Feature Request: Anti-Keystroke Fingerprinting Tool #1850
adrelanos
Mar 17, 2016
Member
Confirmed. This affects anonymity / Whonix.
> A very much needed project would be to write a program that mimics the functionality of this add-on but on the display server / OS level. Ideally the solution would be compatible with Wayland for the upcoming transition in the near future.
Sounds like a great solution. Unfortunately this is outside my abilities. Help welcome!
rootkovska
Mar 18, 2016
Member
Looks like this could be a simple modification to Qubes GUI daemon. Of course would have to be opt-in enabled for select VMs only.
adrelanos referenced this issue Mar 18, 2016: Closed - change default appvm name: anon-whonix -> anonymous-browsing #1775
andrewdavidwong added this to the Far in the future milestone Jun 7, 2016
added a commit that referenced this issue Jun 7, 2016
sdffgh
Jul 28, 2016
> Unfortunately there is no source code available for the add-on

There is! Chrome Extensions are just zip files with some added metadata. If we unzip the extension's crx file, all the relevant code is a few lines in js/input.js.
See Tim's comment on https://paul.reviews/behavioral-profiling-the-password-you-cant-change/#comment-2165097313 where he includes a paste of the source code, the discussions below on the choices, and Paul's comment "If you strip away the fundamentals required to make a chrome extension, the code is just 13 lines long".
There is no license mentioned. One of you who knows more about licenses and legality can better decide how to proceed. If it's legal, maybe we could just reconstruct Paul's technique that he described publicly without looking at his code. The JavaScript basically just adds random delays, and other implementation details are only meant to delay the JS thread to disrupt timing of keystroke-initiated browser events, but that is unnecessary if the delays are introduced outside the VM, and therefore outside the browser. In that case it is sufficient to just add random delays to keystroke times. The tests to confirm that this works against the bank fingerprinting demo are also very simple and can be reproduced if we're not sure that the new code has the same effectiveness as Paul's.
adrelanos
Jan 10, 2017
Member
Related:
- kloak (anti keystroke deanonymization tool) - https://github.com/vmonaco/kloak
- provide Linux kernel input device so kloak (anti keystroke deanonymization tool) can be used in Qubes-Whonix - #2558
- Keyboard/Mouse Fingerprinting Defense - https://phabricator.whonix.org/T542
- keep an eye on kloak anti keystroke deanonymization tool - https://phabricator.whonix.org/T596
HulaHoopWhonix commented Mar 17, 2016
Keystroke fingerprinting works by measuring how long keys are pressed and the time between presses. Its very high accuracy poses a serious threat to anonymous users.[1]
This tracking technology has been deployed by major advertisers (Google, Facebook), banks and massive online courses. It's also happening at a massive scale because just using an interactive JS application in the presence of a network adversary that records all traffic allows them to construct biometric models for virtually everyone (think Google suggestions) even if the website does not record these biometric stats itself.[2] They have this data from everyone's clearnet browsing and by comparing this to data exiting the Tor network they will unmask users.
As a countermeasure, security researcher Paul Moore created a prototype Chrome plugin known as KeyboardPrivacy. It works by caching keystrokes and introducing a random delay before passing them on to a webpage.[3] Unfortunately there is no source code available for the add-on and the planned Firefox version has not surfaced so far. There are hints that the author wants to create a closed hardware solution that implements this, which does not help our cause.
A very much needed project would be to write a program that mimics the functionality of this add-on but on the display server / OS level. Ideally the solution would be compatible with Wayland for the upcoming transition in the near future.
[1] http://arstechnica.com/security/2015/07/how-the-way-you-type-can-shatter-anonymity-even-on-tor/
[2] http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=7358795
[3] https://archive.is/vCvWb
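
The random-delay countermeasure discussed in this thread (cache each key event and release it after a random delay, outside the browser), sketched as an added example; it is not code from KeyboardPrivacy, kloak or Qubes. The 100 ms cap, the event tuple format and the sample typing trace are assumptions constructed for illustration.

```python
import random

MAX_DELAY_MS = 100  # assumed cap on added latency; not a value from this thread

# Constructed trace of someone typing "tor": (time_ms, key, action)
SAMPLE = [(0, "t", "down"), (95, "t", "up"), (140, "o", "down"),
          (230, "o", "up"), (310, "r", "down"), (400, "r", "up")]

def obfuscate(events, max_delay_ms=MAX_DELAY_MS, rng=None):
    """Re-time key events with random delays while preserving their order."""
    rng = rng or random.SystemRandom()
    out, prev_release = [], 0
    for t, key, action in events:
        # Lower bound keeps this event from overtaking the previous one;
        # upper bound caps how long any event is held back.
        lower = max(prev_release - t, 0)
        prev_release = t + rng.randint(lower, max_delay_ms)
        out.append((prev_release, key, action))
    return out

def timing_features(events):
    """Dwell = how long a key is held; flight = time between key presses."""
    down_at, downs, dwell = {}, [], []
    for t, key, action in events:
        if action == "down":
            down_at[key] = t
            downs.append(t)
        elif key in down_at:
            dwell.append(t - down_at.pop(key))
    flight = [b - a for a, b in zip(downs, downs[1:])]
    return dwell, flight

if __name__ == "__main__":
    print("as typed:   ", timing_features(SAMPLE))
    for run in range(3):  # each run yields a different timing profile
        print("obfuscated: ", timing_features(obfuscate(SAMPLE)))
```

Event order is preserved, so the typed text is unchanged; only the dwell and flight times visible downstream vary from run to run.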