diff options
Diffstat (limited to '')
| -rw-r--r-- | doc/manual/en_US/user_Security.xml | 729 |
1 files changed, 729 insertions, 0 deletions
diff --git a/doc/manual/en_US/user_Security.xml b/doc/manual/en_US/user_Security.xml new file mode 100644 index 00000000..e0387e9e --- /dev/null +++ b/doc/manual/en_US/user_Security.xml @@ -0,0 +1,729 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" +"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd"[ +<!ENTITY % all.entities SYSTEM "all-entities.ent"> +%all.entities; +]> +<chapter id="Security"> + + <title>Security Guide</title> + + <sect1 id="security-general"> + + <title>General Security Principles</title> + + <para> + The following principles are fundamental to using any application + securely. + </para> + + <itemizedlist> + + <listitem> + <para> + <emphasis role="bold">Keep software up to date</emphasis>. One + of the principles of good security practise is to keep all + software versions and patches up to date. Activate the + &product-name; update notification to get notified when a new + &product-name; release is available. When updating + &product-name;, do not forget to update the Guest Additions. + Keep the host operating system as well as the guest operating + system up to date. + </para> + </listitem> + + <listitem> + <para> + <emphasis role="bold">Restrict network access to critical + services.</emphasis> Use proper means, for instance a + firewall, to protect your computer and your guests from + accesses from the outside. Choosing the proper networking mode + for VMs helps to separate host networking from the guest and + vice versa. + </para> + </listitem> + + <listitem> + <para> + <emphasis role="bold">Follow the principle of least + privilege.</emphasis> The principle of least privilege states + that users should be given the least amount of privilege + necessary to perform their jobs. Always execute &product-name; + as a regular user. We strongly discourage anyone from + executing &product-name; with system privileges. + </para> + + <para> + Choose restrictive permissions when creating configuration + files, for instance when creating /etc/default/virtualbox, see + <xref linkend="linux_install_opts"/>. Mode 0600 is preferred. + </para> + </listitem> + + <listitem> + <para> + <emphasis role="bold">Monitor system activity.</emphasis> + System security builds on three pillars: good security + protocols, proper system configuration and system monitoring. + Auditing and reviewing audit records address the third + requirement. Each component within a system has some degree of + monitoring capability. Follow audit advice in this document + and regularly monitor audit records. + </para> + </listitem> + + <listitem> + <para> + <emphasis role="bold">Keep up to date on latest security + information.</emphasis> Oracle continually improves its + software and documentation. Check this note yearly for + revisions. + </para> + </listitem> + + </itemizedlist> + + </sect1> + + <sect1 id="security-secure-install"> + + <title>Secure Installation and Configuration</title> + + <sect2 id="security-secure-install-overview"> + + <title>Installation Overview</title> + + <para> + The &product-name; base package should be downloaded only from a + trusted source, for instance the official website + <ulink url="http://www.virtualbox.org" />. The integrity of the + package should be verified with the provided SHA256 checksum + which can be found on the official website. + </para> + + <para> + General &product-name; installation instructions for the + supported hosts can be found in <xref linkend="installation"/>. + </para> + + <para> + On Windows hosts, the installer can be used to disable USB + support, support for bridged networking, support for host-only + networking and the Python language binding. See + <xref linkend="installation_windows"/>. All these features are + enabled by default but disabling some of them could be + appropriate if the corresponding functionality is not required + by any virtual machine. The Python language bindings are only + required if the &product-name; API is to be used by external + Python applications. In particular USB support and support for + the two networking modes require the installation of Windows + kernel drivers on the host. Therefore disabling those selected + features can not only be used to restrict the user to certain + functionality but also to minimize the surface provided to a + potential attacker. + </para> + + <para> + The general case is to install the complete &product-name; + package. The installation must be done with system privileges. + All &product-name; binaries should be executed as a regular user + and never as a privileged user. + </para> + + <para> + The &product-name; Extension Pack provides additional features + and must be downloaded and installed separately, see + <xref linkend="intro-installing"/>. As for the base package, the + SHA256 checksum of the extension pack should be verified. As the + installation requires system privileges, &product-name; will ask + for the system password during the installation of the extension + pack. + </para> + + </sect2> + + <sect2 id="security-secure-install-postinstall"> + + <title>Post Installation Configuration</title> + + <para> + Normally there is no post installation configuration of + &product-name; components required. However, on Oracle Solaris + and Linux hosts it is necessary to configure the proper + permissions for users executing VMs and who should be able to + access certain host resources. For instance, Linux users must be + member of the <emphasis>vboxusers</emphasis> group to be able to + pass USB devices to a guest. If a serial host interface should + be accessed from a VM, the proper permissions must be granted to + the user to be able to access that device. The same applies to + other resources like raw partitions, DVD/CD drives, and sound + devices. + </para> + + </sect2> + + </sect1> + + <sect1 id="security-features"> + + <title>Security Features</title> + + <para> + This section outlines the specific security mechanisms offered by + &product-name;. + </para> + + <sect2 id="security-model"> + + <title>The Security Model</title> + + <para> + One property of virtual machine monitors (VMMs) like + &product-name; is to encapsulate a guest by executing it in a + protected environment, a virtual machine, running as a user + process on the host operating system. The guest cannot + communicate directly with the hardware or other computers but + only through the VMM. The VMM provides emulated physical + resources and devices to the guest which are accessed by the + guest operating system to perform the required tasks. The VM + settings control the resources provided to the guest, for + example the amount of guest memory or the number of guest + processors and the enabled features for that guest. For example + remote control, certain screen settings and others. See + <xref linkend="generalsettings"/>. + </para> + + </sect2> + + <sect2 id="secure-config-vms"> + + <title>Secure Configuration of Virtual Machines</title> + + <para> + Several aspects of a virtual machine configuration are subject + to security considerations. + </para> + + <sect3 id="security-networking"> + + <title>Networking</title> + + <para> + The default networking mode for VMs is NAT which means that + the VM acts like a computer behind a router, see + <xref linkend="network_nat"/>. The guest is part of a private + subnet belonging to this VM and the guest IP is not visible + from the outside. This networking mode works without any + additional setup and is sufficient for many purposes. Keep in + mind that NAT allows access to the host operating system's + loopback interface. + </para> + + <para> + If bridged networking is used, the VM acts like a computer + inside the same network as the host, see + <xref linkend="network_bridged"/>. In this case, the guest has + the same network access as the host and a firewall might be + necessary to protect other computers on the subnet from a + potential malicious guest as well as to protect the guest from + a direct access from other computers. In some cases it is + worth considering using a forwarding rule for a specific port + in NAT mode instead of using bridged networking. + </para> + + <para> + Some setups do not require a VM to be connected to the public + network at all. Internal networking, see + <xref linkend="network_internal"/>, or host-only networking, + see <xref linkend="network_hostonly"/>, are often sufficient + to connect VMs among each other or to connect VMs only with + the host but not with the public network. + </para> + + </sect3> + + <sect3 id="security-vrdp-auth"> + + <title>VRDP Remote Desktop Authentication</title> + + <para> + When using the &product-name; Extension Pack provided by + Oracle for VRDP remote desktop support, you can optionally use + various methods to configure RDP authentication. The "null" + method is very insecure and should be avoided in a public + network. See <xref linkend="vbox-auth" />. + </para> + + </sect3> + + <sect3 id="security_clipboard"> + + <title>Clipboard</title> + + <para> + The shared clipboard enables users to share data between the + host and the guest. Enabling the clipboard in Bidirectional + mode enables the guest to read and write the host clipboard. + The Host to Guest mode and the Guest to Host mode limit the + access to one direction. If the guest is able to access the + host clipboard it can