1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
|
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<chapter id="Security">
<title>Security guide</title>
<sect1>
<title>Overview</title>
<para>
</para>
<sect2>
<title>General Security Principles</title>
<para>The following principles are fundamental to using any application
securely.
<glosslist>
<glossentry>
<glossterm>Keep Software Up To Date</glossterm>
<glossdef>
<para>
One of the principles of good security practise is to keep all
software versions and patches up to date. Activate the VirtualBox
update notification to get notified when a new VirtualBox release
is available. When updating VirtualBox, do not forget to update
the Guest Additions. Keep the host operating system as well as the
guest operating system up to date.
</para>
</glossdef>
</glossentry>
<glossentry>
<glossterm>Restrict Network Access to Critical Services</glossterm>
<glossdef>
<para>
Use proper means, for instance a firewall, to protect your computer
and your guest(s) from accesses from the outside. Choosing the proper
networking mode for VMs helps to separate host networking from the
guest and vice versa.
</para>
</glossdef>
</glossentry>
<glossentry>
<glossterm>Follow the Principle of Least Privilege</glossterm>
<glossdef>
<para>
The principle of least privilege states that users should be given the
least amount of privilege necessary to perform their jobs. Always execute VirtualBox
as a regular user. We strongly discourage anyone from executing
VirtualBox with system privileges.
</para>
<para>
Choose restrictive permissions when creating configuration files,
for instance when creating /etc/default/virtualbox, see
<xref linkend="linux_install_opts"/>. Mode 0600 would be preferred.
</para>
</glossdef>
</glossentry>
<glossentry>
<glossterm>Monitor System Activity</glossterm>
<glossdef>
<para>
System security builds on three pillars: good security protocols, proper
system configuration and system monitoring. Auditing and reviewing audit
records address the third requirement. Each component within a system
has some degree of monitoring capability. Follow audit advice in this
document and regularly monitor audit records.
</para>
</glossdef>
</glossentry>
<glossentry>
<glossterm>Keep Up To Date on Latest Security Information</glossterm>
<glossdef>
<para>
Oracle continually improves its software and documentation. Check this
note note yearly for revisions.
</para>
</glossdef>
</glossentry>
</glosslist>
</para>
</sect2>
</sect1>
<sect1>
<title>Secure Installation and Configuration</title>
</sect1>
<sect2>
<title>Installation Overview</title>
<para>
The VirtualBox base package should be downloaded only from a trusted source,
for instance the official website
<ulink url="http://www.virtualbox.org">http://www.virtualbox.org</ulink>.
The integrity of the package should be verified with the provided SHA256
checksum which can be found on the official website.
</para>
<para>
General VirtualBox installation instructions for the supported hosts
can be found in <xref linkend="installation"/>.
</para>
<para>
On Windows hosts, the installer allows for disabling USB support, support
for bridged networking, support for host-only networking and the Python
language bindings, see <xref linkend="installation_windows"/>.
All these features are enabled by default but disabling some
of them could be appropriate if the corresponding functionality is not
required by any virtual machine. The Python language bindings are only
required if the VirtualBox API is to be used by external Python
applications. In particular USB support and support
for the two networking modes require the installation of Windows kernel
drivers on the host. Therefore disabling those selected features can
not only be used to restrict the user to certain functionality but
also to minimize the surface provided to a potential attacker. </para>
<para>
The general case is to install the complete VirtualBox package. The
installation must be done with system privileges. All VirtualBox binaries
should be executed as a regular user and never as a privileged user.
</para>
<para>
The Oracle VM VirtualBox extension pack provides additional features
and must be downloaded and installed separately, see
<xref linkend="intro-installing"/>. As for the base package, the SHA256
checksum of the extension pack should be verified. As the installation
requires system privileges, VirtualBox will ask for the system
password during the installation of the extension pack.
