Red Team Lab Security Audit?

Now that Whonix is a decade old and widely respected, stable, and has an increasing user-base, one major issue is outstanding - an official security audit.

In light of recent security audits undertaken by OTF of OnionShare and the like, it is worth reaching out to see if they would consider Whonix as a suitable audit candidate.

The Whonix platform explicitly fits the bill of their Red Team Lab goals:

The Red Team Lab is one of several in-kind services offered by OTF. Through the Red Team Lab, OTF strives to accomplish the following:

  • To strengthen the security of open-source internet freedom software by providing auditing services. The lab offers third-party services focused on improving the software security of projects that advance OTF’s internet freedom goals. Audits ensure that the code, data, and people behind the tools have what they need to create a safer experience for people experiencing repressive information controls online.
  • To engage in public safety audits. This allows the lab to audit and reverse-engineer potential malicious apps deployed by governments or state-sponsored actors, which may be putting users at risk through a grave privacy and security overreach.

The lab will prioritize supporting the following projects:

  • Internet freedom efforts, tools, and software currently or previously supported by OTF
  • Efforts that fit within OTF’s remit, but for various reasons, may not be current or previous recipients of OTF funding

Projects the Lab seeks to support

Some examples of applications the Red Team Lab will review are the following:

  • An Internet freedom project seeking a security audit of their software
  • An Internet freedom project looking for short-term support for remediation of known vulnerabilities
  • An internet freedom project looking for a security architecture and design review in the early stages of a project from a trusted and capable third party

The ideal applicant is a software developer, project lead, systems administrator, or an information security technologist who can speak on behalf of a software project that has the ability to adequately respond to and maintain the lab’s output after the support is concluded.

In other words, Whonix would be a perfect candidate. Why not make contact?


Can this issue be revisited?
I started filling the form and although I can write everything, I feel this would be better written by someone with an overall knowledge of the project.

  • Describe your project in a few sentences.
  • What is the big challenge your project is trying to address or solve?
    • Insecurities in torifying applications via other methods, as tor is not enforce. Whonix enforces this because the only way to connect to the internet from the Workstation is through the Gateway. MORE THINGS HERE.
  • How is your project advancing free expression online directly or indirectly for those being repressed?
    • Providing a security by isolation software of a Workstation interacting solely with a Gateway that controls the connection to the Tor network. Anyone can use Tor Browser to surf on tyrannical regimes. MORE THINGS SHOULD BE INCLUDED HERE.
  • Who does your project help, who are the users, and how many of them are there?
    • Help users who use Qubes with Whonix as a qube that can be installed on the first boot. Also helps anyone that uses Tor. MORE THINGS SHOULD BE INCLUDED HERE.
    • Outdated census, Whonix ™ Census, Investors - Whonix
  • How much will it cost in USD? If you are seeking support from one of our service partners, leave the amount blank or put in zero. If you are a service partner, put in your estimate and then update this with the actual later.
    • 0?
  • What are the key objectives, outputs, or ideal scope of work you expect? A quick list is acceptable.
    • I expect malware that infects the Workstation to bypass the Gateway proxy.
  • What is the ideal timeline from start to finish?
    • 3 months? IDK
  • Please provide links to any source code repositories, app stores where the app is found, or if not publically available, how you will make them available to service partners.
  • If any special hardware or unique infrastructure is required to conduct this effort, please describe it here
    • Qubes, KVM, VirtualBox
  • If the project has been audited before, please briefly describe the scope and outcome of those assessments, providing links to reports if available.
    • No audits as far as I know

Or maybe focus on kicksecure defenses.


You mean maybe audit the RAM wipe feature only? That would be interesting. It’s a complex enough task to warrant it and would be a huge contribution that otherwise is unlikely to happen anytime soon. Also a more straight forward task for “hello”.

We’d need to add an extra chapter giving hints how to audit such a feature? Nothing new. Replicating the same method(s) the original cold boot attack authors described and performed in their paper.

  1. Should wait until this feature hits stable? It’s not much tested yet. Not even by me.

  2. Should wait for the future design to get implemented?

1 Like

Yes and yes. Not in the stable repo so maybe not even good to analyzed at this point, just something I think would be good if audited.

You mean maybe audit the RAM wipe feature only?

Yes, I also think this work is niche but will possible be very hard.

1 Like