Whonix
Whonix is a Debian GNU/Linux based security-focused Linux distribution. It aims to provide privacy, security and anonymity on the internet. The operating system consists of two virtual machines, a "Workstation" and a Tor "Gateway", running Debian GNU/Linux. All communication are forced through the Tor network to accomplish this.
Design
Whonix is distributed as two virtual machine images: a "Gateway" and a "Workstation". These images are installed on a user-provided host operating system. Each VM image contains a customized GNU/Linux instance based on Debian. Updates are distributed via Tor using Debian's apt-get package manager.
The supported virtualization engine is VirtualBox. Linux KVM may be used, but this configuration is not yet considered stable or supported by Whonix's developer.
On startup, each VM runs a check to ensure that the software is up to date, and that the date and time are set correctly.
The Gateway VM is responsible for running Tor, and has two virtual network interfaces. One of these is connected to the outside Internet via NAT on the VM host, and is used to communicate with Tor relays. The other is connected to a virtual LAN that runs entirely inside the host.
The Workstation VM runs user applications. It is connected only to the internal virtual LAN, and can directly communicate only with the Gateway, which forces all traffic coming from the Workstation to pass through the Tor network. The Workstation VM can "see" only IP addresses on the Internal LAN, which are the same in every Whonix installation.
User applications therefore have no knowledge of the user's "real" IP address, nor do they have access to any information about the physical hardware. In order to obtain such information, an application would have to find a way "break out" of VirtualBox, or to subvert the Gateway (probably through a bug in Tor or the Gateway's Linux kernel).
The Web browser pre-installed in the Workstation VM is the modified version of Mozilla Firefox provided by the Tor Project as part of its Tor Browser package. This browser has been changed to reduce the amount of system-specific information leaked to Web servers.
Unlike Tails, Whonix is not "amnesic"; both the Gateway and the Workstation retain their past state across reboots. Not being amnesic improves security on the Gateway, by allowing Tor's "entry guard" system to choose long-lived entry points for the Tor network, reducing adversaries' ability to trap users by running malicious relays.
On the other hand, a non-amnesic Workstation could possibly allow attackers, especially operators of Web services, to inject state and associate a user's sessions with one another, despite the Tor Browser's safeguards; for some users, this could be a serious security exposure. It is possible for users to force the Workstation to be partly or wholly amnesic by manually resetting it to old states after use, although the developer does not suggest this. It is also possible to run more than one Workstation VM with a single Gateway.
An "advanced" configuration uses two physically separate computers, with the Gateway running on the actual hardware of one of the computers, and the Workstation running in a VM hosted on the second. This protects against attacks on VirtualBox itself.