Title: Question on Anonymity-Oriented System Design Using Genode

Hello Genode community,
I am currently learning Genode from a security and system-architecture perspective and would like to ask a focused question regarding an anonymity-oriented design.
Instead of porting Whonix directly, I am interested in whether a Whonix-like isolation model could be expressed using Genode’s capability-based architecture:
a strictly isolated network gateway component (Tor-only egress),
one or more application components with no direct network access,
explicit, minimal capability channels between them,
optionally running Tor inside a confined Linux subsystem.
At this stage, I am mainly looking for architectural guidance, not implementation instructions.
My main questions are:
Has Genode been used or discussed before in the context of Tor or anonymity-oriented designs?
From a Genode perspective, is confining Tor inside a Linux subsystem generally considered the most realistic approach?
Are there any Genode mechanisms or patterns that would naturally support this kind of strict network mediation?
I understand that Genode is not intended as a consumer anonymity OS; this is purely a learning and exploratory effort.
Any pointers, references, or critical feedback would be very helpful.
Best regards,

cocil

Welcome to the forum, and thank you for the interest in Genode!

Guided by a similar intuition as you expressed, we actually ported TOR to Genode in version 16.08. Unfortunately, after some years of neglect, it was ultimately removed again. However, the approach taken by the original port still holds today. So the release notes for version 16.08 could be a suitable starting point for your investigation.

For more recent network-gateway scenario to study, you may consider the release documentation about our port of WireGuard in version 22.05.

With respect to system architecture, I warmly recommend following the beaten tracks of Sculpt OS, which solves a lot of operating-system needs in a manner true to Genode’s (least-privilege) principles.

Have fun with exploring Genode!

I know there has been some discussion about Genode and other operating systems (Qubes, Tails, Subgraph) on the secure-os.org mailing list (available via Internet Archive). Again, like @nfeske mentioned, Tor was briefly available in Genode.

It may be easier to handle stream isolation as each application runs as a separate component, so you could handle each one over a different SOCKS port. Although, I am not sure as to the anonymity pros/cons of simply running the Tor process in Genode and using it as a transparent proxy. I am aware that one of the developers of Subgraph mentioned that they needed an application firewall in order to safely handle the torification of generic applications.

We felt that transparent torification is extremely risky without an application firewall,
as many applications may egress naively, exposing the host and the user to a
heightened possibility of interference by active attackers (i.e. MITM by hostile exit
node) or leak identifying user/location/platform/etc information that undermines
Tor and compromises user privacy.

Naive egress over Tor is very risky, this is why the TorBrowser exists. Most
applications were not developed for use over Tor.

Therefore the application firewall is so important that we can’t release an
alpha without it.

I am confused by this. Are you talking about running a separate Tor process, per component that needs to be torified, and then “a strictly isolated network gateway component (Tor-only egress)” that allows Tor traffic from those components specifically out to the Internet? If this is the case, then you should probably just transparent proxy the applications instead, at the “gateway component”. If I have misinterpreted this, please feel free to correct me.

A clear benefit of this approach over something like running a Whonix Gateway VM in Genode, is that the resource consumption would be much lower as you are only running a single, isolated Tor process. This also means that you can easily run multiple copies of Tor simultaneously, avoiding the issues that can arise when funnelling traffic through a single instance of Tor (traffic correlation), without using GBs of RAM to run a whole OS.

However, if we are talking about an “Anonymity-Oriented System”, then the TBB is likely a more important component that needs to arrive in Genode firsthand, before considering generic application proxying. While it is possible to install it into a VM, I would expect to have it natively running in an “Anonymity-Oriented System”.

If so, then you may want to consider other means of achieving anonymity such as Kloak. I think that it would be interesting to introduce a semi-random delay to all keyboard/mouse inputs (maybe via the event filter?), in order to defeat some forms of tracking. It would also be useful to make certain Genode-native components Tor-aware for handling .onion addresses e.g. a Genode depot served over an onion domain.

thanks

tickzip <notifications@genode.discoursemail.com> 于 2026年1月29日周四 01:20写道：