
Risks of increasing RAM in VM for WN-Gateway/Workstation?

Hello. First, this project is really amazing and I’m blown away. Thank you Patrick and contributors for maintaining this!

My technical knowledge and understanding of Linux and Whonix is limited so I hope this question makes sense.

For info on tuning Whonix RAM: https://www.whonix.org/wiki/Tuning#Increase_Virtual_Machine_RAM
Tuning may give way to less important identifiers: https://www.whonix.org/wiki/Protocol-Leak-Protection_and_Fingerprinting-Protection#Less_important_identifiers

From the wiki I have gathered that by altering the default settings of the Virtual Machine, you may expose yourself to certain identifiers because they will not be consistent with others’ default VM setups.

I am currently using VirtualBox to run my WN Gateway and Workstation. I have already experimented and find that increasing RAM of both Gateway and Workstation within the VM (Settings > System > Motherboard > Base Memory) seems to result in a “snappier” and faster feel overall. However, even at 768MB of RAM (default) I am able to run many software processes at once and have had no issues with speed.

Are there any disadvantages to increasing my RAM other than possibly exposing myself to less important identifiers?
- For example, does increasing my RAM leave a bigger footprint in my host OS or internal/external devices after shutting down or is it all contained within the VM?
- Would an adversary with physical access have a longer window and potentially more data to work with?
- If it were possible to run a panic or kill switch to wipe the RAM would it take longer to wipe/obscure?

Or can we apply these questions to how much RAM my CPU has? For example, CPU contains 2GB vs 4GB vs 8GB RAM independent of VM allocation. Will more RAM grant more opportunity for an adversary?

I’m trying to better understand Cold Boot or Evil Maid Attacks outlined: https://www.whonix.org/wiki/Advanced_Security_Guide#Cold_Boot_Attacks

> Are there any disadvantages to increasing my RAM other than possibly exposing myself to less important identifiers?

Probably not a topic to worry much about.

> - For example, does increasing my RAM leave a bigger footprint in my host OS or internal/external devices after shutting down or is it all contained within the VM?

TODO research (minor)

This means, I am not aware of anyone knowing this and someone would have to research, test, check this to find the answer.

> - Would an adversary with physical access have a longer window and potentially more data to work with?

TODO research (minor)

> - If it were possible to run a panic or kill switch to wipe the RAM would it take longer to wipe/obscure?

TODO research (minor)

> Will more RAM grant more opportunity for an adversary?

Probably not.

It does seem very difficult for an adversary to have ideal conditions to execute RAM-specific attacks. Maybe the most ideal being they are able to catch you off guard, in a public library, with all your connections and computers actively running before you can shut down, and having someone on hand with the tools to perform said attack along with some liquid nitrogen cooling.

Meaning, they’d have to have the specific intent of cold booting your system, rather than just seizing everything they can. Possibly cut the power to the building you’re in and swarm on you before you can react. Or a more deceptive scenario of social engineering themselves into gaining physical access while you are actively using your computer. I wonder how many would warrant this kind of targeting.

In some broad articles I’ve read, countermeasures discussed seem to involve full RAM encryption. Effective and simpler measures discussed focus on stalling for as long as possible, allowing for full shutdown and time for RAM to wipe. Having faster DRAM (DDR3, DDR4) may wipe quickly enough after a power down. Also, implementing an overload script which writes a ton of data to RAM, obscuring it and making it difficult to analyze, may hinder attackers.

As for evil maid attacks, maybe a BIOS/UEFI password would stall some attackers, and/or loading your boot files separately onto a thumb drive which you always carry on your person, and/or blocking access to your hardware by sealing or locking your laptop case.

Anyway, I’ve strayed pretty far from Whonix itself and have gone into extreme threat hypotheticals. I see now why VM RAM allocation is likely a non-issue or a very minor issue. Thank you for your responses.
