Testers Wanted!

Download the 15.0.0.8.7 release of Whonix KVM:

Download Kicksecure KVM:

Alternatively, in-place release upgrade is possible upgrade using Whonix testers repository.

Highlights

• Add vanguards, which protects against guard discovery and related traffic analysis attacks and fixes CVE-2020-8516 Hidden Service deanonymization.
• Implement TCP ISN CPU Information Leak Protection to prevent de-anonymization of Tor onion services by installing Tirdad kernel module for random ISN generation.
• Extensive security hardening and updated packages.

This release would not have been possible without the numerous supporters of Whonix!

Please Donate!

Please Contribute!

Notable Changes

• Add vanguards - protects against guard discovery and related traffic analysis attacks.
  • CVE-2020-8516 Hidden Service deanonymization

    • The daemon in Tor through 0.4.1.8 and 0.4.2.x through 0.4.2.6 does not verify that a rendezvous node is known before attempting to connect to it, which might make it easier for remote attackers to discover circuit information.

    • vanguards fixes this
  • use vanguards from packages.debian.org
  • enable vanguards by default, install by default
  • added vanguards documentation
  • vanguards - Additional protections for Tor Onion Services - #11 by Patrick
• Implement TCP ISN CPU Information Leak Protection.
  • TCP ISN CPU Information Leaks can be used de-anonymize Tor onion services. tirdad fixes that.
    • An analysis of TCP secure SN generation in Linux and its privacy issues
    • Tirdad kernel module for random ISN generation
    • Tor Project bug report: Add research idea for Linux TCP Initial Sequence Numbers may aid correlation
    • research paper: Hot or not: revealing hidden services by their clock skew
    • Whonix ticket
  • Install tirdad by default.
• security-misc - Kernel Hardening; Protect Linux User Accounts against Brute Force Attacks; Improve Entropy Collection; Strong Linux User Account Separation; Enhances Misc Security Settings
  • add security-misc documentation of stable security features, testing security features and experimental security features
  • experimental SUID Disabling and Permission Hardening
    • A systemd service removes SUID / GUID from non-essential binaries as these are often used in privilege escalation attacks. It is disabled by default for now during testing and can optionally be enabled by running systemctl enable permission-hardening.service as root.
    • SUID Disabler and Permission Hardener
    • harden ping
  • git diff a99dfd067ac8a43bdcd779cf57b3533bdaa404fb 163e20b886f298cb9d3aca54c14f66991001b396 (diff to huge for github)
  • Enables mitigations for the L1TF (L1 Terminal Fault) vulnerability. (This is interesting when using security-misc or Kicksecure.)
  • unconditionally enable all CPU bugs (spectre, meltdown, L1TF, …) this might reduce performance (This is interesting when using security-misc on the host or using Kicksecure as host operating system.)
    • spectre_v2=on
    • spec_store_bypass_disable=on
    • tsx=off
    • tsx_async_abort=full,nosmt
    • Should all kernel patches for CPU bugs be unconditionally enabled? Vs Performance vs Applicability
  • The MSR kernel module is blacklisted to prevent CPU MSRs from being abused to write to arbitrary memory.
  • Vsyscalls are disabled as they are obsolete, are at fixed addresses and are a target for ROP.
  • Page allocator freelist randomization is enabled.
  • The vivid kernel module is blacklisted as it’s only required for testing and has been the cause of multiple vulnerabilities.
  • An initramfs hook sets the sysctl values in /etc/sysctl.conf and /etc/sysctl.d before init is executed so sysctl hardening is enabled as early as possible.
