tl;dr: Users of some hypervisors (VirtualBox, Qubes) may be distinguishable from users of other systems based on keyboard and mouse timing related fingerprinting. KVM (in at least some configurations) appears to be unaffected.
While fiddling with getting kloak to work on Qubes OS, I stumbled into some interesting behavior. I opened vmonaco’s device fingerprinting test (Device Fingerprinting) inside a whonix-workstation-17-dvm, typed around for a bit, and almost immediately saw the keydown graph develop eight very prominent “spikes”, each one with a value that was some multiple of 60Hz. This, according to the page, acted as a “device fingerprint”. This was obviously a bit worrying, so I tried turning on kloak and took the test again, and the test obtained a very similar fingerprint.
I then tested Whonix + VirtualBox on top of Kubuntu 24.04. This gave similar results - multiple spikes with values that were multiples of 60Hz appeared very quickly and kloak did not prevent them from being recognizable.
Kloak is intended to obfuscate user input rhythms (typing and mouse movements). The way kloak works is it intercepts keyboard and mouse events, places them in a queue, and schedules them for release at some time in the future. The specific time at which events are released has high-quality random jitter added to it, with the goal of making it difficult to obtain meaningful information by observing event timings.
In order to determine when to release an event, kloak uses an OS-provided clock (the current released version of kloak uses the realtime clock; future versions should use the monotonic clock to avoid keyboard lockups if the realtime clock goes backwards). Because the system’s clock is used for all event releases, a high-precision, high-frequency timer is beneficial. With a low-resolution timer, kloak will always release events at certain specific intervals correlating with the interval of the timer.
This is probably what’s causing VirtualBox and Qubes (Xen) to be easily fingerprintable - I would guess their clocks are not as high-frequency as a hardware clock would be. This would explain why inside VMs, a fingerprint is easily obtained with or without kloak, but on my physical Kubuntu 24.04 machine a fingerprint is only easily obtained without kloak and is much harder to obtain with kloak.
Interestingly, I launched a Lubuntu 24.04 VM using KVM (qemu-system-x86_64 -m 4G -smp 2 -enable-kvm -cdrom /path/to/lubuntu.iso), then opened vmonaco’s fingerprinting test there, and even without kloak it had a hard time getting a good fingerprint. Possibly KVM is providing a higher-frequency clock or maybe even passing through the system’s clock. Virtualization overhead would then introduce some jitter of its own which would explain why it couldn’t get a fingerprint very well. Not entirely sure if this is what’s happening, but it seems plausible to me.
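
The effect of a coarse clock on jittered release times, as an added example that is not part of the original post or of kloak's code: it simulates queued events released after a random delay and checks whether the inter-event intervals still fall on a fixed grid. The 60 Hz tick, the typing rhythm and the 100 ms maximum delay are constructed assumptions, and the grid check is a simple stand-in, not the method the fingerprinting test page uses.

```python
import math
import random

def release_times(n, max_delay_ms, tick_ms, seed=1):
    """Simulate delayed release of n key events (times in ms).

    tick_ms > 0 models a coarse clock: an event can only leave on a tick.
    tick_ms == 0 models a high-resolution clock.
    """
    rng = random.Random(seed)
    pressed = released = 0.0
    out = []
    for _ in range(n):
        pressed += rng.uniform(80, 250)               # constructed typing rhythm
        due = pressed + rng.uniform(0, max_delay_ms)  # random jitter
        due = max(due, released)                      # keep events in order
        if tick_ms > 0:
            due = math.ceil(due / tick_ms) * tick_ms  # wait for next clock tick
        out.append(due)
        released = due
    return out

def on_grid_fraction(times, freq_hz, tol=1e-6):
    """Fraction of inter-event intervals that are whole multiples of 1/freq_hz."""
    grid_ms = 1000.0 / freq_hz
    gaps = [b - a for a, b in zip(times, times[1:])]
    hits = sum(abs(g / grid_ms - round(g / grid_ms)) < tol for g in gaps)
    return hits / len(gaps)

def visible_frequencies(times, candidates=range(10, 241, 10), threshold=0.99):
    """Candidate frequencies whose grid explains nearly every interval."""
    return [f for f in candidates if on_grid_fraction(times, f) >= threshold]

if __name__ == "__main__":
    coarse = release_times(2000, max_delay_ms=100, tick_ms=1000 / 60)
    fine = release_times(2000, max_delay_ms=100, tick_ms=0)
    print("coarse clock:", visible_frequencies(coarse))
    print("fine clock:  ", visible_frequencies(fine))
```

With the coarse clock, every interval is a whole number of ticks regardless of the jitter, so the tick frequency and its multiples all fit the data; with the high-resolution clock no candidate grid fits.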