Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Feature Request: Anti-Keystroke Fingerprinting Tool #1850

Open
HulaHoopWhonix opened this issue Mar 17, 2016 · 9 comments
Open

Feature Request: Anti-Keystroke Fingerprinting Tool #1850

HulaHoopWhonix opened this issue Mar 17, 2016 · 9 comments
Labels
C: gui-virtualization C: Whonix This issue impacts Qubes-Whonix help wanted This issue will probably not get done in a timely fashion without help from community contributors. P: default Priority: default. Default priority for new issues, to be replaced given sufficient information. privacy This issue pertains to data or information privacy through technological means. T: enhancement Type: enhancement. A new feature that does not yet exist or improvement of existing functionality.

Comments

@HulaHoopWhonix
Copy link

Keystroke fingerprinting works by measuring how long keys are pressed and the time between presses. Its very high accuracy poses a serious threat to anonymous users.[1]

This tracking technology has been deployed by major advertisers (Google, Facebook), banks and massive online courses. Its also happening at a massive scale because just using an interactive JS application in presence of a network adversary that records all traffic allows them to construct biometric models for virtually everyone (think Google suggestions) even if the website does not record these biometric stats itself.[2] They have this data from everyone's clearnet browsing and by comparing this to data exiting the Tor network they will unmask users.

As a countermeasure security researcher Paul Moore created a prototype Chrome plugin known as KeyboardPrivacy. It works by caching keystrokes and introducing a random delay before passing them on to a webpage.[3] Unfortunately there is no source code available for the add-on and the planned Firefox version has not surfaced so far. There are hints that the author wants to create a closed hardware solution that implements this which does not help our cause.

A very much needed project would be to write a program that mimics the functionality of the this add-on but on the display server / OS level. Ideally the solution would be compatible with Wayland for the upcoming transition in the near future.

[1] http://arstechnica.com/security/2015/07/how-the-way-you-type-can-shatter-anonymity-even-on-tor/

[2] http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=7358795

[3] https://archive.is/vCvWb

@adrelanos
Copy link
Member

adrelanos commented Mar 17, 2016

Confirmed. This affects anonymity / Whonix.

A very much needed project would be to write a program that mimics the functionality of the this add-on but on the display server / OS level. Ideally the solution would be compatible with Wayland for the upcoming transition in the near future.

Sounds like a great solution. Unfortunately this is outside my abilities. Help welcome!

@rootkovska
Copy link
Member

Looks like this could be a simple modification to Qubes GUI daemon. Of course would have to be opt-in enabled for select VMs only.

@andrewdavidwong andrewdavidwong added T: enhancement Type: enhancement. A new feature that does not yet exist or improvement of existing functionality. help wanted This issue will probably not get done in a timely fashion without help from community contributors. C: gui-virtualization privacy This issue pertains to data or information privacy through technological means. labels Apr 6, 2016
@andrewdavidwong andrewdavidwong added this to the Far in the future milestone Jun 7, 2016
andrewdavidwong added a commit that referenced this issue Jun 7, 2016
@sdffgh
Copy link

sdffgh commented Jul 28, 2016

Unfortunately there is no source code available for the add-on

There is! Chrome Extensions are just are zip files with some added metadata. If we unzip the extension's crx file, all the relevant code is a few lines in js/input.js.

See Tim's comment on https://paul.reviews/behavioral-profiling-the-password-you-cant-change/#comment-2165097313 where he includes a paste of the source code, the discussions below on the choices, and Paul's comment "If you strip away the fundamentals required to make a chrome extension, the code is just 13 lines long".

There is no license mentioned. One of you who knows more about licenses and legality can better decide how to proceed. If it's legal, maybe we could just reconstruct Paul's technique that he described publicly without looking at his code. The javascript basically just adds random delays and other implementation details are only meant to delay the js thread to disrupt timing of keystroke-initiated browser events, but that is unnessary if the delays are introduced outside the VM, and therefore outside the browser. In that case it is sufficient to just add random delays to keystroke times. The tests to confirm that this works against the bank fingerprinting demo are also very simple and can be reproduced if we're not sure that the new code has the same effectiveness as Paul's.

@adrelanos
Copy link
Member

Related:

@iacore
Copy link

iacore commented Jul 7, 2022

A simpler solution to this is to block tracking scripts using an ad blocker, and visit Facebook in separate VM (or don't visit at all).

Maybe running kloak in dom0 as sudo will work.

@adrelanos
Copy link
Member

A simpler solution to this is to block tracking scripts using an ad blocker, and visit Facebook in separate VM (or don't visit at all).

Blocking is a denylist approach and will always be a game of whack-a-mole and miss some things. Hence not a reliable approach. And not limited to facebook. I don't know if facebook does this. Could happen anyhwere.

Maybe running kloak in dom0 as sudo will work.

That would work but the kloak would needlessly apply to dom0 and all other VMs too. Since kloak might cause some (and currently even some nasty bugs such as vmonaco/kloak#31) I wouldn't recommend it.

@adrelanos
Copy link
Member

Quote #2558

kloak (anti keystroke deanonymization tool) currently cannot be used inside Qubes.

quote @marmarek:

Hmm, I was under impression it expect X server input device, not not Linux kernel input device. Qubes GUI agent do not expose the later. It shouldn't be hard to change that, but still it is some code change. Namely, rewrite this function (feed /dev/uinput instead of X input device).

@andrewdavidwong
Copy link
Member

@bluesteal: Please note that the issue tracker (qubes-issues) is not intended to be a place for fielding questions. Instead, we have other venues meant for asking questions, asking for help, and having discussions. (By contrast, the issue tracker is more of a technical tool intended to support our developers in their work.) Thank you for your understanding!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
C: gui-virtualization C: Whonix This issue impacts Qubes-Whonix help wanted This issue will probably not get done in a timely fashion without help from community contributors. P: default Priority: default. Default priority for new issues, to be replaced given sufficient information. privacy This issue pertains to data or information privacy through technological means. T: enhancement Type: enhancement. A new feature that does not yet exist or improvement of existing functionality.
Projects
None yet
Development

No branches or pull requests

7 participants
@adrelanos @HulaHoopWhonix @rootkovska @andrewdavidwong @sdffgh @iacore and others