  • The kernel panics on oopses to prevent it from continuing to run a flawed process and to deter brute forcing.
  • Improve Entropy Collection
    • Load jitterentropy_rng kernel module.
    • Distrusts the CPU for initial entropy at boot as it is not possible to audit, may contain weaknesses or a backdoor.
      • (Disable trusting RDRAND)
      • random.trust_cpu=off
      • RDRAND - Wikipedia
      • https://twitter.com/pid_eins/status/1149649806056280069
  • remount /home, /tmp, /dev/shm and /run with nosuid,nodev (default) and noexec (opt-in). To disable this, run “sudo touch /etc/remount-disable”. To opt-in noexec, run “sudo touch /etc/noexec” and reboot (easiest). Alternatively file /usr/local/etc/remount-disable or file /usr/local/etc/noexec could be used.
    • Experimental. Not enabled by default.
    • (re-)mount home [and other?] with noexec (and nosuid [among other useful mount options]) for better security?
    • More work needed. Help welcome!
  • fix pam tally2 check when read-only disk boot without ro-mode-init or grub-live
  • fix xfce4-power-manager xfpm-power-backlight-helper pkexec lxsudo popup
  • do show lxqt-sudo password prompt if there is a sudoers exception
  • improved pkexec wrapper logging
  • installation fix in case when user “user” does not exists
  • better output if trying to login with non-existing user
  • add user “user” to group “console” in Whonix and Kicksecure
  • Lock user accounts after 50 rather than 100 failed login attempts.
• Linux Kernel Runtime Guard (LKRG)
  • Protect your System Security. Kernel Security Hardening.
  • Kills whole Classes of Kernel Exploits. Linux Kernel Runtime Integrity Checking and Exploit Detection.
  • easy installation (sudo apt install lkrg) for users of Whonix, Kicksecure.
  • also available for Debian hosts
  • also available for Qubes OS Debian templates and Qubes-Whonix
  • work with LKRG upstream to fix LKRG VirtualBox host support
  • packaging enhancements, Any standard Debian build tools can be used. For example. Quick and easy. “dpkg-buildpackage -b”
  • Disable “System is clean!” message to avoid spamming dmesg and tty1.
  • tirdad compatibility
  • Installation by default in Whonix and Kicksecure probably in one of the next stable releases.
• console lockdown
  • Allow members of group ‘console’ to use console. Everyone else except members of group ‘console-unrestricted’ are restricted from using console using ancient, unpopular login methods such as using /bin/login over networks, which might be exploitable. (CVE-2001-0797) Using pam_access.
• Protect Linux user accounts against brute force attacks.
  • Lock user accounts after 50 failed login attempts using pam_tally2.
• update Tor to version 0.4.2.6-1
  • (tor_0.4.2.6-1~d10.buster+1_amd64.deb from deb.torproject.org)
  • Tor 0.4.25 release how can we upgrade
  • Onion Services DDOS Defense Tor 0.4.2.5
• full /etc/torrc.d/*.conf configuration snippet drop-in folder support
  • torrc.d cleaner
• update Tor Browser to version 9.0.4
• work on hardened Linux kernel for VMs and hosts
  • build CI builds on Travis CI
  • but integration with APT and packaging not done. Help welcome!
• VirtualBox
  • upgrade VirtualBox to 6.1.2
    • get VirtualBox from Debian sid and recompile for Debian buster
  • revert to vmsvga grapics controller settings due to issues
• work on fixing arm64 / RPi builds but not finished. Help welcome!
• Onion Services Authentication
  • document Onion Services Authentication for v3 onions
  • anon-auth-autogen(8) – Tor Authenticated Onion Service Configuration Generator
