Whonix for anonymity
Creating a distribution for anonymity on the internet has its challenges. But it's important, especially for those living under repressive regimes. Getting the details right is clearly an overriding concern, which is why distributions of this kind tend to turn to Tor to provide that anonymity. But, Tor alone does not necessarily insulate users from disclosing personally identifiable information.
We looked at The Amnesic Incognito Live System (Tails)—a Tor-based live distribution—back in April 2011. But, regular applications or malware on a Tails system can potentially leak some information (e.g. IP address) that might be used to make a link between the user and their internet activity. The new Whonix distribution, which released an alpha version on October 9, uses virtualization to isolate the Tor gateway from the rest of the system, in part to eliminate those kinds of leaks.
Whonix is based on Debian and VirtualBox. It creates two separate virtual machines (VMs), one that runs all of the applications, and another that acts as a Tor gateway. All of the network traffic from the application VM (which is called the Whonix-Workstation) is routed through the Whonix-Gateway VM. That means the only network access available to applications is anonymized by Tor.
That setup has a number of benefits. For one, malware running on the Whonix-Workstation has no visibility into the actual configuration of the underlying system, so things like IP address, MAC address, hardware serial numbers, and the like, are all hidden. In addition, Whonix can be used in a physically isolated way, where the Workstation and Gateway run on two separate machines. It isn't only Linux that can be protected with Whonix, either, as Windows or other operating systems can be installed as the Whonix-Workstation.
The iptables rules on the workstation redirect all traffic to the gateway and disallow any local network connections. In addition, the firewall on the gateway fails "closed", disallowing any connections if Tor fails. Whonix also configures the system and various applications to reduce or eliminate information leaks. That includes using UTC for the time zone, having the same desktop resolution, color depth, and installed fonts on all installations, and setting the same virtual MAC address on all workstations. The user on Whonix is "user" and applications like GPG are configured to not leak operating system version information.
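One way to check the fail-closed property described above is to audit an `iptables-save` dump from the gateway. This is an added example, not Whonix's own code or ruleset; the interface `eth1`, Tor uid `105`, port `9040` and the names `opt` and `audit` are assumptions made for the illustration.

```python
import shlex

# Constructed iptables-save dumps for a hypothetical gateway (not Whonix's rules).
# Assumed: eth1 faces the workstation, Tor runs as uid 105, TransPort is 9040.
GOOD = """*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i eth1 -p tcp -m tcp --dport 9040 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m owner --uid-owner 105 -j ACCEPT
COMMIT
"""
# Same dump with three mistakes that let traffic leave without going through Tor.
WEAK = (GOOD.replace(":OUTPUT DROP", ":OUTPUT ACCEPT")
        .replace("-A OUTPUT -o lo", "-A FORWARD -i eth1 -j ACCEPT\n-A OUTPUT -o lo")
        .replace("--uid-owner 105", "! --uid-owner 105"))

def opt(tok, name):
    """Value after option `name`; None if absent or negated with '!'."""
    if name not in tok:
        return None
    i = tok.index(name)
    return None if tok[i - 1] == "!" or i + 1 >= len(tok) else tok[i + 1]

def audit(dump, tor_uid="105"):
    """Return findings; an empty list means nothing leaves unless Tor sends it."""
    findings, table, policy = [], None, {}
    for line in map(str.strip, dump.splitlines()):
        if line.startswith("*"):
            table = line[1:]                      # start of a new table section
        elif table != "filter":
            continue                              # only the filter table decides
        elif line.startswith(":"):
            chain, pol = line[1:].split()[:2]     # ":OUTPUT DROP [0:0]"
            policy[chain] = pol
        elif line.startswith("-A") and opt(shlex.split(line), "-j") == "ACCEPT":
            tok = shlex.split(line)
            if tok[1] == "FORWARD":               # forwarding would bypass Tor
                findings.append("FORWARD accepts traffic: " + line)
            elif tok[1] == "OUTPUT" and opt(tok, "-o") != "lo" and opt(tok, "--uid-owner") != tor_uid:
                findings.append("OUTPUT accept not limited to Tor: " + line)
    for chain in ("INPUT", "FORWARD", "OUTPUT"):
        if policy.get(chain) != "DROP":
            findings.append(f"{chain} default policy is {policy.get(chain)}, not DROP")
    return findings
```

With default-drop policies, no forwarding, and outbound traffic accepted only from the Tor process, a stopped Tor daemon leaves no path out of the gateway, which is what `audit(GOOD)` confirms and `audit(WEAK)` reports as broken.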
As envisioned, Whonix is a framework that is "agnostic about everything", including using alternatives for the anonymized network (e.g. JonDo, freenet), virtualization mechanism (e.g. KVM, Xen, VMWare), and host and guest operating systems (e.g. Windows, *BSD). Any of those pieces can be swapped out "with some development effort", but the developers are concentrating on the Debian/VirtualBox/Tor combination, at least currently.
Isolating applications in a single VM does not protect against all anonymity-piercing attacks. Malware can (and does) send the contents of files to remote hosts, which can, obviously, provide personally identifiable information. The Whonix documentation suggests using multiple workstation VMs, one for each type of activity. That idea is, in some ways, similar to the concept behind Qubes, another virtualization-based security-oriented operating system.
The security of Whonix is obviously dependent on its constituent parts, including the Linux kernel, VirtualBox, and Tor itself, but it also depends on how the system has been put together as well. It is perhaps not a surprise that the developer behind Whonix is pseudonymous, "adrelanos", but he or she seems keenly aware that vetting of Whonix is required before users can potentially put their lives at risk by using it. The release announcement says: "I hope skilled people look into the concept and implementation and fail to find anonymity related bugs." As with most (all?) projects, Whonix is also looking for more developers to work on it.
The project does come with an extensive Security document that covers the technology behind Whonix, its advantages and disadvantages, threat model, best practices, and so on. It also has an in-depth comparison of Whonix with Tails and the Tor Browser Bundle, which is a browser configured to use Tor and to avoid leaking identifiable information. Whonix is an ambitious project that overlaps with Tails to some extent (though there is an extensive justification for having separate projects), but the projects do collaborate, which bodes well for both.