1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
|
<?xml version="1.0" encoding="UTF-8"?>
<!--
Copyright (C) 2006-2022 Oracle and/or its affiliates.
This file is part of VirtualBox base platform packages, as
available from https://www.virtualbox.org.
This program is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License
as published by the Free Software Foundation, in version 3 of the
License.
This program is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, see <https://www.gnu.org/licenses>.
SPDX-License-Identifier: GPL-3.0-only
-->
<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd"[
<!ENTITY % all.entities SYSTEM "all-entities.ent">
%all.entities;
]>
<chapter id="Security">
<title>Security Guide</title>
<sect1 id="security-general">
<title>General Security Principles</title>
<para>
The following principles are fundamental to using any application
securely.
</para>
<itemizedlist>
<listitem>
<para>
<emphasis role="bold">Keep software up to date</emphasis>. One
of the principles of good security practise is to keep all
software versions and patches up to date. Activate the
&product-name; update notification to get notified when a new
&product-name; release is available. When updating
&product-name;, do not forget to update the Guest Additions.
Keep the host operating system as well as the guest operating
system up to date.
</para>
</listitem>
<listitem>
<para>
<emphasis role="bold">Restrict network access to critical
services.</emphasis> Use proper means, for instance a
firewall, to protect your computer and your guests from
accesses from the outside. Choosing the proper networking mode
for VMs helps to separate host networking from the guest and
vice versa.
</para>
</listitem>
<listitem>
<para>
<emphasis role="bold">Follow the principle of least
privilege.</emphasis> The principle of least privilege states
that users should be given the least amount of privilege
necessary to perform their jobs. Always execute &product-name;
as a regular user. We strongly discourage anyone from
executing &product-name; with system privileges.
</para>
<para>
Choose restrictive permissions when creating configuration
files, for instance when creating /etc/default/virtualbox, see
<xref linkend="linux_install_opts"/>. Mode 0600 is preferred.
</para>
</listitem>
<listitem>
<para>
<emphasis role="bold">Monitor system activity.</emphasis>
System security builds on three pillars: good security
protocols, proper system configuration and system monitoring.
Auditing and reviewing audit records address the third
requirement. Each component within a system has some degree of
monitoring capability. Follow audit advice in this document
and regularly monitor audit records.
</para>
</listitem>
<listitem>
<para>
<emphasis role="bold">Keep up to date on latest security
information.</emphasis> Oracle continually improves its
software and documentation. Check this note yearly for
revisions.
</para>
</listitem>
</itemizedlist>
</sect1>
<sect1 id="security-secure-install">
<title>Secure Installation and Configuration</title>
<sect2 id="security-secure-install-overview">
<title>Installation Overview</title>
<para>
The &product-name; base package should be downloaded only from a
trusted source, for instance the official website
<ulink url="http://www.virtualbox.org" />. The integrity of the
package should be verified with the provided SHA256 checksum
which can be found on the official website.
</para>
<para>
General &product-name; installation instructions for the
supported hosts can be found in <xref linkend="installation"/>.
</para>
<para>
On Windows hosts, the installer can be used to disable USB
support, support for bridged networking, support for host-only
networking and the Python language binding. See
<xref linkend="installation_windows"/>. All these features are
enabled by default but disabling some of them could be
appropriate if the corresponding functionality is not required
by any virtual machine. The Python language bindings are only
required if the &product-name; API is to be used by external
Python applications. In particular USB support and support for
the two networking modes require the installation of Windows
kernel drivers on the host. Therefore disabling those selected
features can not only be used to restrict the user to certain
functionality but also to minimize the surface provided to a
potential attacker.
</para>
<para>
The general case is to install the complete &product-name;
package. The installation must be done with system privileges.
All &product-name; binaries should be executed as a regular user
and never as a privileged user.
</para>
<para>
The &product-name; Extension Pack provides additional features
and must be downloaded and installed separately, see
<xref linkend="intro-installing"/>. As for the base package, the
SHA256 checksum of the extension pack should be verified. As the
installation requires system privileges, &product-name; will ask
for the system password during the installation of the extension
pack.