  • anon-server-to-client-install(8) – Tor Authenticated Onion Service “.auth_private” file (private key) Server to Client Installer
  • Onion Services Authentication
• No longer install serial-console-enable by default due to issues. See also Serial Console.
• No longer install firejail by default because of these reasons.
• development of apparmor-profile-everything - AppArmor for everything. APT, systemd, init, all systemd units, all applications. Mandatory Access Control. Security Hardening.
  • Comparing f3140ea2153fcee68a901ef0c86d552d6fa0ec3e...ffbe4873836b7bc364f3bfee1fef56ba8fd9b0be · Kicksecure/apparmor-profile-everything · GitHub
  • Comparing ffbe4873836b7bc364f3bfee1fef56ba8fd9b0be...63fdd0312a81f878d266ae9197803ccbd6bc18df · Kicksecure/apparmor-profile-everything · GitHub
  • but more work is needed such as multiple boot modes for better security: persistent user | live user | persistent secureadmin | persistent superadmin | persistent recovery mode before it gets installed by default
• corridor - Tor traffic whitelisting gateway and leak tester
  • merge upstream changes
  • and improved Debian host support
• grub-live - Boot your existing, installed Debian Host into Live Mode with GRUB LIVE
  • usability, output enhancements
  • Whonix ™ Live Mode - Stop Persistent Malware
  • added compatibility with restrict hardware information to root for Live Mode Indicator Systray
  • fixed Live Mode Indicator Systray to detect ro-mode-init
• Hardened Malloc - Hardened Memory Allocator for many Applications to increase Security. Debian packaging fork only.
  • packaging enhancements, no longer depend on genmkfile, fix, use same version number as upstream (2.0)
• fix
  • numerous apparmor profile enhancements
  • disksd[572]: failed to load module crypto: libbd_crypto.so.2: cannot open shared object file: No such file or directory
  • onioncircuits started from tor-control-panel by running it under user debian-tor rather than root
• remove Whonix specificity (default config file) from onion-grater (Whitelisting filter for dangerous Tor control protocol commands)
• dsudo - add sudo askpass wrapper for automated testing
  • I.e. as long as password is set to changeme one can use dsudo and will not be asked to enter the default password.
• kloak
  • Keystroke-level online anonymization kernel: obfuscates typing behavior at the device level.
  • against Keystroke Deanonymization
  • packaging enhancements, no longer depend on genmkfile, can be build using standard Debian packaging tools, apparmor enhancements
• Qubes-Whonix
  • refactoring /usr/lib/qubes-whonix/init/network-proxy-setup
  • Qubes-Whonix Security Disadvantages - Help Wanted!
• swap-file-creator
  • Added ENOUGH_RAM setting which defaults to 1950 MB RAM. If there is more than enough RAM, no swap file will be created.
  • fix Non-Qubes-Whonix Whonix-Gateway slow boot
• Tor Browser Starter / Downloader by Whonix developers
  • Disable security slider question at first start since broken
  • Check for noexec.
  • Remount exec.
  • work on Qubes DispVM exec / noexec
• whonix-firewall: fix, don’t lock down network if IPv6 isn’t available and thereby no need to firewall, apparmor profile added in complain mode
• research and documentation of entropy / randomness generation
• created debug-misc - Opt-in package which enables miscellaneous debug settings for easier debugging. (Replaces grub-output-verbose.)
• No more verbose output during boot to prevent kernel info leaks.
• Rebrand Whonix as a research project.
  • old: “Whonix is experimental software. Do not rely on it for strong anonymity.”
  • new: “Whonix is a research project.”
• i2p inside Whonix-Workstation fixes etc