also potentially access sensitive data + from the host which is shared over the clipboard. + </para> + + <para> + If the guest is able to read from and/or write to the host + clipboard then a remote user connecting to the guest over the + network will also gain this ability, which may not be + desirable. As a consequence, the shared clipboard is disabled + for new machines. + </para> + + </sect3> + + <sect3 id="security-shared-folders"> + + <title>Shared Folders</title> + + <para> + If any host folder is shared with the guest then a remote user + connected to the guest over the network can access these files + too as the folder sharing mechanism cannot be selectively + disabled for remote users. + </para> + + </sect3> + + <sect3 id="security-3d-graphics"> + + <title>3D Graphics Acceleration</title> + + <para> + Enabling 3D graphics using the Guest Additions exposes the + host to additional security risks. See + <xref + linkend="guestadd-3d" />. + </para> + + </sect3> + + <sect3 id="security-cd-dvd-passthrough"> + + <title>CD/DVD Passthrough</title> + + <para> + Enabling CD/DVD passthrough enables the guest to perform + advanced operations on the CD/DVD drive, see + <xref linkend="storage-cds"/>. This could induce a security + risk as a guest could overwrite data on a CD/DVD medium. + </para> + + </sect3> + + <sect3 id="security-usb-passthrough"> + + <title>USB Passthrough</title> + + <para> + Passing USB devices to the guest provides the guest full + access to these devices, see <xref linkend="settings-usb"/>. + For instance, in addition to reading and writing the content + of the partitions of an external USB disk the guest will be + also able to read and write the partition table and hardware + data of that disk. + </para> + + </sect3> + + </sect2> + + <sect2 id="auth-config-using"> + + <title>Configuring and Using Authentication</title> + + <para> + The following components of &product-name; can use passwords for + authentication: + </para> + + <itemizedlist> + + <listitem> + <para> + When using remote iSCSI storage and the storage server + requires authentication, an initiator secret can optionally + be supplied with the <command>VBoxManage + storageattach</command> command. As long as no settings + password is provided, by using the command line option + <option>--settingspwfile</option>, then this secret is + stored <emphasis>unencrypted</emphasis> in the machine + configuration and is therefore potentially readable on the + host. See <xref linkend="storage-iscsi" /> and + <xref linkend="vboxmanage-storageattach" />. + </para> + </listitem> + + <listitem> + <para> + When using the &product-name; web service to control an + &product-name; host remotely, connections to the web service + are authenticated in various ways. This is described in + detail in the &product-name; Software Development Kit (SDK) + reference. See <xref linkend="VirtualBoxAPI" />. + </para> + </listitem> + + </itemizedlist> + + </sect2> + +<!-- + <sect2 id="access-control-config-using"> + <title>Configuring and Using Access Control</title> + </sect2> + + <sect2 id="security-audit-config-using"> + <title>Configuring and Using Security Audit</title> + </sect2> + + <sect2 id="security-other-features-config-using"> + <title>Configuring and Using Other Security Features</title> + </sect2> + --> + + <sect2 id="pot-insecure"> + + <title>Potentially Insecure Operations</title> + + <para> + The following features of &product-name; can present security + problems: + </para> + + <itemizedlist> + + <listitem> + <para> + Enabling 3D graphics using the Guest Additions exposes the + host to additional security risks. See + <xref + linkend="guestadd-3d" />. + </para> + </listitem> + + <listitem> + <para> + When teleporting a machine, the data stream through which + the machine's memory contents are transferred from one host + to another is not encrypted. A third party with access to + the network through which the data is transferred could + therefore intercept that data. An SSH tunnel could be used + to secure the connection between the two hosts. But when + considering teleporting a VM over an untrusted network the + first question to answer is how both VMs can securely access + the same virtual disk image with a reasonable performance. + </para> + </listitem> + + <listitem> + <para> + When Page Fusion, see <xref linkend="guestadd-pagefusion"/>, + is enabled, it is possible that a side-channel opens up that + enables a malicious guest to determine the address space of + another VM running on the same host layout. For example, + where DLLs are typically loaded. This information leak in + itself is harmless, however the malicious guest may use it + to optimize attack against that VM through unrelated attack + vectors. It is recommended to only enable Page Fusion if you + do not think this is a concern in your setup. + </para> + </listitem> + + <listitem> + <para> + When using the &product-name; web service to control an + &product-name; host remotely, connections to the web + service, over which the API calls are transferred using SOAP + XML, are not encrypted. They use plain HTTP by default. This + is a potential security risk. For details about the web + service, see <xref linkend="VirtualBoxAPI" />. + </para> + + <para> + The web services are not started by default. See + <xref linkend="vboxwebsrv-daemon"/> to find out how to start + this service and how to enable SSL/TLS support. It has to be + started as a regular user and only the VMs of that user can + be controlled. By default, the service binds to localhost + preventing any remote connection. + </para> + </listitem> + + <listitem> + <para> + Traffic sent over a UDP Tunnel network attachment is not + encrypted. You can either encrypt it on the host network + level, with IPsec, or use encrypted protocols in the guest + network, such as SSH. The security properties are similar to + bridged Ethernet. + </para> + </listitem> + + <listitem> + <para> + Because of shortcomings in older Windows versions, using + &product-name; on Windows versions older than Vista with + Service Pack 1 is not recommended. + </para> + </listitem> + + </itemizedlist> + + </sect2> + + <sect2 id="security-encryption"> + + <title>Encryption</title> + + <para> + The following components of &product-name; use encryption to + protect sensitive data: + </para> + + <itemizedlist> + + <listitem> + <para> + When using the &product-name; Extension Pack provided by + Oracle for VRDP remote desktop support, RDP data can + optionally be encrypted. See <xref linkend="vrde-crypt" />. + Only the Enhanced RDP Security method (RDP5.2) with TLS + protocol provides a secure connection. Standard RDP Security + (RDP4 and RDP5.1) is vulnerable to a man-in-the-middle + attack. + </para> + </listitem> + + <listitem> + <para> + When using the &product-name; Extension Pack provided by + Oracle for disk encryption, the data stored in disk images + can optionally be encrypted. See + <xref linkend="diskencryption" />. This feature covers disk + image content only. All other data for a virtual machine is + stored unencrypted, including the VM's memory and device + state which is stored as part of a saved state, both when + created explicitly or part of a snapshot of a running VM. + </para> + </listitem> + + </itemizedlist> + + </sect2> + + </sect1> + +<!-- + <sect1 id="security-devel"> + <title>Security Considerations for Developers</title> + </sect1> + --> + + <sect1 id="security-recommendations"> + + <title>Security Recommendations</title> + + <para> + This section contains security recommendations for specific + issues. By default VirtualBox will configure the VMs to run in a + secure manner, however this may not always be possible without + additional user actions such as host OS or firmware configuration + changes. + </para> + + <sect2 id="sec-rec-cve-2018-3646"> + + <title>CVE-2018-3646</title> + + <para> + This security issue affect a range of Intel CPUs with nested + paging. AMD CPUs are expected not to be impacted (pending direct + confirmation by AMD). Also the issue does not affect VMs running + with hardware virtualization disabled or with nested paging + disabled. + </para> + + <para> + For more information about nested paging, see + <xref linkend="nestedpaging" />. + </para> + + <para> + The following mitigation options are available. + </para> + + <sect3> + + <title>Disable Nested Paging</title> + + <para> + By disabling nested paging (EPT), the VMM will construct page + tables shadowing the ones in the guest. It is no possible for + the guest to insert anything fishy into the page tables, since + the VMM carefully validates each entry before shadowing it. + </para> + + <para> + As a side effect of disabling nested paging, several CPU + features will not be made available to the guest. Among these + features are AVX, AVX2, XSAVE, AESNI, and POPCNT. Not all + guests may be able to cope with dropping these features after + installation. Also, for some guests, especially in SMP + configurations, there could be stability issues arising from + disabling nested paging. Finally, some workloads may + experience a performance degradation. + </para> + + </sect3> + + <sect3> + + <title>Flushing the Level 1 Data Cache</title> + + <para> + This aims at removing potentially sensitive data from the + level 1 data cache when running guest code. However, it is + made difficult by hyper-threading setups sharing the level 1 + cache and thereby potentially letting the