</para>
</sect2>
<sect2 id="security-secure-install-postinstall">
<title>Post Installation Configuration</title>
<para>
Normally there is no post installation configuration of
&product-name; components required. However, on Oracle Solaris
and Linux hosts it is necessary to configure the proper
permissions for users executing VMs and who should be able to
access certain host resources. For instance, Linux users must be
member of the <emphasis>vboxusers</emphasis> group to be able to
pass USB devices to a guest. If a serial host interface should
be accessed from a VM, the proper permissions must be granted to
the user to be able to access that device. The same applies to
other resources like raw partitions, DVD/CD drives, and sound
devices.
</para>
</sect2>
</sect1>
<sect1 id="security-features">
<title>Security Features</title>
<para>
This section outlines the specific security mechanisms offered by
&product-name;.
</para>
<sect2 id="security-model">
<title>The Security Model</title>
<para>
One property of virtual machine monitors (VMMs) like
&product-name; is to encapsulate a guest by executing it in a
protected environment, a virtual machine, running as a user
process on the host operating system. The guest cannot
communicate directly with the hardware or other computers but
only through the VMM. The VMM provides emulated physical
resources and devices to the guest which are accessed by the
guest operating system to perform the required tasks. The VM
settings control the resources provided to the guest, for
example the amount of guest memory or the number of guest
processors and the enabled features for that guest. For example
remote control, certain screen settings and others. See
<xref linkend="generalsettings"/>.
</para>
</sect2>
<sect2 id="secure-config-vms">
<title>Secure Configuration of Virtual Machines</title>
<para>
Several aspects of a virtual machine configuration are subject
to security considerations.
</para>
<sect3 id="security-networking">
<title>Networking</title>
<para>
The default networking mode for VMs is NAT which means that
the VM acts like a computer behind a router, see
<xref linkend="network_nat"/>. The guest is part of a private
subnet belonging to this VM and the guest IP is not visible
from the outside. This networking mode works without any
additional setup and is sufficient for many purposes. Keep in
mind that NAT allows access to the host operating system's
loopback interface.
</para>
<para>
If bridged networking is used, the VM acts like a computer
inside the same network as the host, see
<xref linkend="network_bridged"/>. In this case, the guest has
the same network access as the host and a firewall might be
necessary to protect other computers on the subnet from a
potential malicious guest as well as to protect the guest from
a direct access from other computers. In some cases it is
worth considering using a forwarding rule for a specific port
in NAT mode instead of using bridged networking.
</para>
<para>
Some setups do not require a VM to be connected to the public
network at all. Internal networking, see
<xref linkend="network_internal"/>, or host-only networking,
see <xref linkend="network_hostonly"/>, are often sufficient
to connect VMs among each other or to connect VMs only with
the host but not with the public network.
</para>
</sect3>
<sect3 id="security-vrdp-auth">
<title>VRDP Remote Desktop Authentication</title>
<para>
When using the &product-name; Extension Pack provided by
Oracle for VRDP remote desktop support, you can optionally use
various methods to configure RDP authentication. The "null"
method is very insecure and should be avoided in a public
network. See <xref linkend="vbox-auth" />.
</para>
</sect3>
<sect3 id="security_clipboard">
<title>Clipboard</title>
<para>
The shared clipboard enables users to share data between the
host and the guest. Enabling the clipboard in Bidirectional
mode enables the guest to read and write the host clipboard.
The Host to Guest mode and the Guest to Host mode limit the
access to one direction. If the guest is able to access the
host clipboard it can also potentially access sensitive data
from the host which is shared over the clipboard.
</para>
<para>
If the guest is able to read from and/or write to the host
clipboard then a remote user connecting to the guest over the
network will also gain this ability, which may not be
desirable. As a consequence, the shared clipboard is disabled
for new machines.
</para>
</sect3>
<sect3 id="security-shared-folders">
<title>Shared Folders</title>
<para>
If any host folder is shared with the guest then a remote user
connected to the guest over the network can access these files
too as the folder sharing mechanism cannot be selectively
disabled for remote users.
</para>
</sect3>
<sect3 id="security-3d-graphics">
<title>3D Graphics Acceleration</title>
<para>
Enabling 3D graphics using the Guest Additions exposes the
host to additional security risks. See
<xref
linkend="guestadd-3d" />.
