CPUID

A checked version of this page, approved on 31 July 2022, was based on this revision.

CPUID Copy or share this direct link! Click = Copy Copied to clipboard! https://www.kicksecure.com/wiki/CPUID?oldid=59606#CPUID Click below ↴ = Copy to Clipboard Click = Copy Copied to clipboard! [[CPUID#CPUID|CPUID]]
Copy as Wikitext Click = Copy Copied to clipboard! [CPUID](https://www.kicksecure.com/wiki/CPUID?oldid=59606#CPUID)
for Discourse, reddit, GitHub Click = Copy Copied to clipboard! [CPUID](https://www.kicksecure.com/wiki/CPUID?oldid=59606#CPUID)
Copy as Markdown Click = Copy Copied to clipboard! [url=https://www.kicksecure.com/wiki/CPUID?oldid=59606#CPUID]CPUID[/url]
Copy as phpBB Click below ↴ = Open social URL with share data We don't use embedded scripts This share button is completely self-hosted by this webserver. No scripts from any of the social networks are embedded on this webserver. See also Social Share Button.

Two cases.

A) Remote CPUID: Even if the user has JavaScript enabled in their browser, websites cannot remotely detect the user's CPU model and capabilities.
B) Local CPUID: Unfortunately, locally running applications can use the non-privileged CPU instruction CPUID. This cannot be prevented.

The technical background of these two cases is being elaborated below.

CPUID technical background:

Importance of this wiki chapter: If the reader is time-poor, the rest of the text inside this box can be skipped.
Affected operating systems: All. This issue is unspecific to Kicksecure.
Affected computers: All Intel and AMD CPUs are affected since 1993.
workarounds available? None. There are no virtualizers capable to hide this information. ^[1]
CPUID technical introduction: Quote cpuid man page (Underline added.):
- The CPUID instruction can be directly executed by a program using inline assembler. However this device allows convenient access to all CPUs without changing process affinity. Most of the information in cpuid is reported by the kernel in cooked form either in /proc/cpuinfo or through subdirectories in /sys/devices/system/cpu. Direct CPUID access through this device should only be used in exceptional cases.
Remote websites: Cannot fingerprint the user to remotely detect the the user's CPU model and capabilities. There are no test pages that claim to do it. One websites might make a first impression that it can be done, but it's not possible, see cpuid visualizer browser test. CPUID in JavaScript cannot do it either. While JavaScript is often viewed as synonym with the browser, JavaScript can also be used with out a browser. The CPUID in JavaScript might work with JavaScript on a server but not with JavaScript in a browser.
- Popular demand by many website owners: Many people asked about this generally on stackexchange (detecting hardware information using JavaScript) but nobody had a solution for CPU model and capabilities specifically.
- No live demonstration available: There is no hosted web service that demonstrates this feature. At least a few of the many Browser Tests would implement this. Specifually likely the popular Fingerprint.com improve their service with CPUID if this was possible.
- Specifically asking: This question has been specifually directed at only project that does something similar to this, which is CPUID in JavaScript. The project does not claim it works in browsers. Question for this specifically has been asked anyhow, see Can cpuid x86 in JavaScript run inside a browser?
- AmIUnique feature request: detect CPUID using JavaScript - reply received in summary: Not possible.
- Alternative browser API: Since this is not possible, an alternative browser API feature navigator.hardwareConcurrency was implemented by browsers vendors.
- Alternative to CPUID: The closest alternative to CPU fingerprinting using CPUID that has been found is WebCPU.
Future: The Kicksecure project will not be able to fix the CPUID issue. At author if this wiki page is not aware of any virtualizer or kernel project which is interested in "hardware privacy". Very few related bug reports / feature requests exist. Users, researchers and developers interested in getting this issue fixed are encouraged to use the principles of Generic Bug Reporting and Free Support Principle, in short, reproduce, describe the issue without reference to Kicksecure and contact upstream projects (such as virtualizers, kernel) directly.
Related: VM Fingerprinting
References:
- Upstream bug reports / feature requests:
  - Qubes unfixed, rejected bug report: Stop telling VMs the exact physical CPU model in the computer
- Forum discussions:
- For developers:
  - The research paper Virtualization Detection: New Strategies and Their Effectiveness mentions CPUID several times and shares some ideas how leaking sensitive information using CPUID could be avoided.
  - https://security.stackexchange.com/questions/220357/fake-output-of-cpuid-instruction
  - https://github.com/torvalds/linux/blob/master/arch/x86/kvm/cpuid.c

↑ Cite error: Invalid <ref> tag; no text was provided for refs named universal-virtualizer-issue

[universal-virtualizer-issue-1] Cite error: Invalid <ref> tag; no text was provided for refs named universal-virtualizer-issue

[1]

CPUID

Navigation menu

Search