Bug 1318813

Summary: Feature Request: Add randomly preset well gap times for keyboard input for Virt-Viewer/SPICE to counter profiling
Product: [Community] Virtualization Tools
Component: virt-viewer
Reporter: bancfc
Assignee: Daniel Berrangé <berrange>
Status: CLOSED DEFERRED
Severity: unspecified
Priority: unspecified
Version: unspecified
CC: rbalakri, xen-maint
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Type: Bug
Last Closed: 2016-12-27 02:17:44 UTC

Description bancfc 2016-03-17 22:24:51 UTC
Summary: When discussing how to defeat keystroke pattern fingerprinting it was suggested by Martin that changes could be made at the virt-viewer/spice client level to send keyboard events with randomly preset dwell and gap times. (This feature should take into account that the Guest-side spice server is untrusted).

https://www.redhat.com/archives/libvir-list/2016-March/msg00578.html
https://www.redhat.com/archives/libvir-list/2016-March/msg00676.html


This proposed feature can be tested against these demo sites:
https://keytrac.net
https://www.behaviosec.com/
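
The re-timing requested in the description, sketched as an added example (not code from virt-viewer, SPICE or any project named in this report): each keyboard event is held for a random delay of up to `max_delay_ms` before it is forwarded, and event order is preserved. Bounded random delay is one assumed way to randomise dwell and gap times; the event tuple layout, function names and sample keystrokes are constructed for illustration.

```python
import random

# Constructed sample: (time_ms, key, action) as read from the user's keyboard.
SAMPLE = [
    (0, "h", "down"), (95, "h", "up"),
    (180, "i", "down"), (262, "i", "up"),
    (900, "!", "down"), (1010, "!", "up"),
]

def obfuscate(events, max_delay_ms=100, rng=None):
    """Re-time events: hold each one for a random 0..max_delay_ms.

    An event is never forwarded before the one that preceded it, so a
    key-up cannot overtake its key-down. Because arrivals are ordered,
    the total added latency per event stays within max_delay_ms.
    """
    rng = rng or random.SystemRandom()  # OS entropy unless a test RNG is passed
    out, prev_release = [], 0
    for t, key, action in events:
        release = max(prev_release, t + rng.randint(0, max_delay_ms))
        out.append((release, key, action))
        prev_release = release
    return out

def dwell_and_gap(events):
    """Extract the two features a keystroke profiler measures.

    dwell: key-down to key-up of the same key
    gap:   key-up to the next key-down
    """
    dwell, gap, down_at, last_up = [], [], {}, None
    for t, key, action in events:
        if action == "down":
            if last_up is not None:
                gap.append(t - last_up)
            down_at[key] = t
        else:
            dwell.append(t - down_at.pop(key))
            last_up = t
    return dwell, gap

if __name__ == "__main__":
    print("typed:    ", dwell_and_gap(SAMPLE))
    print("forwarded:", dwell_and_gap(obfuscate(SAMPLE)))
```

Each forwarded dwell or gap differs from the typed one by at most `max_delay_ms`, so pauses much longer than that bound still show through; the bound trades typing latency against how much timing detail is hidden.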

Comment 1 bancfc 2016-03-18 22:03:48 UTC
Update after reporting this bug in other places:

Genode, a microkernel OS, has modified its code and VirtualBox to defeat this.

Qubes, a Xen variant, will add a fix to their SPICE daemon equivalent to deal with it.

TAILS recognized the need for an OS-level tool to defeat this technique since they run on bare metal.

Comment 2 Daniel Berrangé 2016-03-22 17:02:38 UTC
Per my reply on the mailing list, I think this is a feature best done in either Xorg/Wayland, or even the Linux kernel. That way all applications benefit from the protection, not just stuff running inside virtual machines.

Comment 3 bancfc 2016-03-24 13:29:15 UTC
I am in contact with devs on the Wayland/X and kernel lists:

https://lists.freedesktop.org/archives/wayland-devel/2016-March/027607.html
https://lists.x.org/archives/xorg-devel/2016-March/049159.html
https://marc.info/?l=linux-kernel&m=145877344732456&w=2


I will keep track of this and hopefully something is done about it upstream. So far I received feedback from a Wayland developer. Nothing from kernel even though there is consensus that the input subsystem is where it belongs. 

QEMU/Spice would be a last resort if no other level intervenes?

Comment 4 bancfc 2016-03-28 22:12:24 UTC
The discussion on the Wayland mailing list has stalled with developers refusing to implement this on a system level (even if optional). 

The last hope for this to be implemented for Linux is in the virtualization layer. Please add this feature when you can.


Related:

It's sad how proprietary OSs like Windows 10 are actively analyzing keystrokes by default while no one wants to counteract this in Libre systems.

(translation/summary. Article is in German)

"Windows 10 generates advertising-IDs for everyone. The information
Win10 transmits by default are (among other things):

- location of device
- browser history
- favorites
- which apps are installed from the Windows Store
- and data for input-personification. this includes biometrical data of
pronunciation (cortana), writing style (handwriting) and how the user
types on windows devices."

http://www.heise.de/newsticker/meldung/Windows-10-Neue-Datenschutzbestimmungen-Windows-wird-zur-Datensammelstelle-2765536.html

Comment 5 bancfc 2016-12-27 02:17:44 UTC
A privacy researcher has kindly volunteered to write tools that mitigate these attacks. A working prototype has been released:

https://github.com/vmonaco/kloak 

By running it on the host it should provide protection for all VMs as well.