syscall` in the journal log fragment. This should pull up a kernel audit or seccomp audit line, containing a value similar to `syscall=21`. This is the number of the not-yet-whitelisted syscall that crashed the process. Find out which syscall that number corresponds to (look in `/usr/include/ARCH-linux=gnu/asm/unistd.h` to figure out which file contains the syscall table, then go to whatever that file happens to be, replace `ARCH` as appropriate for your system's architecture), then add that syscall name to the `SystemCallFilter` entry in `kloak/usr/lib/systemd/system/kloak.service` . Copy the file into place, `systemctl daemon-reload`, and `systemctl restart kloak`. This should either get kloak up and running, or result in another error pointing out a different syscall that isn't whitelisted yet.

Thanks to @arraybolt3!

Patrick · September 24, 2024, 10:21pm

Merged.

Add support for new devices attached after kloak starts by skyzzuu · Pull Request #67 · vmonaco/kloak · GitHub
Fix/#12 fix keyboard layout reset by OmarMesqq · Pull Request #73 · vmonaco/kloak · GitHub
notified, closed upstream tickets and pull requests that I previously opened, which are now fixed in our fork
enable qvm-service `gui-agent-virtual-input-device` for Whonix-Workstation App Qubes by default · Issue #8534 · QubesOS/qubes-issues · GitHub

mouse click obfuscation · Issue #51 · vmonaco/kloak · GitHub is functional as independently confirmed by two contributors.

arraybolt3 · September 24, 2024, 11:12pm

TypingDNA’s privacy policy is rather alarming IMO. I don’t think it’s necessarily something Whonix users should be using for testing purposes.

GitHub’s typing biometrics projects looked promising, but sadly there were only two that looked like they would be reasonably easy to get up-and-running. One of them turned out to be written in Python 2 and relied on a Python module that seemingly doesn’t exist anywhere anymore (perhaps the user accidentally failed to include some of the code they wrote). The other one wanted Python 3.7.2, trying to get it running on Python 3.12 was futile, and when trying to install Python 3.7.2 with pyenv, somehow Python 3.7.2’s code managed to get some part of the Python build process to segfault mid-build. So… yeah.

That leaves us with vmonaco’s test. While I was able to verify that it had an easy time picking out a device “frequency” without kloak, and a harder time picking one out with kloak, it still appears to have been designed for device fingerprinting, not user fingerprinting, which is a bit different. I also noticed that it required quite a lot of text input to get a good “read” on my behavior, and even then it seemed to be unsure and would sometimes change its mind if I typed for long enough. This makes me wonder whether it’s actually all that useful or not. Still, it seems to be the best one that exists.

arraybolt3 · September 25, 2024, 6:59pm

For users who are interested in trying out kloak within Whonix Workstation VMs on Qubes OS, you can now do so with a bit of manual effort. Work is underway to eventually make this unnecessary, but in the mean time here’s how you can enable it:

Launch a terminal in the whonix-workstation-17 template.
In whonix-workstation-17, run sudo apt install xserver-xorg-input-evdev. This is the X.Org evdev driver, which is necessary for the keyboard input method kloak requires.
In whonix-workstation-17, run sudo apt install kloak.
In dom0, run qvm-service whonix-workstation-17-dvm gui-agent-virtual-input-device on to enable the evdev-based input method.
Shut down whonix-workstation-17 and wait for it to fully shut down.
Launch a DispVM from whonix-workstation-17-dvm.
Open XFCE Terminal in the new DispVM.
Ensure you can type.
Run sudo systemctl stop kloak && sudo /usr/sbin/kloak -d250 & and ensure kloak starts properly.
Type a bit in the terminal, you should notice significant lag and randomized timing as what you type appears on the screen.
Press Ctrl+C to terminate kloak, then run sudo systemctl start kloak to start kloak with default settings again.
See Keystroke Deanonymization - Whonix if you want to set persistent settings that customize kloak’s behavior (like setting a longer input delay to allow better randomization of keystrokes and mouse movements).

In the event you accidentally lock yourself out of your Whonix Workstation VM while doing this, simply open a dom0 terminal and run qvm-service whonix-workstation-17-dvm gui-agent-virtual-input-device off, then shut down all Whonix Workstation VMs and start them up again. This will go back to the original input method.