</para>
</sect2>
<sect2>
<title>Post Installation Configuration</title>
<para>
Normally there is no post installation configuration of VirtualBox components
required. However, on Solaris and Linux hosts it is necessary to configure
the proper permissions for users executing VMs and who should be able to
access certain host resources. For instance, Linux users must be member of
the <emphasis>vboxusers</emphasis> group to be able to pass USB devices to a
guest. If a serial host interface should be accessed from a VM, the proper
permissions must be granted to the user to be able to access that device.
The same applies to other resources like raw partitions, DVD/CD drives
and sound devices.
</para>
</sect2>
<sect1>
<title>Security Features</title>
<para>This section outlines the specific security mechanisms offered
by VirtualBox.</para>
<sect2>
<title>The Security Model</title>
<para>
One property of virtual machine monitors (VMMs) like VirtualBox is to encapsulate
a guest by executing it in a protected environment, a virtual machine,
running as a user process on the host operating system. The guest cannot
communicate directly with the hardware or other computers but only through
the VMM. The VMM provides emulated physical resources and devices to the
guest which are accessed by the guest operating system to perform the required
tasks. The VM settings control the resources provided to the guest, for example
the amount of guest memory or the number of guest processors, (see
<xref linkend="generalsettings"/>) and the enabled features for that guest
(for example remote control, certain screen settings and others).
</para>
</sect2>
<sect2>
<title>Secure Configuration of Virtual Machines</title>
<para>
Several aspects of a virtual machine configuration are subject to security
considerations.</para>
<sect3>
<title>Networking</title>
<para>
The default networking mode for VMs is NAT which means that
the VM acts like a computer behind a router, see
<xref linkend="network_nat"/>. The guest is part of a private
subnet belonging to this VM and the guest IP is not visible
from the outside. This networking mode works without
any additional setup and is sufficient for many purposes.
</para>
<para>
If bridged networking is used, the VM acts like a computer inside
the same network as the host, see <xref linkend="network_bridged"/>.
In this case, the guest has the same network access as the host and
a firewall might be necessary to protect other computers on the
subnet from a potential malicious guest as well as to protect the
guest from a direct access from other computers. In some cases it is
worth considering using a forwarding rule for a specific port in NAT
mode instead of using bridged networking.
</para>
<para>
Some setups do not require a VM to be connected to the public network
at all. Internal networking (see <xref linkend="network_internal"/>)
or host-only networking (see <xref linkend="network_hostonly"/>)
are often sufficient to connect VMs among each other or to connect
VMs only with the host but not with the public network.
</para>
</sect3>
<sect3>
<title>VRDP remote desktop authentication</title>
<para>When using the VirtualBox extension pack provided by Oracle
for VRDP remote desktop support, you can optionally use various
methods to configure RDP authentication. The "null" method is
very insecure and should be avoided in a public network.
See <xref linkend="vbox-auth" /> for details.</para>
</sect3>
<sect3 id="security_clipboard">
<title>Clipboard</title>
<para>
The shared clipboard allows users to share data between the host and
the guest. Enabling the clipboard in "Bidirectional" mode allows
the guest to read and write the host clipboard. The "Host to guest"
mode and the "Guest to host" mode limit the access to one
direction. If the guest is able to access the host clipboard it
can also potentially access sensitive data from the host which is
shared over the clipboard.
</para>
<para>
If the guest is able to read from and/or write to the host clipboard
then a remote user connecting to the guest over the network will also
gain this ability, which may not be desirable. As a consequence, the
shared clipboard is disabled for new machines.
</para>
</sect3>
<sect3>
<title>Shared folders</title>
<para>If any host folder is shared with the guest then a remote
user connected to the guest over the network can access
these files too as the folder sharing mechanism cannot be
selectively disabled for remote users.
</para>
</sect3>
<sect3>
<title>3D graphics acceleration</title>
<para>Enabling 3D graphics via the Guest Additions exposes the host
to additional security risks; see <xref
linkend="guestadd-3d" />.</para>
</sect3>
<sect3>
<title>CD/DVD passthrough</title>
<para>Enabling CD/DVD passthrough allows the guest to perform advanced
operations on the CD/DVD drive, see <xref linkend="storage-cds"/>.
This could induce a security risk as a guest could overwrite data
on a CD/DVD medium.
