This is a point release.
Download Whonix for VirtualBox:
Alternatively, in-place release upgrade is possible.
Highlights
- Add vanguards, which protects against guard discovery and related traffic analysis attacks and fixes CVE-2020-8516 Hidden Service deanonymization.
- Implement TCP ISN CPU Information Leak Protection to prevent de-anonymization of Tor onion services by installing Tirdad kernel module for random ISN generation.
- Extensive security hardening and updated packages.
This release would not have been possible without the numerous supporters of Whonix!
Please Donate!
Please Contribute!
Notable Changes
- Add vanguards - protects against guard discovery and related traffic analysis attacks.
- CVE-2020-8516 Hidden Service deanonymization
-
The daemon in Tor through 0.4.1.8 and 0.4.2.x through 0.4.2.6 does not verify that a rendezvous node is known before attempting to connect to it, which might make it easier for remote attackers to discover circuit information.
- vanguards fixes this
-
- use vanguards from packages.debian.org
- enable vanguards by default, install by default
- added vanguards documentation
- vanguards - Additional protections for Tor Onion Services - #11 by Patrick
- CVE-2020-8516 Hidden Service deanonymization
- Implement TCP ISN CPU Information Leak Protection.
- TCP ISN CPU Information Leaks can be used de-anonymize Tor onion services. tirdad fixes that.
- An analysis of TCP secure SN generation in Linux and its privacy issues
- Tirdad kernel module for random ISN generation
- Tor Project bug report: Add research idea for Linux TCP Initial Sequence Numbers may aid correlation
- research paper: Hot or not: revealing hidden services by their clock skew
- Whonix ticket
- Install tirdad by default.
- fix compilation using DKMS on kernel upgrade by adding support for make variable KERNELRELEASE (DKMS sets it)
- TCP ISN CPU Information Leaks can be used de-anonymize Tor onion services. tirdad fixes that.
- security-misc - Kernel Hardening; Protect Linux User Accounts against Brute Force Attacks; Improve Entropy Collection; Strong Linux User Account Separation; Enhances Misc Security Settings
- add security-misc documentation of stable security features, testing security features and experimental security features
- experimental SUID Disabling and Permission Hardening
- A systemd service removes SUID / GUID from non-essential binaries as these are often used in privilege escalation attacks. It is disabled by default for now during testing and can optionally be enabled by running
systemctl enable permission-hardening.service
as root. - SUID Disabler and Permission Hardener
- harden ping
- A systemd service removes SUID / GUID from non-essential binaries as these are often used in privilege escalation attacks. It is disabled by default for now during testing and can optionally be enabled by running
git diff a99dfd067ac8a43bdcd779cf57b3533bdaa404fb 163e20b886f298cb9d3aca54c14f66991001b396
(diff to huge for github)- Enables mitigations for the L1TF (L1 Terminal Fault) vulnerability. (This is interesting when using security-misc or Kicksecure.)
- unconditionally enable all CPU bugs (spectre, meltdown, L1TF, âŠ) this might reduce performance (This is interesting when using security-misc on the host or using Kicksecure as host operating system.)
spectre_v2=on
spec_store_bypass_disable=on
tsx=off
tsx_async_abort=full,nosmt
- Should all kernel patches for CPU bugs be unconditionally enabled? Vs Performance vs Applicability
- The MSR kernel module is blacklisted to prevent CPU MSRs from being abused to write to arbitrary memory.
- Vsyscalls are disabled as they are obsolete, are at fixed addresses and are a target for ROP.
- Page allocator freelist randomization is enabled.
- The vivid kernel module is blacklisted as itâs only required for testing and has been the cause of multiple vulnerabilities.
- An initramfs hook sets the sysctl values in /etc/sysctl.conf and /etc/sysctl.d before init is executed so sysctl hardening is enabled as early as possible.
- The kernel panics on oopses to prevent it from continuing to run a flawed process and to deter brute forcing.
- Improve Entropy Collection
- Load jitterentropy_rng kernel module.
- Distrusts the CPU for initial entropy at boot as it is not possible to audit, may contain weaknesses or a backdoor.
- (Disable trusting RDRAND)
random.trust_cpu=off
- RDRAND - Wikipedia
- https://twitter.com/pid_eins/status/1149649806056280069
- remount /home, /tmp, /dev/shm and /run with nosuid,nodev (default) and noexec (opt-in). To disable this, run âsudo touch /etc/remount-disableâ. To opt-in noexec, run âsudo touch /etc/noexecâ and reboot (easiest). Alternatively file /usr/local/etc/remount-disable or file /usr/local/etc/noexec could be used.
- Experimental. Not enabled by default.
- (re-)mount home [and other?] with noexec (and nosuid [among other useful mount options]) for better security?
- More work needed. Help welcome!