Patrick · September 26, 2024, 2:24am

Potentially related issue:

Patrick · September 27, 2024, 2:31am

Kloak in dom0 · Issue #8541 · QubesOS/qubes-issues · GitHub

Patrick · September 30, 2024, 8:52am

Patrick · October 1, 2024, 6:40am

github.com/QubesOS/qubes-gui-daemon

Add X event buffering for cloaking user input patterns

QubesOS:main ← ArrayBolt3:main

opened 05:52AM - 01 Oct 24 UTC

ArrayBolt3

+213 -48

# Goal Implement the functionality of [kloak](https://github.com/Whonix/kloak…) (a tool designed to hide biometric behavior patterns in keystrokes and mouse movements) in qubes-gui-daemon. This PR will implement the functionality requested in https://github.com/QubesOS/qubes-issues/issues/1850 and fleshed out further in https://github.com/QubesOS/qubes-issues/issues/8541. It will also close https://github.com/QubesOS/qubes-issues/issues/8534 as it will no longer be necessary. # TODOs (or, why this is a draft): * Make the delay duration user-configurable (right now it's hardcoded to 150 milliseconds) * Allow configuring event delay duration for individual VMs buffering (right now it is applied equally to all VMs) * Ensure all new code adheres to Qubes OS standards (didn't have time to finish that up) * Test rigorously on Qubes R4.3 (an earlier iteration of the code has been smoke-tested on Qubes R4.2, this hasn't been tested at all on R4.3 yet) * Potentially change how events are treated (do some events have to operate in pairs for best results?). * Figure out why the domU window occasionally freezes until another input event is sent - we aren't buffering info coming from domU to dom0 so why this is happening is a mystery to me, and something for later investigation. # Rationale Kloak, the inspiration for this PR, is a user input buffering and obfuscation tool. It intercepts keyboard and mouse events at the evdev layer, holds them in a queue for release at a later scheduled time, then releases them to the applications they were intended for periodically. By adding random noise into the user's input patterns, kloak aims to make otherwise recognizable patterns in user behavior (such as keystroke rhythm and mouse movement patterns) too erratic to be used as a method of identifying the user. This is potentially very useful especially for Whonix Workstation domUs, as it denies an adversary access to a remarkably effective biometric fingerprinting mechanism they could otherwise access without specialized tools. Kloak is currently able to operate directly in Qubes domUs if (and only if!) `gui-agent-virtual-input-device` is enabled for the domU in question. Even in these instances, only keyboard events are anonymized, and additionally the domU must have an evdev X driver installed. This is less than ideal from a functionality standpoint, and as @DemiMarie has explained in https://github.com/QubesOS/qubes-issues/issues/8541 it will eventually stop working entirely. There's also the possibility of malware compromise in the domU resulting in the deanonymization of the user. For these reasons, enabling the use of evdev in domUs and running kloak in the domU is not a good solution. The other obvious option is to run kloak directly in dom0. This has several disadvantages: * kloak can now potentially wreak havoc on the user's ability to use their computer. If a bug in kloak locks up the keyboard, or the user does something inadvisable like setting a 20-second event delay, regaining control of the system could be difficult or impossible without doing a hard reset (or worse, booting an external USB in order to chroot into dom0 and disable kloak). * Application of kloak's functionality becomes all-or-nothing - you either anonymize all keyboard and mouse input everywhere, or you anonymize none of it. This could make management of dom0 annoying with larger delay times, and it could prevent the user from making use of applications or websites that require input pattern telemetry to function (such as some bank websites). * kloak's configuration options similarly apply globally. One might want a comfortable delay of only 25ms in a domU they expect to be safe, but wish to use an extremely long one like 1000ms in a domU they believe is compromised and actively exfiltrating data. With kloak running directly in dom0, this is impossible. This PR implements a third option - *inserting the functionality of kloak directly into qubes-gui-daemon.* kloak upstream never needs to be involved, only the functionality of it must be. This functionality I have termed "event buffering", and as this implementation works with X server events I have called it "X event buffering", or "xbuf" for short (which is the term used for it in the code). By working inside the GUI daemon, the following advantages are gained: * No evdev support needed at all, we can work with X events instead. * The amount of additional code needed is smaller. * Per-VM application and configuration of X event buffering is now possible - some VMs can use a small, comfortable delay, others can use a very long one, and others can skip delays entirely. * Even if something goes very wrong and buffering prevents the user from inputting anything into any Qube, the user retains control of dom0 and can recover their system from there. * A compromised domU with X event buffering enabled will be less likely to leak valuable biometric info to the malware within the VM. # How it works Most of the code should be fairly self-explanatory. In a nutshell, we use a tail queue to store a list of delayed, scheduled X events. As events come from dom0 to a domU, the event is captured, scheduled for release at a later time, and thrown into the queue. Events in the queue are regularly checked to see if their scheduled release time has arrived, and those events are released when appropriate. The only event we don't buffer is `ClientMessage`, as this event appears to be time-sensitive. It's likely that there are other events that may need to be excluded from interception. The only really tricky part (aside from proper X event handling) is the random delays in the scheduler. The original kloak application used libsodium to provide a convenient entropy source for the scheduler, but we don't have libsodium here and I didn't feel comfortable adding a dependency on it to qubes-gui-daemon. With this in mind, I searched for a small, decently fast PRNG that could be used, and settled on ISAAC, which was public-domain, supposedly cryptographically secure, and easily seeded using `/dev/random`. However, the original code was a bit of a mess and I had to modify it extensively to avoid causing potential naming conflicts or compilation failures. Even in its cleaned up state, it's still a bit rough, and I'm not sure if I chose the best generator for this purpose. This PR is not complete yet (it needs a lot more work to add configuration options, fix bugs, and fully test it, but this is what I have so far. Let me know what you think!