</para>
</sect3>
<sect3>
<title>USB passthrough</title>
<para>
Passing USB devices to the guest provides the guest full access
to these devices, see <xref linkend="settings-usb"/>. For instance,
in addition to reading and writing the content of the partitions
of an external USB disk the guest will be also able to read and
write the partition table and hardware data of that disk.
</para>
</sect3>
</sect2>
<sect2>
<title>Configuring and Using Authentication</title>
<para>The following components of VirtualBox can use passwords for
authentication:<itemizedlist>
<listitem>
<para>When using remote iSCSI storage and the storage server
requires authentication, an initiator secret can optionally be supplied
with the <computeroutput>VBoxManage storageattach</computeroutput>
command. As long as no settings password is provided (command line
option <screen>--settingspwfile</screen>, this secret is
stored <emphasis role="bold">unencrypted</emphasis> in the machine
configuration and is therefore potentially readable on the host.
See <xref
linkend="storage-iscsi" /> and <xref
linkend="vboxmanage-storageattach" />.</para>
</listitem>
<listitem>
<para>When using the VirtualBox web service to control a VirtualBox
host remotely, connections to the web service are authenticated in
various ways. This is described in detail in the VirtualBox Software
Development Kit (SDK) reference; please see <xref
linkend="VirtualBoxAPI" />.</para>
</listitem>
</itemizedlist></para>
</sect2>
<!--
<sect2>
<title>Configuring and Using Access Control</title>
</sect2>
<sect2>
<title>Configuring and Using Security Audit</title>
</sect2>
<sect2>
<title>Congiguring and Using Other Security Features</title>
</sect2>
-->
<sect2>
<title>Potentially insecure operations</title>
<para>The following features of VirtualBox can present security
problems:<itemizedlist>
<listitem>
<para>Enabling 3D graphics via the Guest Additions exposes the host
to additional security risks; see <xref
linkend="guestadd-3d" />.</para>
</listitem>
<listitem>
<para>When teleporting a machine, the data stream through which the
machine's memory contents are transferred from one host to another
is not encrypted. A third party with access to the network through
which the data is transferred could therefore intercept that
data. An SSH tunnel could be used to secure the connection between
the two hosts. But when considering teleporting a VM over an untrusted
network the first question to answer is how both VMs can securely
access the same virtual disk image(s) with a reasonable performance. </para>
</listitem>
<listitem>
<para>When using the VirtualBox web service to control a VirtualBox
host remotely, connections to the web service (through which the API
calls are transferred via SOAP XML) are not encrypted, but use plain
HTTP by default. This is a potential security risk! For details about
the web service, please see <xref linkend="VirtualBoxAPI" />.</para>
<para>The web services are not started by default. Please refer to
<xref linkend="vboxwebsrv-daemon"/> to find out how to start this
service and how to enable SSL/TLS support. It has to be started as
a regular user and only the VMs of that user can be controled. By
default, the service binds to localhost preventing any remote connection.</para>
</listitem>
<listitem>
<para>Traffic sent over a UDP Tunnel network attachment is not
encrypted. You can either encrypt it on the host network level (with
IPsec), or use encrypted protocols in the guest network (such as
SSH). The security properties are similar to bridged Ethernet.</para>
</listitem>
</itemizedlist></para>
</sect2>
<sect2>
<title>Encryption</title>
<para>The following components of VirtualBox use encryption to protect
sensitive data:<itemizedlist>
<listitem>
<para>When using the VirtualBox extension pack provided by Oracle
for VRDP remote desktop support, RDP data can optionally be
encrypted. See <xref linkend="vrde-crypt" /> for details. Only
the Enhanced RDP Security method (RDP5.2) with TLS protocol
provides a secure connection. Standard RDP Security (RDP4 and
RDP5.1) is vulnerable to a man-in-the-middle attack.</para>
</listitem>
</itemizedlist></para>
</sect2>
</sect1>
<!--
<sect1>
<title>Security Considerations for Developers</title>
</sect1>
-->
</chapter>
|