</para>
</sect3>
<sect3 id="security-cd-dvd-passthrough">
<title>CD/DVD Passthrough</title>
<para>
Enabling CD/DVD passthrough enables the guest to perform
advanced operations on the CD/DVD drive, see
<xref linkend="storage-cds"/>. This could induce a security
risk as a guest could overwrite data on a CD/DVD medium.
</para>
</sect3>
<sect3 id="security-usb-passthrough">
<title>USB Passthrough</title>
<para>
Passing USB devices to the guest provides the guest full
access to these devices, see <xref linkend="settings-usb"/>.
For instance, in addition to reading and writing the content
of the partitions of an external USB disk the guest will be
also able to read and write the partition table and hardware
data of that disk.
</para>
</sect3>
</sect2>
<sect2 id="auth-config-using">
<title>Configuring and Using Authentication</title>
<para>
The following components of &product-name; can use passwords for
authentication:
</para>
<itemizedlist>
<listitem>
<para>
When using remote iSCSI storage and the storage server
requires authentication, an initiator secret can optionally
be supplied with the <command>VBoxManage
storageattach</command> command. As long as no settings
password is provided, by using the command line option
<option>--settingspwfile</option>, then this secret is
stored <emphasis>unencrypted</emphasis> in the machine
configuration and is therefore potentially readable on the
host. See <xref linkend="storage-iscsi" /> and
<xref linkend="vboxmanage-storageattach" />.
</para>
</listitem>
<listitem>
<para>
When using the &product-name; web service to control an
&product-name; host remotely, connections to the web service
are authenticated in various ways. This is described in
detail in the &product-name; Software Development Kit (SDK)
reference. See <xref linkend="VirtualBoxAPI" />.
</para>
</listitem>
</itemizedlist>
</sect2>
<!--
<sect2 id="access-control-config-using">
<title>Configuring and Using Access Control</title>
</sect2>
<sect2 id="security-audit-config-using">
<title>Configuring and Using Security Audit</title>
</sect2>
<sect2 id="security-other-features-config-using">
<title>Configuring and Using Other Security Features</title>
</sect2>
-->
<sect2 id="pot-insecure">
<title>Potentially Insecure Operations</title>
<para>
The following features of &product-name; can present security
problems:
</para>
<itemizedlist>
<listitem>
<para>
Enabling 3D graphics using the Guest Additions exposes the
host to additional security risks. See
<xref
linkend="guestadd-3d" />.
</para>
</listitem>
<listitem>
<para>
When teleporting a machine, the data stream through which
the machine's memory contents are transferred from one host
to another is not encrypted. A third party with access to
the network through which the data is transferred could
therefore intercept that data. An SSH tunnel could be used
to secure the connection between the two hosts. But when
considering teleporting a VM over an untrusted network the
first question to answer is how both VMs can securely access
the same virtual disk image with a reasonable performance.
</para><para>
If the network is not sufficiently trusted, the password
should be changed for each teleportation as the a 3rd party
could snoop up the unecrypted password hash when it is
transferred between the target and source host machines.
</para>
</listitem>
<listitem>
<para>
When Page Fusion, see <xref linkend="guestadd-pagefusion"/>,
is enabled, it is possible that a side-channel opens up that
enables a malicious guest to determine the address space of
another VM running on the same host layout. For example,
where DLLs are typically loaded. This information leak in
itself is harmless, however the malicious guest may use it
to optimize attack against that VM through unrelated attack
vectors. It is recommended to only enable Page Fusion if you
do not think this is a concern in your setup.
</para>
</listitem>
<listitem>
<para>
When using the &product-name; web service to control an
&product-name; host remotely, connections to the web
service, over which the API calls are transferred using SOAP
XML, are not encrypted. They use plain HTTP by default. This
is a potential security risk. For details about the web
service, see <xref linkend="VirtualBoxAPI" />.
</para>
<para>
The web services are not started by default. See
<xref linkend="vboxwebsrv-daemon"/> to find out how to start
this service and how to enable SSL/TLS support. It has to be
started as a regular user and only the VMs of that user can
be controlled. By default, the service binds to localhost
preventing any remote connection.
</para>
</listitem>
<listitem>
<para>
Traffic sent over a UDP Tunnel network attachment is not
encrypted. You can either encrypt it on the host network
level, with IPsec, or use encrypted protocols in the guest
network, such as SSH. The security properties are similar to
bridged Ethernet.