nurmagoz · October 1, 2024, 3:27pm

Isnt this an x11 method which doesnt work with pure wayland environment? i think using libraries like libinput or so better no?

Patrick · October 2, 2024, 4:09pm

This is the old, outdated, given up on approach.

Old approach:

The old approach for Qubes support was to make kloak work in Qubes.
Given up on.

New approach:

Not using evdev in Qubes.
Not using kloak in Qubes.
Based on @DemiMarie advice in QubesOS/qubes-issues#8541:
- The new approach is Add X event buffering for cloaking user input patterns by ArrayBolt3 · Pull Request #149 · QubesOS/qubes-gui-daemon · GitHub which adds kloak-like functionality (not kloak) directly to Qubes GUI daemon.
- Little of that pull request will work in pure Wayland.
  - This is because Qubes GUI agent needs to be rewritten for Wayland support
  - All of this needs to be re-invented for Wayland.
    - As long as Qubes GUI agent isn’t Wayland compatible, there is no way to have kloak-like functionality compatible with Waylnd in Qubes.

Patrick · October 2, 2024, 4:15pm

Patrick · October 5, 2024, 9:12am

Patrick · November 5, 2024, 4:27pm

github.com/Whonix/kloak

Inaccurate and contradictory information about default values

opened 04:12PM - 04 Nov 24 UTC

siliconwaffle

So in the readme, in kloak -h, and in the manpage, all 3 state that the default …maximum delay is 100ms and the default startup timeout is 100ms, when this is just not true. Default max delay is 20ms and default startup timeout is 500ms. Would also like to add that as far as I can tell the majority of people seem to be under the impression that kloak's default max delay is 200ms, I believe either because it might've used to be 200 or because maybe Whonix's default is 200 or perhaps because the readme quotes some numbers from a KeyTrac demo test, which uses a 200ms delay instead of the default. Nonetheless, this is kind of a silly oversight when kloak's **only** feature is keystroke delay. I'm not sure if it would be best to correct the kloak -h and readme and manpage, or if it would be best to adjust kloak's defaults to better match the docs, but I do think one of these two routes should be taken. Line 24 & 25 of src/main.c: `#define DEFAULT_MAX_DELAY_MS 20 // upper bound on event delay` `#define DEFAULT_STARTUP_DELAY_MS 500 // wait before grabbing the input device` Output of kloak -h: `Usage: kloak [options]` `Options:` ` -r filename: device file to read events from. Can specify multiple -r options.` ` -d delay: maximum delay (milliseconds) of released events. Default 100.` ` -s startup_timeout: time to wait (milliseconds) before startup. Default 100.` ` -k csv_string: csv list of rescue key names to exit kloak in case the` ` keyboard becomes unresponsive. Default is 'KEY_LEFTSHIFT,KEY_RIGHTSHIFT,KEY_ESC'.` ` -v: verbose mode`