VM Live Mode: Stop Persistent Malware

From Kicksecure

VM Live Mode boot option selected in boot menu. (more screenshots)

Users can optionally run Kicksecure ™ as a live system. FREE Either by using:

This is unavailable in Kicksecure ™ for Qubes, but available in all other Kicksecure ™ variants.

The primary objective of VM live mode is preventing malware from gaining persistence and having an unchanged system after each reboot. This is also useful for improved storage device privacy as well as experimental changes like testing software.

  • Windows logo - 2012.svg.png Rsz osx.png Tux.png Any host operating system: Follow instructions on this wiki page to selectively run Kicksecure ™ virtual machine (VM) in Live Mode.
  • Debian.png Tux.png Debian hosts: It is possible to boot your existing, installed Debian host operating system into Live Mode by following the Host Live Mode wiki page instructions.

If you are interested in installation of Kicksecure ™ on USB, see Kicksecure ™ on USB.

Introduction[edit]

Booting into live mode will ensure all disk writes to the virtual hard drive are forgotten after shutdown because all writes go to volatile memory (RAM) instead of the hard disk. In other words, after shutdown everything that happened during a previous boot session will not be visible (persist) on the virtual hard drive, including:

  • everything that is created / changed / downloaded in the virtual machine (VM);
  • any websites visited, files downloaded or documents created; and
  • any other modifications of the virtual hard drive or activity history.

This also holds true for malicious changes made by malware, except when:

Info Tip: Since live mode makes each write go to RAM, increasing the memory assigned to the VM will improve performance; for example, if large files are regularly downloaded.

Warnings[edit]

Table: VM Live Mode Warnings

Domain Recommendations
Forensics By itself, starting a VM in live mode is not amnesic. Many users are unaware that activities performed inside the VM might be stored on the host mass storage device (hard drive, HDD, SSD) in locations that are hard to review (for the majority). Extra steps must be performed on the host operating system to minimize these traces -- see Anti-Forensics Precautions, or better, use Host Live Mode.
Malware To prevent malware from remounting the hard drive as read-write it is strongly recommended to use read-only hard drive mode. This raises the bar as malware would need to break out of the VM to gain persistence.
Other Precautions
  • Kicksecure ™: It is recommended to regularly boot into persistent mode for installation of updates.
  • Kicksecure ™: If live mode is used with Kicksecure ™, regularly booting into persistent mode is important to keep Tor's normal guard rotation schedule.
  • KVM: Hard shutdowns of a VM can prevent loading of the filesystem with a read-only marked drive on next boot. Do not use 'Force Off/Reset' on KVM to avoid this possibility.

Live Mode on Kicksecure ™[edit]

The first start of Kicksecure ™ should not use live mode. This will allow Tor to make use of Tor Entry Guards.

From the second start of Kicksecure ™ it is recommended to run it in live mode. This should eliminate any Tor-related, cached data like DNS requests that could leave traces about web activity. However be warned that it may make your Tor behavior distinguishable from regular Tor users:

  • Consensus files: These files will be (re-)downloaded more frequently.
  • Tor guards: When switching to a new guard after some months have passed. [2]

Instructions[edit]

1. Shut down the Kicksecure ™ VM.

2. Power on the Kicksecure ™ VM.

3. During the grub boot menu wait until you see the following.

Develop a very basic understand of the following screenshot. Consider the explanation below. Expected time requirement: 1 - 3 minutes.

Figure: Persistent Mode Boot

Persistent Mode Boot

The following screenshot shows 4 boot options in the boot menu.

  • Asterisk symbol.png Kicksecure GNU/Linux
  • Advanced options for Kicksecure GNU/Linux
  • Kicksecure Live-mode GNU/Linux
  • Advanced options forKicksecure Live-mode GNU/Linux

The Asterisk symbol.png in the first option indicates that this is the currently selected boot option.

The white text color on the blue background further indicates the currently selected boot option. Other boot options currently unselected have light blue text color.

This is also illustrated by the first option with the Asterisk symbol.png Kicksecure GNU/Linux also being written in white color instead of light blue color.

4. Use the arrow key on the keyboard to switch to live mode.

Figure: Live Mode Boot (non-persistent)

Live Mode Boot

5. Press enter.

6. Done.

The system is booting into live mode.

Functionality Test[edit]

Create a new file in your home directory then reboot (assuming you were already booted in the live mode from the boot menu) then restart the VM. You should not see that file anymore.

Miscellaneous[edit]

In the future, running Kicksecure ™ from a Live DVD or Live USB might be supported.

VM Live Mode vs VM Snapshots[edit]

Starting with a clean VM snapshot and later reverting to that snapshot should be even safer than VM live mode. That is because snapshots are enforced from outside the VM. In other words, snapshots are enforced by the virtualizer on the VM. Therefore more secure.

It is also worth mentioning that running VM live mode takes up more RAM that is allocated to the guest, since it runs the OS entirely in the memory. That means in some worse cases, it's more likely for VM live mode to run into disk thrashing, where the VM uses up all the allocated memory, and becomes significantly slower. The snapshot approach doesn't have this problem with RAM.

It is difficult to imagine a case currently where the combination of VM live mode in combination with reverting to a clean snapshot would be even safer. Perhaps in case there was a virtualizer bug with snapshots and/or user error forgetting to revert to a snapshot.

For even more security, the user could consider Host Live Mode or even host disk snapshots, that is Raw Disk Backup and restoration which would unfortunately be more cumbersome and time intensive.

Technical Details[edit]

Most users can skip this chapter. See livecheck.sh for further script details.

  • The meaning of 0 in lsblk output is read-write.
  • The meaning of 1 in lsblk output is read-only.

If anything in coloumn RO is set to 0, then it is not blessed read-only hard drive mode.


Example lsblk without any snapd installed, Kicksecure, live mode, and read-only hard drive mode enabled.

sudo lsblk --all
NAME   MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
sda      8:0    0  100G  1 disk
└─sda1   8:1    0  100G  1 part /lib/live/mount/medium

Example lsblk without any snapd installed, Kicksecure, live mode, and read-only hard drive mode disabled.

sudo lsblk --all
NAME   MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
sda      8:0    0  100G  0 disk
└─sda1   8:1    0  100G  0 part /lib/live/mount/medium

Example lsblk with snapd and WickrMe installed, Kicksecure ™, persistent mode, and read-only hard drive mode disabled.

sudo lsblk
NAME   MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
loop0    7:0    0 62.1M  1 loop /snap/gtk-common-themes/1506
loop1    7:1    0  446M  1 loop /snap/wickrme/352
loop2    7:2    0   55M  1 loop /snap/core18/1754
sda      8:0    0  100G  0 disk
└─sda1   8:1    0  100G  0 part /lib/live/mount/medium
sr0     11:0    1 1024M  0 rom

See Also[edit]

Footnotes[edit]

  1. There are two live mode options available, grub-live and ro-mode-init.
  2. https://forums.whonix.org/t/whonix-live-mode-amnesia-amnesic-non-persistent-anti-forensics/3894/127


Unfinished: This wiki is a work in progress. Please do not report broken links until this notice is removed, use Search Engines First and contribute improving this wiki.