Full difference of all changes

diff too large for github to show, therefore split into two:

• https://github.com/Whonix/Whonix/compare/15.0.0.7.1-developers-only...15.0.0.8.0-developers-only
• https://github.com/Whonix/Whonix/compare/15.0.0.8.0-developers-only...15.0.0.8.7-developers-only

About Whonix

Whonix is being used by Edward Snowden, journalists such as Micah Lee, used by the Freedom of the Press Foundation and Qubes OS. It has a 7 years history of keeping its users safe from real world attacks. [1]

The split architecture of Whonix relies on leveraging virtualization technology as a sandbox for vulnerable user applications on endpoints. This is a widely known weakness exploited by entities that want to circumvent cryptography and system integrity. Our Linux distribution come with a wide selection of data protection tools and hardened applications for document/image publishing and communications. We are the first to deploy tirdad, which addresses the long known problem of CPU activity affecting TCP traffic properties in visible ways on the network and vanguards, an enhancement for Tor produced by the developers of Tor, which protects against guard discovery and related traffic analysis attacks. Live Mode was recently added. We deliver the first ever solutions for user behavior masking privacy protections such as Kloak. Kloak prevents websites from recognizing who the typist is by altering keystroke timing signatures that are unique to everyone.

In the future we plan to deploy a hardened Linux kernel with the minimal amount of modules needed to get the job done, an apparmor profile for the whole system, as well as LKRG, the Linux Kernel Runtime Guard, which kills whole classes of kernel exploits.

[1]

• https://twitter.com/Snowden/status/1165607338973130752 [archive]
• https://twitter.com/snowden/status/781495273726025728 [archive]
• https://twitter.com/Snowden/status/1175435436501667840 [archive]
• Micah Lee, Journalist and Security Engineer at The Intercept and Advocate for Freedom of the Press, Developer of OnionShare and Tor Browser Launcher. [archive]
• SecureDrop Journalist Workstation environment for submission handling is based on Qubes-Whonix [archive]
• History
• Whonix - Wikipedia [archive]
• https://www.qubes-os.org [archive]
• Whonix Protection against Real World Attacks

Tested , worked smoothly!

Standard upgrade (includes kernel upgrade) functional?

Separately, can you upgrade as per

too?

LKRG installation on gateway also does not freeze VM?

tirdad might not survive kernel upgrade unfortunately due to DKMS issues?

If lucky, kvm is unaffected by low RAM vs kernel module DKMS build issue that VirtualBox version is affected by.

Unfortunately I had obliterated my 7.1 install. I never test in-place upgrades. @nurmagoz can you please test an in-place upgrade with apt on Whonix GW and report if LKRG successfully compiles and runs?

I meant could you please take this very version 15.0.0.8.7 and test in-place upgrades, kernel upgrade and LKRG on gateway?

Sure. What commands should I run?

sudo apt update
sudo apt install lkrg
sudo apt dist-upgrade
sudo reboot

and then this:

whonixcheck --verbose

Doesn’t work.

The instructions should install the headers first, but that’s not what’s wrong here.

Update:

sudo dkms status shows recompiled modules for lkrg, tirdad as installed, but lsmod indicates they never load. Same outcome with more RAM so this is not the problem.

KVM Kicksecure has no internet access for me. There is no problem with KVM Whonix on the same box, or other VMs also using the default network adapter. I have restarted the physical computer, deleted the qcow2 image, and placed the newly extracted one in again. However, it still does not ping or update.

When doing updates, it tries to use Tor. Both tor.service and tor@default.service are running successfully in systemd somehow, but there is still no access to the internet. How would I begin to troubleshoot it?

It’s not DNS, because pinging 8.8.8.8 also does not work.

Please check the status of the default network under VMM -> edit -> connection details -> virtual networks.

It should be active and set to autostart on boot. Odds are it is not on your machine.

It is there and set to auto start. I remember defining ‘default’ when I set up Whonix, in addition to Whonix-External and Whonix-Internal networks.

virsh -c qemu:///system net-autostart default
virsh -c qemu:///system net-start default

I know it works, because other VMs have used ‘default’ with internet access (just tested Ubuntu). I’m not sure what the issue could be.

Btw these are installed by default in Whonix / Kicksecure.

Yes, that’s not a low RAM issue.

Indeed. Created DKMS kernel modules (LKRG and tirdad) fail to properly recompile on kernel upgrade for it.

It seems to need the corresponding kernel version’s headers. You’ve seen and reported the problem with bpo2 kernel pulling in bpo3 headers.

HulaHoop via Whonix Forum:

It seems to need the corresponding kernel version’s headers.

Stable kernel image and headers are installed by default form Debian
buster repository.

You’ve seen and reported the problem with bpo2 kernel pulling in bpo3 headers.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=951315 is only a
problem in context of Linux Kernel i.e. using
Debian kernel from buster-backports.

2 posts were split to a new topic: Kicksecure Network Configuration