- fix pam tally2 check when read-only disk boot without ro-mode-init or grub-live
- fix xfce4-power-manager xfpm-power-backlight-helper pkexec lxsudo popup
- do show lxqt-sudo password prompt if there is a sudoers exception
- improved pkexec wrapper logging
- installation fix in case when user âuserâ does not exists
- better output if trying to login with non-existing user
- add user âuserâ to group âconsoleâ in Whonix and Kicksecure
- Lock user accounts after 50 rather than 100 failed login attempts.
- Restricts the SysRq key so it can only be used for shutdowns and the Secure Attention Key.
- remove-system-map: use shred instead of rm
- Disable the busmaster bit on all PCI bridges during very early boot to avoid holes in IOMMU.
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi=disable_early_pci_dma"
- Captcha Check
- efi: Allow disabling PCI busmastering on bridges during boot - kernel/git/torvalds/linux.git - Linux kernel source tree
- Only allow symlinks to be followed when outside of a world-writable sticky directory, or when the owner of the symlink and follower match, or when the directory owner matches the symlinkâs owner. Prevent hardlinks from being created by users that do not have read/write access to the source file. These prevent many TOCTOU races.
fs.protected_symlinks=1
fs.protected_hardlinks=1
- Restrict loading TTY line disciplines to CAP_SYS_MODULE to prevent unprivileged attackers from loading vulnerable line disciplines with the TIOCSETD ioctl which has been used in exploits before such as CVE-2017-2636: Exploit the race condition in the n_hdlc Linux kernel driver | Alexander Popov
- LKML: Greg Kroah-Hartman: [PATCH 4.14 15/69] tty: ldisc: add sysctl to prevent autoloading of ldiscs
dev.tty.ldisc_autoload=0
- Linux Kernel Runtime Guard (LKRG)
- easy installation (
sudo apt install lkrg
) for users of Whonix, Kicksecure. - also available for Debian hosts
- also available for Qubes OS Debian templates and Qubes-Whonix
- work with LKRG upstream to fix LKRG VirtualBox host support
- packaging enhancements, Any standard Debian build tools can be used. For example. Quick and easy. âdpkg-buildpackage -bâ
- Disable âSystem is clean!â message to avoid spamming dmesg and tty1.
- tirdad compatibility
- Installation by default in Whonix and Kicksecure probably in one of the next stable releases.
- fix compilation using DKMS on kernel upgrade by adding support for make variable KERNELRELEASE (DKMS sets it)
- Auto load LKRG after installation. Since LKRG now supports module parameters and VirtualBox host support, it can be automatically started after installation since it would no longer kill VirtualBox VMs running on a host.
- easy installation (
- console lockdown
- Allow members of group âconsoleâ to use console. Everyone else except members of group âconsole-unrestrictedâ are restricted from using console using ancient, unpopular login methods such as using /bin/login over networks, which might be exploitable. (CVE-2001-0797) Using pam_access.
- Protect Linux user accounts against brute force attacks.
- Lock user accounts after 50 failed login attempts using pam_tally2.
- update Tor to version
0.4.2.6-1
- (
tor_0.4.2.6-1~d10.buster+1_amd64.deb
from deb.torproject.org) - Tor 0.4.25 release how can we upgrade
- Onion Services DDOS Defense Tor 0.4.2.5
- (
- full
/etc/torrc.d/*.conf
configuration snippet drop-in folder support - update Tor Browser to version
9.0.5
- work on hardened Linux kernel for VMs and hosts
- build CI builds on Travis CI
- but integration with APT and packaging not done. Help welcome!
- VirtualBox
- work on fixing arm64 / RPi builds but not finished. Help welcome!
- Onion Services Authentication
- No longer install serial-console-enable by default due to issues. See also Serial Console.
- No longer install firejail by default because of these reasons.
- development of apparmor-profile-everything - AppArmor for everything. APT, systemd, init, all systemd units, all applications. Mandatory Access Control. Security Hardening.
- Comparing f3140ea2153fcee68a901ef0c86d552d6fa0ec3e...ffbe4873836b7bc364f3bfee1fef56ba8fd9b0be · Kicksecure/apparmor-profile-everything · GitHub
- Comparing ffbe4873836b7bc364f3bfee1fef56ba8fd9b0be...63fdd0312a81f878d266ae9197803ccbd6bc18df · Kicksecure/apparmor-profile-everything · GitHub
- but more work is needed such as multiple boot modes for better security: persistent user | live user | persistent secureadmin | persistent superadmin | persistent recovery mode before it gets installed by default
- corridor - Tor traffic whitelisting gateway and leak tester
- grub-live - Boot your existing, installed Debian Host into Live Mode with GRUB LIVE
- usability, output enhancements
- Whonix âą Live Mode - Stop Persistent Malware
- added compatibility with restrict hardware information to root for Live Mode Indicator Systray
- fixed Live Mode Indicator Systray to detect ro-mode-init
- Hardened Malloc - Hardened Memory Allocator for many Applications to increase Security. Debian packaging fork only.
