Whonix VirtualBox 15.0.0.8.9 – Point Release! – vanguards; TCP ISN Leak Protection; Extensive Hardening! 🔥

This is a point release.

Download Whonix for VirtualBox:


Alternatively, in-place release upgrade is possible.



This release would not have been possible without the numerous supporters of Whonix!


Please Donate!


Please Contribute!


  • Add vanguards – protects against guard discovery and related traffic analysis attacks.
  • Implement TCP ISN CPU Information Leak Protection.
    • TCP ISN CPU Information Leaks can be used to de-anonymize Tor onion services. tirdad fixes that.
    • Install tirdad by default.
    • fix compilation using DKMS on kernel upgrade by adding support for the make variable KERNELRELEASE (DKMS sets it)
  • security-misc – Kernel Hardening; Protect Linux User Accounts against Brute Force Attacks; Improve Entropy Collection; Strong Linux User Account Separation; Enhances Misc Security Settings
    • add security-misc documentation of stable security features, testing security features and experimental security features
    • experimental SUID Disabling and Permission Hardening
      • A systemd service removes SUID / SGID bits from non-essential binaries, as these are often used in privilege escalation attacks. It is disabled by default for now during testing and can optionally be enabled by running systemctl enable permission-hardening.service as root.
      • Disable SUID Binaries
      • harden ping
    • git diff a99dfd067ac8a43bdcd779cf57b3533bdaa404fb 163e20b886f298cb9d3aca54c14f66991001b396 (diff too large for GitHub to show)
    • Enables mitigations for the L1TF (L1 Terminal Fault) vulnerability. (This is interesting when using security-misc or Kicksecure.)
    • unconditionally enable mitigations for all CPU bugs (spectre, meltdown, L1TF, …); this might reduce performance (This is interesting when using security-misc on the host or using Kicksecure as host operating system.)
    • The MSR kernel module is blacklisted to prevent CPU MSRs from being abused to write to arbitrary memory.
    • Vsyscalls are disabled as they are obsolete, are at fixed addresses and are a target for ROP.
    • Page allocator freelist randomization is enabled.
    • The vivid kernel module is blacklisted as it’s only required for testing and has been the cause of multiple vulnerabilities.
    • An initramfs hook sets the sysctl values in /etc/sysctl.conf and /etc/sysctl.d before init is executed so sysctl hardening is enabled as early as possible.
    • The kernel panics on oopses to prevent it from continuing to run a flawed process and to deter brute forcing.
    • Improve Entropy Collection
      • Load jitterentropy_rng kernel module.
      • Distrusts the CPU for initial entropy at boot as it is not possible to audit, may contain weaknesses or a backdoor.
    • remount /home, /tmp, /dev/shm and /run with nosuid,nodev (default) and noexec (opt-in). To disable this, run “sudo touch /etc/remount-disable”. To opt-in noexec, run “sudo touch /etc/noexec” and reboot (easiest). Alternatively file /usr/local/etc/remount-disable or file /usr/local/etc/noexec could be used.
    • fix pam_tally2 check when booting from a read-only disk without ro-mode-init or grub-live
    • fix xfce4-power-manager xfpm-power-backlight-helper pkexec lxsudo popup
    • do show lxqt-sudo password prompt if there is a sudoers exception
    • improved pkexec wrapper logging
    • installation fix in case user “user” does not exist
    • better output if trying to login with non-existing user
    • add user “user” to group “console” in Whonix and Kicksecure
    • Lock user accounts after 50 rather than 100 failed login attempts.
    • Restricts the SysRq key so it can only be used for shutdowns and the Secure Attention Key.
    • remove-system-map: use shred instead of rm
    • Disable the busmaster bit on all PCI bridges during very early boot to avoid holes in IOMMU.
    • Only allow symlinks to be followed when outside of a world-writable sticky directory, or when the owner of the symlink and follower match, or when the directory owner matches the symlink’s owner. Prevent hardlinks from being created by users that do not have read/write access to the source file. These prevent many TOCTOU races.
      • fs.protected_symlinks=1
      • fs.protected_hardlinks=1
    • Restrict loading TTY line disciplines to CAP_SYS_MODULE to prevent unprivileged attackers from loading vulnerable line disciplines with the TIOCSETD ioctl which has been used in exploits before such as https://a13xp0p0v.github.io/2017/03/24/CVE-2017-2636.html
  • Linux Kernel Runtime Guard (LKRG)
  • console lockdown
    • Allow members of group ‘console’ to use the console. Everyone else, except members of group ‘console-unrestricted’, is restricted from using the console via ancient, unpopular login methods such as /bin/login over networks, which might be exploitable (CVE-2001-0797). Implemented using pam_access.
  • Protect Linux user accounts against brute force attacks.
    • Lock user accounts after 50 failed login attempts using pam_tally2.
  • update Tor to version 0.4.2.6-1
  • full /etc/torrc.d/*.conf configuration snippet drop-in folder support
  • update Tor Browser to version 9.0.5
  • work on hardened Linux kernel for VMs and hosts
  • VirtualBox
    • upgrade VirtualBox to 6.1.2
    • revert graphics controller setting back from VMSVGA to VBoxVGA due to issues
    • Had to increase Whonix-Gateway default RAM to 1280 MB. Otherwise VirtualBox guest additions kernel modules would fail to compile.
  • work on fixing arm64 / RPi builds but not finished. Help welcome!
  • Onion Services Authentication
  • No longer install serial-console-enable by default due to issues. See also Serial Console.
  • No longer install firejail by default because of these reasons.
  • development of apparmor-profile-everything – AppArmor for everything. APT, systemd, init, all systemd units, all applications. Mandatory Access Control. Security Hardening.
  • corridor – Tor traffic whitelisting gateway and leak tester
  • grub-live – Boot your existing, installed Debian Host into Live Mode with GRUB LIVE
  • Hardened Malloc – Hardened Memory Allocator for many Applications to increase Security. Debian packaging fork only.
  • fix
  • remove Whonix specificity (default config file) from onion-grater (Whitelisting filter for dangerous Tor control protocol commands)
  • dsudo – add sudo askpass wrapper for automated testing
    • I.e. as long as password is set to changeme one can use dsudo and will not be asked to enter the default password.
  • kloak
  • Qubes-Whonix
  • swap-file-creator
  • Tor Browser Starter / Downloader by Whonix developers
  • whonix-firewall: fix: don’t lock down the network if IPv6 isn’t available (nothing to firewall in that case); AppArmor profile added in complain mode
  • research and documentation of entropy / randomness generation
  • created debug-misc – Opt-in package which enables miscellaneous debug settings for easier debugging. (Replaces grub-output-verbose.)
  • No more verbose output during boot to prevent kernel info leaks.
  • Rebrand Whonix as a research project.
    • old: “Whonix is experimental software. Do not rely on it for strong anonymity.”
    • new: “Whonix is a research project.”
  • i2p
    • i2p inside Whonix-Workstation fixes etc
    • preparation for installation of i2p by default
      • do not autostart i2p.service if installed
      • do not autostart privoxy.service if installed
      • do not autostart i2p.service in Qubes TemplateVM
      • do not autostart privoxy.service in Qubes TemplateVM
    • i2p is not yet installed by default because of this reason.
  • first-boot-skel: fix /etc/skel/.bashrc to /home/user/.bashrc handling if home folder is completely empty
  • usability-misc
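
The remount item above (nosuid,nodev by default, noexec opt-in via /etc/noexec, opt-out via /etc/remount-disable) and the sysctl items (fs.protected_symlinks=1, fs.protected_hardlinks=1, the restricted SysRq key, panic on oops) are easy to verify after an upgrade. The following audit script is an added example, not code from Whonix or security-misc: it reads a mount table and a sysctl dump from files so it can be exercised on constructed samples, and with --live it reads /proc/self/mounts and sysctl -a from the running system. The fs.protected_* values come from the release notes; kernel.sysrq=132 (4 = Secure Attention Key, 128 = reboot/poweroff) and kernel.panic_on_oops=1 are this example's reading of "restricted to shutdowns and SAK" and "panics on oopses", assumed rather than quoted from the project's own configuration files.

```shell
#!/bin/sh
# Added audit example; not code from Whonix or security-misc. It checks a mount
# table and a sysctl dump against the hardening the release notes describe.
# Inputs are files so the checks can run on constructed samples; with --live it
# reads /proc/self/mounts and `sysctl -a` from the running system.

# Mount points the release notes say are remounted with nosuid,nodev (default)
# and noexec (opt-in).
HARDENED_MOUNTS="/home /tmp /dev/shm /run"

# Expected sysctl values. fs.protected_* are quoted in the release notes; the
# sysrq mask (4 = Secure Attention Key, 128 = reboot/poweroff) and
# panic_on_oops are this example's reading of "SysRq restricted to shutdowns
# and SAK" and "panics on oopses" (assumption, not the project's own files).
SYSCTL_EXPECTED="fs.protected_symlinks=1 fs.protected_hardlinks=1 kernel.sysrq=132 kernel.panic_on_oops=1"

# Opt-in / opt-out switches from the release notes, resolved under ROOT ($1)
# so that tests can point at a temporary directory instead of /.
noexec_opted_in()  { [ -e "$1/etc/noexec" ] || [ -e "$1/usr/local/etc/noexec" ]; }
remount_disabled() { [ -e "$1/etc/remount-disable" ] || [ -e "$1/usr/local/etc/remount-disable" ]; }

# has_opt OPTS NAME: true if NAME is one of the comma-separated mount options.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# check_mounts MOUNTS_FILE WANT_NOEXEC
#   MOUNTS_FILE holds /proc/self/mounts-style lines (dev mountpoint fstype opts ...).
#   WANT_NOEXEC is 1 when noexec was opted in, else 0.
# Prints one FAIL line per missing option; returns the number of failures.
check_mounts() {
    failures=0
    for mp in $HARDENED_MOUNTS; do
        # Option field of the line whose mount point matches exactly.
        opts=$(awk -v mp="$mp" '$2 == mp { print $4; exit }' "$1")
        if [ -z "$opts" ]; then
            echo "FAIL $mp: not mounted"
            failures=$((failures + 1))
            continue
        fi
        for required in nosuid nodev; do
            has_opt "$opts" "$required" || {
                echo "FAIL $mp: missing $required"
                failures=$((failures + 1))
            }
        done
        if [ "$2" = 1 ] && ! has_opt "$opts" noexec; then
            echo "FAIL $mp: noexec opted in but not applied"
            failures=$((failures + 1))
        fi
    done
    return $failures
}

# check_sysctl DUMP_FILE: DUMP_FILE holds "key = value" (sysctl -a) or
# "key=value" (sysctl.conf) lines. Returns the number of mismatches.
check_sysctl() {
    failures=0
    for entry in $SYSCTL_EXPECTED; do
        key=${entry%%=*}
        want=${entry#*=}
        got=$(awk -F'[ =]+' -v k="$key" '$1 == k { print $2; exit }' "$1")
        if [ "$got" != "$want" ]; then
            echo "FAIL $key: want $want, got ${got:-<unset>}"
            failures=$((failures + 1))
        fi
    done
    return $failures
}

# Live run (needs root for a complete sysctl -a): sh hardening-audit.sh --live
if [ "${1:-}" = "--live" ]; then
    if remount_disabled /; then
        echo "SKIP mounts: /etc/remount-disable present"
    else
        noexec=0
        noexec_opted_in / && noexec=1
        check_mounts /proc/self/mounts "$noexec"
    fi
    dump=$(mktemp)
    sysctl -a 2>/dev/null > "$dump"
    check_sysctl "$dump"
    rm -f "$dump"
fi
```

Both checks return the number of findings as their exit status, so the script can gate an automated test (a non-zero status after an upgrade means a remount or sysctl setting did not take). Matching on the exact mount point field rather than a substring avoids counting /run/user/1000 as /run, and the awk field separator accepts both the `key = value` form printed by sysctl -a and the `key=value` form used in /etc/sysctl.d.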

diff too large for github to show, therefore split into two:


Whonix is being used by Edward Snowden, journalists such as Micah Lee, the Freedom of the Press Foundation and Qubes OS. It has a 7-year history of keeping its users safe from real world attacks. [1]

The split architecture of Whonix relies on leveraging virtualization technology as a sandbox for vulnerable user applications on endpoints. This is a widely known weakness exploited by entities that want to circumvent cryptography and system integrity. Our Linux distribution comes with a wide selection of data protection tools and hardened applications for document/image publishing and communications. We are the first to deploy tirdad, which addresses the long known problem of CPU activity affecting TCP traffic properties in visible ways on the network, and vanguards, an enhancement for Tor produced by the developers of Tor, which protects against guard discovery and related traffic analysis attacks. Live Mode was recently added. We deliver the first ever solutions for user behavior masking privacy protections such as Kloak. Kloak prevents websites from recognizing who the typist is by altering keystroke timing signatures that are unique to everyone.

In the future we plan to deploy a hardened Linux kernel with a minimal number of modules for OS operation, which will greatly decrease attack surface, as well as an AppArmor profile for the whole system and Linux Kernel Runtime Guard (LKRG), which, to quote its developers, performs runtime integrity checking of the Linux kernel and detection of security vulnerability exploits against the kernel.


[1]


Awesome! Great job. Thanks!

losing features:

  • vbox doesn't go full screen
  • copy/paste from/to host/whonix

and I think this is due to one reason, which is a corruption within vbox-guest-additions

Whonix-WS won't boot and is showing this message:

Possibly host HDD issues. OpenPGP / gpg verified images? Does re-import of VM help?

So much amazing work, thank you all contributors!

Gateway: Would Gateway work stably if you kept it at 256 MB RAM at all times except for when compiling kernel modules (during updates etc)?

Workstation: Is there a way to know what point release your workstation is currently upgraded to? (like to uname -a for checking kernel version) I see that /etc/whonix_version only says 15.

Upgraded in-place. No problems to report, Debian host, Virtualbox version 6.0.18, everything went smoothly. I messed about with the different graphics choices and they all work somehow. No screen resize problems to report

I have the same problem as TNT_BOM_BOM. I have VirtualBox 6.1.2 and cannot go full screen with both the 15.0.0.8.9 Point Release and an upgraded 15.0.0.7.1. Everything seems to work great with the exception of not being full screen.

The VirtualBox resize issue:

For now, there is only this workaround (recently added recommendation to use XFCE screen resolution settings dialog to manually set a higher resolution):

https://www.whonix.org/wiki/Known_Issues#Screen_Resolution_Bug

To really solve it needs a really good bug report with all debug information required for VirtualBox developers. The internet is full of incomplete bug reports and discussions that go nowhere. Better not add to that mess. First, it requires a survey of existing related bug reports and what debug information was requested from VirtualBox developers. Notes are being kept here:

Help welcome!

No known issues that it doesn’t.

No.

See also: https://www.whonix.org/wiki/Whonix_Build_Version

I did re-import and it helped; can't reproduce atm.

Patrick via Whonix Forum:

I just wanted to post this: the only thing noticed–and this has nothing to do with Whonix’s implementation of Guest Additions–is that when using Virtualbox 6.0.18 the clipboard functionality sharing between guests and host is not functional. This is solely due to the fact that 6.0.18 and 6.1.x are not cross compatible as far as GA’s. Anyway, an upgrade to Vbox 6.1.4 fixed that issue completely. Also, the 6.0 branch will not have support after July of this year so everyone should upgrade anyway.


Source: Whonix
