28

I've heard advice that to further protect my anonymity/privacy it's best to run Tor (the Tor Browser Bundle) in a Virtual Machine, which you would ideally roll back after each use.

What extra security, if any, does this provide?

Roya
Tom Medley

4 Answers

21

There are several anonymity concerns when you use your main machine for communication. Running a separate secured OS will give you advantages when you use software with Tor other than just the Firefox in the Tor Browser Bundle, which is considerably secured. The separate secured OS can also help you against possible information leak vulnerabilities in Firefox.

  • Your machine contains and collects information which could be used for your identification. Examples are: host name, IP address, state information and configuration of various applications. This should not be a problem if you use the Tor Browser Bundle properly as in most cases it should not leak the information which is stored outside of the bundle package.
  • Various versions (and default configurations) of your software, including the operating system, can possibly be identified from your communication. It is advisable to use the least customized software possible. The Tor Browser Bundle already solves this for the included software (Tor, Firefox, Vidalia Bundle). To be more secure, you should use a complete secured operating system with a unified configuration so that you cannot be identified when versions of various parts of it get revealed. An example of such an OS is Tails.
  • An OS like Tails makes information leaks less probable by not allowing clear-text communication. If possible, it transparently redirects all traffic to the Tor network regardless of the applications used and their possible vulnerabilities. Furthermore, Tails is able to separate unrelated traffic into different Tor circuits.
  • By reverting the state of the OS after each use, either by using a live OS without permanent data storage or a virtual machine with non-persistent storage, you avoid long-term storage of the information which could lead to your identification.
  • Various hardware information can leak through your communication (display resolution, size of RAM...). When you use a unified OS running inside a virtual machine, you can prevent discovery of most of the hardware-related information.
  • By using a separate OS you lessen the probability of leaking information from your Tor sessions in your open communication (e.g. requests to the .onion domain).
  • You can safely control the communication from the virtual machine while your main OS is running.
  • You can easily encrypt the virtual machine image and in case of emergency you can eventually destroy the encryption key.

Ideally, if all Tor users used the same OS running in the same virtual machine on the same virtualization platform, they would be almost indistinguishable from each other.

TN888
12

Some advantages and some concerns to point out, partly in reference to pabouk's answer:

Good Stuff

  1. When you run a Tor VM, chances are high that the VM software is based on some operating system other than Windows. Because Windows still has a huge market share, most publicly-known software vulnerabilities target Windows, and most man-hours spent researching security vulnerabilities are spent on Windows-based software, or Windows itself. The reason being, if an exploit is successful, it can impact a huge number of victims. If you find a vulnerability in FreeBSD, you might be able to exploit a few servers or a handful of browsers, but nothing on the scale of a Windows or Mac OS X bug. So just by using Linux or BSD, you are immediately reducing your attack surface by a large factor, simply because unresolved security bugs are simply not commonly found on these platforms, and when they are found, they are fixed expeditiously, in the open, and everyone can audit the fix to make sure it's correct.

  2. You can encounter some pretty nasty folks using Tor or participating in the Tor infrastructure. They will try to exploit your browser to gain remote access, inject code, etc. If they succeed, your chances of not having your personal data / identity stolen are greatly reduced if they compromise the virtual machine, versus your host computer. Virtual machines aren't impossible to penetrate, but it creates another barrier that the attacker has to think about and get through. All major virtualization software is designed with security in mind, the goal being to make it very difficult or impossible to penetrate the host<->VM barrier (although you can easily shoot yourself in the foot there with configuration settings or by using things like guest additions that allow you to read and write the host filesystem).

Worrying Stuff

  1. It would be a bad thing if most or all Tor users ran the same virtual machine platform, with the same browser, operating system, versions, etc. Users, especially non-technical users, can be thought of like prey animals -- when they are threatened by a predator, the best way for them to deal with it is to scatter in all directions. That way the predator has to pick one or two of them to go after, but not even a very fast predator could catch all of the prey. Most of them will escape. If all our users are going in the same direction (using the same software configuration), a single successful attack will breach thousands or millions of systems. Diversity is key. If a lot of other people are using Linux VMs to run Tor, a smart user will run FreeBSD. If FreeBSD becomes popular, run Solaris. If Solaris becomes popular, run GNU/Hurd! If GNU/Hurd becomes popular, STOP; the FSF has won and we can all lay down our pitchforks and knives. ;)

  2. Non-technical users may be lulled into a false sense of security by learning that VMs provide a layer of protection. Furthermore, if we provide simple "click-wrap" installers for VMs for people to use, they may not understand the full security implications, and security updates would have to be automatically enabled, or else users could be running vulnerable software and not even know it.

allquixotic
6

I generally agree with the pros and cons of VMs presented by others here, provided you control the physical host as well.

If you do not (for example, you're running a VM on a public cloud provider), the operator can see all the memory in your VM, which is pretty much game over for anonymity. You need to be the judge of how likely this is and what is at risk if your anonymity is compromised.

So, for reasons others have stated, running Tails in a VM on your laptop is probably a good idea; running a hidden service on EC2 is probably not.

Jon Proulx
5

There is a whole bunch of pros and cons about this.

One of the biggest advantages is that proxy bypass bugs in Tor Browser when using a Transparent Proxy (anonymizing middlebox!) or an Isolating Proxy design won't reveal your real IP address. Also, with such a design, (root) exploits against your client software (e.g. the browser) won't instantly reveal your real IP address. Exploits still matter, because once your virtual machine is compromised, an attacker can see everything you do inside the VM, and can try to escalate to your host as well.

A big disadvantage is that it's not as simple to use, in terms of usability. There is administration overhead (updating more than one operating system), higher system requirements... The biggest disadvantage is that there are no amnesic Tor VMs yet.

mirimir
adrelanos
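The answers above warn that shared folders and guest additions weaken the host<->VM barrier, and that an isolating-proxy design only helps if the browser VM has no network path of its own. The following is an added example, not code from any of the posters: a configuration audit that assumes VirtualBox (not named on the page) and its `VBoxManage showvminfo <vm> --machinereadable` output; the VM name, network name and sample values are constructed.

```python
import re

# Constructed sample in the key="value" format printed by
# `VBoxManage showvminfo <vm> --machinereadable`; not from a real machine.
SAMPLE = '''\
name="tor-workstation"
nic1="nat"
nic2="intnet"
intnet2="torgw"
clipboard="bidirectional"
draganddrop="disabled"
SharedFolderNameMachineMapping1="downloads"
SharedFolderPathMachineMapping1="/home/user/Downloads"
'''

# NIC modes that give the guest its own route to outside networks,
# so traffic can bypass a separate Tor gateway VM. Host-only adapters
# reach the host rather than the internet and are not flagged here.
DIRECT_MODES = {"nat", "natnetwork", "bridged"}

def parse(text):
    """Turn key="value" lines (keys may be quoted too) into a dict."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r'^"?([^"=]+)"?=(.*)$', line.strip())
        if m:
            cfg[m.group(1)] = m.group(2).strip('"')
    return cfg

def audit(text):
    """List settings that weaken host/guest isolation or allow direct egress."""
    findings = []
    for key, val in sorted(parse(text).items()):
        if re.fullmatch(r"nic\d+", key) and val in DIRECT_MODES:
            findings.append(f"{key}={val}: guest has a network path that skips the Tor gateway")
        elif key.startswith("SharedFolderPathMachineMapping"):
            findings.append(f"shared folder exposes host path {val} to the guest")
        elif key in ("clipboard", "draganddrop") and val != "disabled":
            findings.append(f"{key}={val}: data channel between guest and host")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("WARN", finding)
```

A workstation VM whose only adapter is an internal network shared with the gateway VM, with clipboard, drag-and-drop and shared folders disabled, produces no findings.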