- fix
- numerous apparmor profile enhancements
disksd[572]: failed to load module crypto: libbd_crypto.so.2: cannot open shared object file: No such file or directory
- onioncircuits started from tor-control-panel by running it under user debian-tor rather than root
- remove Whonix specificity (default config file) from onion-grater (Whitelisting filter for dangerous Tor control protocol commands)
dsudo
- add sudo askpass wrapper for automated testing- I.e. as long as password is set to
changeme
one can usedsudo
and will not be asked to enter the default password.
- I.e. as long as password is set to
- kloak
- Keystroke-level online anonymization kernel: obfuscates typing behavior at the device level.
- against Keystroke Deanonymization
- packaging enhancements, no longer depend on genmkfile, can be build using standard Debian packaging tools, apparmor enhancements
- Qubes-Whonix
- swap-file-creator
- Added
ENOUGH_RAM
setting which defaults to1950
MB RAM. If there is more than enough RAM, no swap file will be created. - fix Non-Qubes-Whonix Whonix-Gateway slow boot
- Added
- Tor Browser Starter / Downloader by Whonix developers
- Disable security slider question at first start since broken
- Check for noexec.
- Remount exec.
- work on Qubes DispVM exec / noexec
- whonix-firewall: fix, donât lock down network if IPv6 isnât available and thereby no need to firewall, apparmor profile added in complain mode
- research and documentation of entropy / randomness generation
- created debug-misc - Opt-in package which enables miscellaneous debug settings for easier debugging. (Replaces grub-output-verbose.)
- No more verbose output during boot to prevent kernel info leaks.
- Rebrand Whonix as a research project.
- old: âWhonix is experimental software. Do not rely on it for strong anonymity.â
- new: âWhonix is a research project.â
- i2p
- i2p inside Whonix-Workstation fixes etc
- preparation for installation of i2p by default
- do not autostart i2p.service if installed
- do not autostart privoxy.service if installed
- do not autostart i2p.service in Qubes TemplateVM
- do not autostart privoxy.service in Qubes TemplateVM
- i2p is not yet installed by default because of this reason.
- first-boot-skel: fix /etc/skel/.bashrc to /home/user/.bashrc handling if home folder is completely empty
- usability-misc
- add dpkg-noninteractive wrapper script
- Speeding up "apt update" with Acquire::Languages=none and Contents-deb::DefaultEnabled=false - It's so much faster! - #2 by HulaHoop
Acquire::Languages none;
Acquire::IndexTargets::deb::Contents-deb::DefaultEnabled false;
Full difference of all changes
diff too large for github to show, therefore split into two:
- https://github.com/Whonix/Whonix/compare/15.0.0.7.1-developers-only...15.0.0.8.0-developers-only
- https://github.com/Whonix/Whonix/compare/15.0.0.8.0-developers-only...15.0.0.8.7-developers-only
- https://github.com/Whonix/Whonix/compare/15.0.0.8.7-developers-only...15.0.0.8.9-developers-only
About Whonix
Whonix is being used by Edward Snowden, journalists such as Micah Lee, used by the Freedom of the Press Foundation and Qubes OS. It has a 7 years history of keeping its users safe from real world attacks. [1]
The split architecture of Whonix relies on leveraging virtualization technology as a sandbox for vulnerable user applications on endpoints. This is a widely known weakness exploited by entities that want to circumvent cryptography and system integrity. Our Linux distribution come with a wide selection of data protection tools and hardened applications for document/image publishing and communications. We are the first to deploy tirdad, which addresses the long known problem of CPU activity affecting TCP traffic properties in visible ways on the network and vanguards, an enhancement for Tor produced by the developers of Tor, which protects against guard discovery and related traffic analysis attacks. Live Mode was recently added. We deliver the first ever solutions for user behavior masking privacy protections such as Kloak. Kloak prevents websites from recognizing who the typist is by altering keystroke timing signatures that are unique to everyone.
In the future we plan to deploy a hardened Linux kernel with a minimal number of
modules for OS operation, which will greatly decrease attack surface. An AppArmor profile for the whole system as well as Linux Kernel Runtime Guard (LKRG), which quote performs runtime integrity checking of the Linux kernel and detection of security vulnerability exploits against the kernel.
[1]
- https://twitter.com/Snowden/status/1165607338973130752 [archive]
- https://twitter.com/snowden/status/781495273726025728 [archive]
- https://twitter.com/Snowden/status/1175435436501667840 [archive]
- Micah Lee, Journalist and Security Engineer at The Intercept and Advocate for Freedom of the Press, Developer of OnionShare and Tor Browser Launcher. [archive]
- SecureDrop Journalist Workstation environment for submission handling is based on Qubes-Whonix [archive]
- History
- Whonix - Wikipedia [archive]
- https://www.qubes-os.org [archive]
- Whonix Protection against Real World Attacks