Bug 1318813

Summary: Feature Request: Add randomly preset dwell and gap times for keyboard input for Virt-Viewer/SPICE to counter profiling
Product: [Community] Virtualization Tools Reporter: bancfc
Component: virt-viewer Assignee: Daniel Berrangé <berrange>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: unspecified CC: rbalakri, xen-maint
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-12-27 02:17:44 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description bancfc 2016-03-17 22:24:51 UTC
Summary: When discussing how to defeat keystroke pattern fingerprinting, it was suggested by Martin that changes could be made at the virt-viewer/spice client level to send keyboard events with randomly preset dwell and gap times. (This feature should take into account that the Guest-side spice server is untrusted).


This proposed feature can be tested against these demo sites:

Comment 1 bancfc 2016-03-18 22:03:48 UTC
Update after reporting this bug in other places:

Genode, a microkernel OS, has modified its code and VirtualBox to defeat this.

Qubes, a Xen variant, will add a fix to their SPICE daemon equivalent to deal with it.

TAILS recognized the need for an OS-level tool to defeat this technique since they run on bare metal.

Comment 2 Daniel Berrangé 2016-03-22 17:02:38 UTC
Per my reply on the mailing list, I think this is a feature best done in either Xorg/Wayland, or even the Linux kernel. That way all applications benefit from the protection, not just stuff running inside virtual machines.

Comment 3 bancfc 2016-03-24 13:29:15 UTC
I am in contact with devs on the Wayland/X and kernel lists:


I will keep track of this and hopefully something is done about it upstream. So far I received feedback from a Wayland developer. Nothing from kernel even though there is consensus that the input subsystem is where it belongs. 

QEMU/Spice would be a last resort if no other level intervenes?

Comment 4 bancfc 2016-03-28 22:12:24 UTC
The discussion on the Wayland mailing list has stalled with developers refusing to implement this on a system level (even if optional). 

The last hope for this to be implemented for Linux is in the virtualization layer. Please add this feature when you can.


It's sad how proprietary OSs like Windows 10 are actively analyzing keystrokes by default while no one wants to counteract this in Libre systems.

(translation/summary. Article is in German)

"Windows 10 generates advertising-IDs for everyone. The information
Win10 transmits by default includes (among other things):

- location of device
- browser history
- favorites
- which apps are installed from the Windows Store
- and data for input-personification. This includes biometric data of
pronunciation (Cortana), writing style (handwriting) and how the user
types on Windows devices."


Comment 5 bancfc 2016-12-27 02:17:44 UTC
A privacy researcher has kindly volunteered to write tools that mitigate these attacks. A working prototype has been released:


By running it on the host it should provide protection for all VMs as well.
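
The mitigation requested in the description (the client forwarding key events with randomized dwell and gap times), sketched as an added example; it is not code from virt-viewer, SPICE, or the prototype mentioned in comment 5. The event tuples, the function names `obfuscate` and `timings`, and the 100 ms bound are assumptions made for illustration.

```python
import random

# Constructed sample: (time_ms, key, action) as the client would capture them.
SAMPLE = [(0, "h", "down"), (95, "h", "up"), (180, "i", "down"),
          (262, "i", "up"), (400, "!", "down"), (470, "!", "up")]


def obfuscate(events, max_delay_ms=100, rng=None):
    """Delay each event by a random amount before forwarding it to the guest.

    Assumes non-negative, non-decreasing capture timestamps.
    """
    rng = rng or random.SystemRandom()  # OS CSPRNG, so delays are not guessable
    out, prev_release = [], 0
    for t, key, action in events:
        # Never release before the previous event, or keystrokes would reorder.
        lower = min(max(prev_release - t, 0), max_delay_ms)
        release = t + rng.randint(lower, max_delay_ms)
        out.append((release, key, action))
        prev_release = release
    return out


def timings(events):
    """Return (dwell_ms, gap_ms) lists: what a profiler in the guest measures."""
    down_at, dwell, gap, last_up = {}, [], [], None
    for t, key, action in events:
        if action == "down":
            if last_up is not None:
                gap.append(t - last_up)  # previous key-up to this key-down
            down_at[key] = t
        elif key in down_at:
            dwell.append(t - down_at.pop(key))  # key-down to key-up, same key
            last_up = t
    return dwell, gap


if __name__ == "__main__":
    print("captured :", timings(SAMPLE))
    print("forwarded:", timings(obfuscate(SAMPLE)))
```

Because the delays are applied on the client before events reach the guest, this matches the description's requirement that the guest-side server is untrusted; `max_delay_ms` trades typing latency for how much of the original rhythm is masked.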