other thread in a + pair refill the cache with data the user does not want the + guest to see. In addition, flushing the level 1 data cache is + usually not without performance side effects. + </para> + + <para> + Up to date CPU microcode is a prerequisite for the cache + flushing mitigations. Some host OSes may install these + automatically, though it has traditionally been a task best + performed by the system firmware. So, please check with your + system / mainboard manufacturer for the latest firmware + update. + </para> + + <para> + We recommend disabling hyper threading on the host. This is + traditionally done from the firmware setup, but some OSes also + offers ways disable HT. In some cases it may be disabled by + default, but please verify as the effectiveness of the + mitigation depends on it. + </para> + + <para> + The default action taken by VirtualBox is to flush the level 1 + data cache when a thread is scheduled to execute guest code, + rather than on each VM entry. This reduces the performance + impact, while making the assumption that the host OS will not + handle security sensitive data from interrupt handlers and + similar without taking precautions. + </para> + + <para> + A more aggressive flushing option is provided via the + <command>VBoxManage modifyvm</command> + <option>--l1d-flush-on-vm-entry</option> option. When enabled + the level 1 data cache will be flushed on every VM entry. The + performance impact is greater than with the default option, + though this of course depends on the workload. Workloads + producing a lot of VM exits (like networking, VGA access, and + similiar) will probably be most impacted. + </para> + + <para> + For users not concerned by this security issue, the default + mitigation can be disabled using the <command>VBoxManage + modifyvm name --l1d-flush-on-sched off</command> command. + </para> + + </sect3> + + </sect2> + + <sect2 id="sec-rec-cve-2018-12126-et-al"> + + <title>CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091</title> + + <para> + These security issues affect a range of Intel CPUs starting with + Nehalem. The CVE-2018-12130 also affects some Atom Silvermont, + Atom Airmont, and Knights family CPUs, however the scope is so + limited that the host OS should deal with it and &product-name; + is therefore not affected. Leaks only happens when entering and + leaving C states. + </para> + + <para> + The following mitigation option is available. + </para> + + <sect3> + + <title>Buffer Overwriting and Disabling Hyper-Threading</title> + + <para> + First, up to date CPU microcode is a prerequisite for the + buffer overwriting (clearing) mitigations. Some host OSes may + install these automatically, though it has traditionally been + a task best performed by the system firmware. Please check + with your system or mainboard manufacturer for the latest + firmware update. + </para> + + <para> + This mitigation aims at removing potentially sensitive data + from the affected buffers before running guest code. Since + this means additional work each time the guest is scheduled, + there might be some performance side effects. + </para> + + <para> + We recommend disabling hyper-threading (HT) on hosts affected + by CVE-2018-12126 and CVE-2018-12127, because the affected + sets of buffers are normally shared between thread pairs and + therefore cause leaks between the threads. This is + traditionally done from the firmware setup, but some OSes also + offers ways disable HT. In some cases it may be disabled by + default, but please verify as the effectiveness of the + mitigation depends on it. + </para> + + <para> + The default action taken by &product-name; is to clear the + affected buffers when a thread is scheduled to execute guest + code, rather than on each VM entry. This reduces the + performance impact, while making the assumption that the host + OS will not handle security sensitive data from interrupt + handlers and similar without taking precautions. + </para> + + <para> + The <command>VBoxManage modifyvm</command> command provides a + more aggressive flushing option is provided by means of the + <option>--mds-clear-on-vm-entry</option> option. When enabled + the affected buffers will be cleared on every VM entry. The + performance impact is greater than with the default option, + though this of course depends on the workload. Workloads + producing a lot of VM exits (like networking, VGA access, and + similiar) will probably be most impacted. + </para> + + <para> + For users not concerned by this security issue, the default + mitigation can be disabled using the <command>VBoxManage + modifyvm name --mds-clear-on-sched off</command> command. + </para> + + </sect3> + + </sect2> + + </sect1> + +</chapter> |