Survey: consideration to drop VirtualBox support for Linux users

TLDR:

As a Linux user(!), would you mind using Whonix with KVM instead of VirtualBox?

How important is VirtualBox to you, if you could use KVM instead?

What features in VirtualBox do you believe are superior to KVM?

Which things in KVM do you dislike?

Long:

This one needs user feedback.

First of all, relax. Nothing has been decided yet. I am just thinking aloud. Without the controversy, there cannot be real progress.

Maybe it is too early to even think about this yet, because running Whonix in KVM development hasn’t finished yet. However, if development continues at current speed, I predict it won’t be long until we can open it up for wider testing.

One of Whonix’s biggest usability failures is that there is no easy, secure and recommended way to get files inside a VM and to back up from VMs. We only have a list of methods (https://www.whonix.org/wiki/File_Transfer), but none of these is ideal.

Jason just started a much-needed development discussion about this (https://github.com/Whonix/Whonix/issues/131). I added an overview of the current status and my thoughts to that thread.

Moreover, I tried to come up with a usable yet secure solution, that is:

Windows users:

  • recommend to use USB extensions
  • they’re using lots of closed source software already anyway
  • they’re downloading and blindly trusting VirtualBox in binary form from Oracle without GPG verification already anyway; the closed source USB extensions shouldn’t make it any worse
  • we add screenshot / video instructions for installing and using this feature
  • file transfer question solved

Linux users:

  • recommend to use KVM over VirtualBox
  • they’re accustomed to using more difficult solutions already anyway
  • there are reasons for Use KVM Over VirtualBox anyway
  • if this solution is as simple as it seems, the file transfer issue would be solved

Thoughts?

I need to remind myself… Arguments for keeping VirtualBox Support Still valid?

Now, what does “drop VirtualBox support” mean? Nothing is as bad as it looks. Since VirtualBox support has been implemented for a long time, is stable, needs very little maintenance and has to be maintained for Windows users anyway because on Windows KVM is unavailable… We won’t stop producing VirtualBox builds. Just, for Linux users the default and recommended way to use Whonix will be KVM, not VirtualBox. KVM will be better tested. Running Whonix in VirtualBox will still be possible. But… When the question arrives, “On a Linux host, what is the best way to transfer files between host and VM”, the answer will be “use Whonix with KVM”.

I’m not familiar with KVM, but will throw my experience with VirtualBox Whonix into the mix here.

Been using VirtualBox Whonix on a Debian 64-Bit host for the past couple years.

On the host machine, I constantly run over a dozen simultaneous Whonix VMs (gateways + workstations), along with a few other Debian VMs.

Each Whonix VM is used for separate computing functions/purposes, where total identity isolation is needed.

I have solved the file transfer problem with the SSH Hopping method via a shell script on my host to help streamline the process into the various Whonix VMs.

Overall the setup works out quite well, where I can access several Whonix desktops on the fly at once and relatively easily transfer files between Host and VMs and VM to VM.

All I use my Debian host machine for is to host and directly access my several VMs in VirtualBox, including Whonix VMs on the host monitor.

Another important thing is I use full disk encryption for the Debian host as well.

I’m not sure if KVM would install within a host operating system, like my existing Debian host. Or if it replaces the host operating system as a hypervisor where I would have to reinstall on my machine.

If I can accomplish the key things I need and would have a better, more secure system on KVM, then I’d be for it.

I need:

  • Multiple Simultaneous Whonix and Debian VMs
  • Convenient File Transfer Between VMs
  • Strong Full Disk Encryption on the base OS

Some thoughts:

Now, what does “drop VirtualBox support” mean? Nothing is as bad as it looks. Since VirtualBox support has been implemented for a long time, is stable, needs very little maintenance and has to be maintained for Windows users anyway because on Windows KVM is unavailable… We won’t stop producing VirtualBox builds. Just, for Linux users the default and recommended way to use Whonix will be KVM, not VirtualBox. KVM will be better tested. Running Whonix in VirtualBox will still be possible.
From my perspective this is very important. That is to say, I wouldn't support a complete drop of VirtualBox on Linux. First and foremost, http://www.linux-kvm.org/page/FAQ#What_do_I_need_to_use_KVM.3F tells me (disclaimer: I'm not familiar with KVM (yet)) that KVM urgently needs Intel VT and/or AMD-V. This is a showstopper! While Whonix certainly performs better with hardware virtualization, we shouldn't drop support for lower-end machines on Linux (especially not on Linux). We are looking at it from a "developed" world, i.e. from a biased perspective. I'm thinking about users from "developing" countries here (prospective "Whonix Light" users) without access to high-end machines. Thinking this further, these people are (from a financial perspective alone) very much dependent on a Linux Host OS.

That is not to say that I do not agree with the advantages of using KVM on Linux (by reading your arguments). I’m just trying to point out the drawbacks here (mostly social - see below, technically - hardware virtualization only = big no go!).

Social: Another drawback of such a decision (even the recommendation to use KVM over VirtualBox on Linux + implications) imho is this: Patrick publicly stated several times already that a major goal of the Whonix Project is widescale adoption of Whonix OS (as widescale as it gets, that is). From my perspective, dropping support for VirtualBox on Linux raises the opportunity cost of switching to Linux as a host OS (for a newbie/Windows user, that is) …

Linux users: they’re accustomed to using more difficult solutions already anyway
While it's true that geeks (Patrick, Jason, me, others) have Linux running on a toaster (certainly all self-built), this imho isn't the target group we should be worried about here. If I were a maintainer of Whonix, a major goal of the Project would be to migrate as much of its users to a full-FDE Linux host OS (away from Windows) and actively promote this wherever possible. Let's be realistic here, running Whonix OS on top of a Windows host OS is crazy to say the least. If one has the slightest idea of IT security, one knows that pwning a Windows PC (and I mean a totally random Windows PC here) is a piece of cake. Furthermore, Windows XP is nearing EOL and it has a huge marketshare. Now, if some user gets a first idea of using Whonix OS through VirtualBox on Windows, the decision to support (or much worse, from a longer perspective, produce) a VirtualBox version of Whonix OS on Linux, will imho lead to a much higher percentage of users sticking to a Windows host OS. This is bad!

That would work.

[quote=“graymatter, post:2, topic:175”]If I can accomplish the key things I need and would have a better, more secure system on KVM, then I’d be for it.

I need:

  • Multiple Simultaneous Whonix and Debian VMs
  • Convenient File Transfer Between VMs
  • Strong Full Disk Encryption on the base OS[/quote]
Would all be possible with KVM.

A good point raised on the whonix-devel mailing list by M. Edward (Ed) Borasky was that VirtualBox is not in the Fedora repository for licensing reasons, but KVM is.

Nevertheless, I have to agree with a few of Cerberus’ points.

KVM urgently needs Intel VT and/or AMD-V. This is a showstopper!

If Intel VT and/or AMD-V is a requirement, that is indeed a showstopper. Maybe. I am not entirely sure about this. Unlike Tails, Whonix started without the requirement to support the lowest-performance systems. Getting rid of legacy resulted in simplification and accelerated development. Whonix filled up a certain niche.

Some hard data about how widespread Intel VT and/or AMD-V is (not) in different countries would help.

Maybe while we’re adding KVM support, we can also add QEMU support? Maybe QEMU is a substitute for systems without Intel VT and/or AMD-V? Perhaps there is even a wrapper that autodetects QEMU/KVM?

Let's be realistic here, running Whonix OS on top of a Windows host OS is crazy to say the least.
I generally agree. Perhaps it also depends on which adversary you're up against? I guess if you're in a non-US controlled country, Windows works better than in US controlled countries? Sure, Linux would still be better.
Windows XP is nearing EOL and it has a huge marketshare
What impact will that have? I guess a huge share will stick with it anyway, others will upgrade, some will buy new hardware to run more recent Windows, a minority will switch to Linux.
Now, if some user gets a first idea of using Whonix OS through VirtualBox on Windows, the decision to support (or much worse, from a longer perspective, produce) a VirtualBox version of Whonix OS on Linux, will imho lead to a much higher percentage of users sticking to a Windows host OS. This is bad!
I wouldn't be surprised if most Whonix users are using Whonix on Windows hosts. Dropping support for Windows would result in a few switching to Linux, getting the transition done faster. On the other hand, in the longer term, without having any Whonix available on Windows, users will just stick to the usual rat out services. Whonix is a good advertisement for and a good way to get to know Linux.

I have a long standing improvement on my todo list. Using Whonix-Gateway to fingerprint its host. And when it’s Windows, educate and warn about it. Also having some “remind me in 3 days | remind me later | do not remind me” thing could help. That fingerprinting could be difficult. I thought about using nmap’s OS fingerprinting feature on the virtual LAN to the host. Haven’t had success yet. A simpler implementation could be to just ask the user what its host operating system is and use that. Or have a Windows version that has some status_file that indicates that this has been downloaded by a Windows user (maintenance overhead).
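The open question above (does KVM need Intel VT/AMD-V, and can plain QEMU stand in when it is absent) can be answered per host from the CPU flags and the presence of /dev/kvm. The following is an added example, not code from this thread or from the Whonix project; the function names and the constructed cpuinfo samples are assumptions.

```shell
#!/bin/sh
# Added example (not from the Whonix thread): classify whether a Linux host can run
# KVM-accelerated guests or must fall back to plain QEMU (TCG software emulation).
# The cpuinfo text and the /dev/kvm state are passed as arguments so the logic can
# be exercised offline against constructed samples.

# classify_virt CPUINFO_TEXT HAS_DEV_KVM(0|1)
# Prints one of: kvm-intel, kvm-amd, kvm-unavailable, tcg-only
classify_virt() {
    cpuinfo="$1"
    has_dev_kvm="$2"
    # Intel VT-x shows up as the "vmx" flag, AMD-V as "svm" (whole-word match,
    # so "sse"/"vme" do not trigger a false positive).
    if printf '%s\n' "$cpuinfo" | grep -qw vmx; then
        vendor=intel
    elif printf '%s\n' "$cpuinfo" | grep -qw svm; then
        vendor=amd
    else
        # No hardware virtualization: KVM cannot accelerate, only QEMU's TCG works.
        echo tcg-only
        return 0
    fi
    if [ "$has_dev_kvm" = 1 ]; then
        echo "kvm-$vendor"
    else
        # CPU advertises the extension but /dev/kvm is missing: the kvm module is
        # not loaded or virtualization is disabled in firmware (BIOS/UEFI).
        echo kvm-unavailable
    fi
}

# Constructed sample /proc/cpuinfo flag lines (not captured from real machines).
SAMPLE_INTEL='flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx lm vmx'
SAMPLE_AMD='flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx lm svm'
SAMPLE_OLD='flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2'

# Live check on the machine this runs on; reports tcg-only where /proc/cpuinfo is absent.
check_this_host() {
    if [ -r /proc/cpuinfo ]; then
        dev=0
        [ -e /dev/kvm ] && dev=1
        classify_virt "$(cat /proc/cpuinfo)" "$dev"
    else
        echo tcg-only
    fi
}
```

A result of kvm-unavailable on a machine whose CPU has the flag usually means virtualization is switched off in firmware rather than a hardware limitation.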

While there is some truth about the insecurity of Windows, I don’t believe it to be a valid argument too much.

The truth is, most people use Windows and minority & advanced users use Linux. Other than being a closed source and a potentially backdoored operating system, I believe for many (if not most) people it might be better to use Windows as a host operating system. Why?

1- Ease of use, cost of use (time, resource) is usually more important than using the more/most secure system. The best would be the combination of them (Qubes + Windows-Whonix-… etc.?)
2- In Windows, there are much more (+easy to use) already built programs-tools to have a better control over most of the things (network requests, program permissions, etc.)
3- Even when 2 is false, consider the required knowledge to have the same control level over Linux. GUI is a different big topic.
4- The weak point is almost always the user, not the operating system itself. Windows being insecure is generally the result of the dumbness of users, which are the majority.
5- Recently released programs are making Windows the most secure it has ever been. Windows could be very secure-private when used with the right tools such as EMET, HIPS, firewall, anti-loggers, DNS proxy, exploit blocker, IP list blocker, etc.

Edit: We could suggest the simplest and most effective approaches for Windows users (assuming the majority of Whonix users are Windows users) such as:

1- protecting VirtualBox processes with the latest EMET release (which would effectively block any zero-day exploit)

2- firewall whitelisting for VirtualBox.exe with Tor IP list (i.e. same thing as corridor?).

Optionally:

3- Using an IP blocker such as PeerBlock with major lists enabled. This is very effective, some examples:

  • Block every IP 0.0.0.0-255.255.255.255, only allow Tor IPs and/or other mostly used services/websites.
  • Use Microsoft block list, which would block any call-home.
  • Use Bogon block list.
  • Use major block lists which include most governments, corporations, etc. (i.e. Big Brother)

The real gain is combining such different security layers so even if one or some of them gets passed, passing all of them is very difficult.

You can’t ship “hardened Windows” or any Windows at all due to licensing. ReactOS is still far far away.