Is type-2 hypervisor more safe than type-1 hypervisor?

Whonix is developed for use under VirtualBox and QEMU/KVM. I want to discuss if one of them is more protected than the other. Both these hypervisors use kernel drivers for I/O. This is the general overview of an attack for the context of this discussion: a Whonix user connects to an Internet service such as a remote SSH server. Whonix is virtualized inside VirtualBox inside one physical computer. The SSH server is compromised by an adversary by whatever means it takes and sends a special payload to the Whonix workstation. The payload exploits a vulnerability inside the part of the VirtualBox kernel driver made for network data processing for remote arbitrary code execution on the host or data exfiltration from the host. The key point of this attack is that there is an adversary that can send the Whonix user some data over the Internet in order to do a virtualization escape. This is how the threat can be generalized. It doesn’t have to be done exactly over SSH, nor does it have to be done through networking stack exploitation, though this is the most intuitive method to imagine. I may seem too pessimistic when I assume there are vulnerabilities inside VirtualBox kernel drivers for network data processing. The scenario I highlighted is known to me to be possible only when the attacker has normal program execution access inside the VM, as can be done with CVE-2014-0983. For an example look here: https://www.coresecurity.com/core-labs/publications/breaking-out-virtualbox-through-3d-acceleration.

For the attack scenario I described I assume this is how the key components of the VirtualBox software are chained together:
Guest OS <-> Guest OS device driver <-> VirtualBox kernel driver

The main phase of exploitation occurs in the VB kernel driver since it is responsible for parsing many types of internal VB data structures such as graphics or network I/O.

I think we can imagine the same chaining in the case of QEMU/KVM as both VB and QEMU/KVM live inside kernelmode and usermode of the host simultaneously.
Guest OS <-> Guest OS device driver <-> KVM kernel driver

Is it correct that neither type-1 nor type-2 hypervisors provide any inherent security properties that protect against such attacks? How could I protect against such attacks if I wish to use Whonix?

Is type-2 hypervisor more safe than type-1 hypervisor?

No, it’s the opposite. Type-1 hypervisors run directly on the hardware without the need for an underlying operating system, thereby reducing the attack surface. This results in increased security and more efficient utilization of resources (security through design).

When it comes to exploiting the GPU, whether through 3D Acceleration in VBox or virtio-gpu in KVM, these are recognized security vulnerabilities that Whonix cannot address. However, Whonix does not use or enable these features by default.

Further reading: Why Use KVM Over VirtualBox?

Or it's all over the internet why KVM (hypervisor type-1) is more secure than VirtualBox (hypervisor type-2).

I didn’t see much definitive evidence on the Internet or Whonix forums why KVM is more secure in my scenario. QEMU/KVM are said to have better development communities which try to fix common software vulnerabilities, such as Spectre or Meltdown, in contrast to VirtualBox’s developers, and it doesn’t reflect the topic of my messages. KVM is also said to be very copyleft compliant but VB isn’t. This is not a security issue at all. KVM and VB are even similar in their architecture even though they are called hypervisors of different types. If you are right that type-1 hypervisors are more secure than type-2 under this model then I think I got it wrong how KVM and VB work on the OS level.

VirtualBox Integration chapter Whonix VirtualBox versus Other Virtualizers in Whonix wiki

This is a general computer security question and unspecific to Whonix.

Dev/VirtualBox - Kicksecure chapter VirtualBox Open Source vs Closed Source in Kicksecure wiki

Maybe nothing directly. Hardening might help against future exploits but it is of course not guaranteed. Best you can do is attempt to break the exploit chain. That is, not becoming a target in the first place, not having the Linux user account “user” compromised, because often vulnerabilities require root or kernel level access.

There is usually no “ah, push that button, run that command” answer possible because it would beg the question why this isn’t the default already.

Better protections most likely require further development which isn’t likely without contributors working towards it inside and outside of Whonix. Related:

Don’t get hung up on the stupidity of type 1 vs 2 semantics. A badly written type 1 can be worse than a well written type 2 and vice versa. Now to answer the question itself, it is not clear what category KVM falls under since it has a unique hybrid design: virtualization - Is KVM a type 1 or type 2 hypervisor? - Server Fault

My biased opinion on the VBox vs KVM question is on the wiki page with sources, but it has little to nothing to do with type 1 vs 2.

You throw around terms without any attention to details. There are two paravirtual modes for KVM devices - virtio and vhost. The latter is kernel based and is therefore better performing; however, it sacrifices the isolation methods that virtio is placed under as a regular user process, subservient to the kernel and its user-access isolation mechanisms. I always selected guests run with virtio. VBox has been adopting virtio as well, but I have no idea how well it is integrated in their code.

2 Likes
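A way to check a KVM guest for the two exposures named in this thread, the in-kernel vhost network backend and GPU 3D acceleration, is to audit its libvirt domain XML. This is an added example, not part of any post above and not Whonix's own tooling; the domain XML is a constructed sample and `audit_domain` is a hypothetical helper name. It relies on libvirt naming the userspace virtio backend `qemu` and the kernel one `vhost`.

```python
import xml.etree.ElementTree as ET

# Constructed sample domain XML (not taken from Whonix or any real guest).
SAMPLE_DOMAIN = """
<domain type='kvm'>
  <devices>
    <interface type='network'>
      <model type='virtio'/>
      <driver name='qemu'/>
    </interface>
    <interface type='network'>
      <model type='virtio'/>
    </interface>
    <interface type='network'>
      <model type='virtio'/>
      <driver name='vhost'/>
    </interface>
    <video>
      <model type='virtio'>
        <acceleration accel3d='yes'/>
      </model>
    </video>
  </devices>
</domain>
"""

def audit_domain(xml_text):
    """Return a list of findings about host-kernel and GPU exposure."""
    findings = []
    root = ET.fromstring(xml_text)
    for idx, nic in enumerate(root.findall("./devices/interface")):
        model = nic.find("model")
        if model is None or model.get("type") != "virtio":
            continue  # the qemu/vhost backend choice only applies to virtio NICs
        driver = nic.find("driver")
        backend = driver.get("name") if driver is not None else None
        if backend == "vhost":
            findings.append(f"nic{idx}: vhost kernel backend")
        elif backend is None:
            # libvirt tries vhost first when no backend is named
            findings.append(f"nic{idx}: backend not pinned, vhost may be used")
    for accel in root.findall("./devices/video/model/acceleration"):
        if accel.get("accel3d") == "yes":
            findings.append("video: 3D acceleration enabled")
    return findings

if __name__ == "__main__":
    for line in audit_domain(SAMPLE_DOMAIN):
        print(line)
```

On a real host the XML would come from `virsh dumpxml <guest>`; an empty result means every virtio NIC is pinned to the userspace backend and no video device requests 3D acceleration.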