Determining how isolated TBB activity is from VM host?

Discussion in 'privacy technology' started by Palancar, Mar 3, 2016.

  1. Palancar

    Palancar Registered Member

    Joined: Oct 26, 2011
    Posts: 1,594
    Just starting a journey on something. Readers in this forum always get "preached" at about compartmentalization, which I support and understand. For the purposes of this post/thread I would like to look at ways to determine just how isolated my TBB workspace activity is from the hosting Linux VM.

    So let's construct a simple example. Computer is running Linux bare metal host and is also hosting vpn1. Next we go to vpn2 (VM) and then we go to and are inside a Workspace running Linux VM that is NAT/Bridge to vpn2.

    At this point my post and this thread starts:

    I will not argue and we don't need to debate that completely separate VMs for every TBB instance would likely be more secure. That is not my purpose here. For lighter threat model sites, such as here at Wilders, I have decided at times to use multiple instances of the TBB "package" where each site uses its own individual TBB folder and setup. In keeping with the scheme presented in the example here that means that Wilders would have its own TBB sitting on the desktop of the Linux workspace VM, and that desktop is NAT/Bridge to VPN2. Now when I access this site via the TBB it creates the 3 hop TOR circuit AFTER the two vpns in front of it. So far pretty easy to do and hopefully understand where we are at this point.

    But a question arises after spending a few hours here. By clicking on links within this forum, which may be referenced in various members' posts, and/or making my own posts, just how much (if any) of my workspace activity might have leaked from the TBB to the hosting VM? The answer to this question is high priority to me. There are other TBB folders on the workspace VM desktop, which I only use when accessing those particular light threat model sites as well. Obviously, even though the threat model is low I am wanting to avoid cross-contamination if these TBBs are leaking since they are all hosted by a common VM. It is child's play to delete the various TBBs and copy new virgin ones at will, which is even better than snapshot restores.

    This is a learning exercise, hopefully.

    Do any of you guys have any links or ideas of where I might start this project?


    To avoid confusion this example/model is NOT one I would use while on the deep web, especially while on hidden servers with more than a light threat model.
     
  2. mirimir

    mirimir Registered Member

    Joined: Oct 1, 2011
    Posts: 6,030
    Tor browser isolates activity in one tab from activity in other tabs. It's also designed to hide activity from Windows. So there's a pretty good chance that multiple Tor browser instances are well isolated. Two major leak risks come to mind, however. First, if the OS gets pwned, it's game over. Second, there's risk from saved files that phone home. You should have firewall rules that block all outgoing traffic, except via Tor.
     
  3. Palancar

    Palancar Registered Member

    Joined: Oct 26, 2011
    Posts: 1,594
    You used the "W" word - now go wash your mouth out with soap. You know me better than that! LOL!!

    I have been looking around in my VM and I don't see activity from TBB leaking to the machine. I delete (BleachBit) the VM, and clone from a clean virgin VM every week or so, but this means I don't have to do it every single day.

    I am comfortable with this procedure for light threat model needs. The higher threat model DW services stuff gets snapshot(s) every session. Add Whonix.


    Still open to investigative tools if something comes to anybody's mind on this. Thanks.
     
  4. deBoetie

    deBoetie Registered Member

    Joined: Aug 7, 2013
    Posts: 1,150
    Location: UK
    Have you been considering Firejail in this context? That would potentially give you multiple profiles for different activities, with different wipe policies.
     
  5. Palancar

    Palancar Registered Member

    Joined: Oct 26, 2011
    Posts: 1,594
    Not actually.

    My focus is dual: Isolation is high priority. Common TOR fingerprint is also high priority. i.e. - isolate and blend in like all other TOR users.

    I have a TBB used in ONE site location. TBB in default settings other than NoScript fully on. Of course the minute I close the TOR browser all is gone, or so I have tried to configure that!


    I believe this configuration meets and even exceeds my needs for light threat model, provided minimal or no leaks to the hosting VM.
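
One way to start on the question this thread asks, as an added example that is not from any poster: snapshot the workspace VM's home directory before a TBB session, snapshot it again after closing the browser, and list every file outside the TBB folder that appeared, vanished or changed. The folder name `tbb-wilders` and the files written in `demo()` are constructed for illustration; the check only sees writes to disk, not network traffic or in-memory state.

```python
import hashlib
import os
import tempfile


def snapshot(root, exclude=()):
    """Map relative path -> sha256 for regular files under root, pruning `exclude` dirs."""
    skip = {os.path.normpath(e) for e in exclude}
    state = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        # Prune in place so os.walk never descends into an excluded TBB folder.
        dirnames[:] = [d for d in dirnames
                       if os.path.normpath(os.path.join(rel, d)) not in skip]
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # skip symlinks, sockets and FIFOs
            try:
                with open(path, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
            except OSError:
                digest = "unreadable"
            state[os.path.relpath(path, root).replace(os.sep, "/")] = digest
    return state


def diff(before, after):
    """Files added, removed or changed between two snapshots."""
    both = before.keys() & after.keys()
    return {"added": sorted(after.keys() - before.keys()),
            "removed": sorted(before.keys() - after.keys()),
            "changed": sorted(p for p in both if before[p] != after[p])}


def demo():
    """Constructed session in a throwaway home; folder and file names are made up."""
    with tempfile.TemporaryDirectory() as home:
        def write(relpath, text):
            path = os.path.join(home, relpath)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(text)
        write("tbb-wilders/prefs.js", "clean")
        write(".config/app.conf", "v1")
        before = snapshot(home, exclude=["tbb-wilders"])
        write("tbb-wilders/prefs.js", "session")  # inside the TBB folder: ignored
        write("Downloads/saved.pdf", "%PDF")      # new file outside it: reported
        write(".config/app.conf", "v2")           # existing file rewritten: reported
        return diff(before, snapshot(home, exclude=["tbb-wilders"]))
```

On a real workspace VM, call `snapshot()` on the home directory with every TBB folder in `exclude` before launching the browser and again after closing it, then pass both results to `diff()`.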
     