</para>
</listitem>
<listitem>
<para>
Because of shortcomings in older Windows versions, using
&product-name; on Windows versions older than Vista with
Service Pack 1 is not recommended.
</para>
</listitem>
</itemizedlist>
</sect2>
<sect2 id="security-encryption">
<title>Encryption</title>
<para>
The following components of &product-name; use encryption to
protect sensitive data:
</para>
<itemizedlist>
<listitem>
<para>
When using the &product-name; Extension Pack provided by
Oracle for VRDP remote desktop support, RDP data can
optionally be encrypted. See <xref linkend="vrde-crypt" />.
Only the Enhanced RDP Security method (RDP5.2) with TLS
protocol provides a secure connection. Standard RDP Security
(RDP4 and RDP5.1) is vulnerable to a man-in-the-middle
attack.
</para>
</listitem>
<listitem>
<para>
When using the &product-name; Extension Pack provided by
Oracle for disk encryption, the data stored in disk images
can optionally be encrypted. See
<xref linkend="diskencryption" />. This feature covers disk
image content only. All other data for a virtual machine is
stored unencrypted, including the VM's memory and device
state which is stored as part of a saved state, both when
created explicitly or part of a snapshot of a running VM.
</para>
</listitem>
</itemizedlist>
</sect2>
</sect1>
<!--
<sect1 id="security-devel">
<title>Security Considerations for Developers</title>
</sect1>
-->
<sect1 id="security-recommendations">
<title>Security Recommendations</title>
<para>
This section contains security recommendations for specific
issues. By default VirtualBox will configure the VMs to run in a
secure manner, however this may not always be possible without
additional user actions such as host OS or firmware configuration
changes.
</para>
<sect2 id="sec-rec-cve-2018-3646">
<title>CVE-2018-3646</title>
<para>
This security issue affect a range of Intel CPUs with nested
paging. AMD CPUs are expected not to be impacted (pending direct
confirmation by AMD). Also the issue does not affect VMs running
with hardware virtualization disabled or with nested paging
disabled.
</para>
<para>
For more information about nested paging, see
<xref linkend="nestedpaging" />.
</para>
<para>
The following mitigation options are available.
</para>
<sect3>
<title>Disable Nested Paging</title>
<para>
By disabling nested paging (EPT), the VMM will construct page
tables shadowing the ones in the guest. It is no possible for
the guest to insert anything fishy into the page tables, since
the VMM carefully validates each entry before shadowing it.
</para>
<para>
As a side effect of disabling nested paging, several CPU
features will not be made available to the guest. Among these
features are AVX, AVX2, XSAVE, AESNI, and POPCNT. Not all
guests may be able to cope with dropping these features after
installation. Also, for some guests, especially in SMP
configurations, there could be stability issues arising from
disabling nested paging. Finally, some workloads may
experience a performance degradation.
</para>
</sect3>
<sect3>
<title>Flushing the Level 1 Data Cache</title>
<para>
This aims at removing potentially sensitive data from the
level 1 data cache when running guest code. However, it is
made difficult by hyper-threading setups sharing the level 1
cache and thereby potentially letting the other thread in a
pair refill the cache with data the user does not want the
guest to see. In addition, flushing the level 1 data cache is
usually not without performance side effects.
</para>
<para>
Up to date CPU microcode is a prerequisite for the cache
flushing mitigations. Some host OSes may install these
automatically, though it has traditionally been a task best
performed by the system firmware. So, please check with your
system / mainboard manufacturer for the latest firmware
update.
</para>
<para>
We recommend disabling hyper threading on the host. This is
traditionally done from the firmware setup, but some OSes also
offers ways disable HT. In some cases it may be disabled by
default, but please verify as the effectiveness of the
mitigation depends on it.
</para>
<para>
The default action taken by VirtualBox is to flush the level 1
data cache when a thread is scheduled to execute guest code,
rather than on each VM entry. This reduces the performance
impact, while making the assumption that the host OS will not
handle security sensitive data from interrupt handlers and
similar without taking precautions.
</para>
<para>
A more aggressive flushing option is provided via the
<command>VBoxManage modifyvm</command>
<option>--l1d-flush-on-vm-entry</option> option. When enabled
the level 1 data cache will be flushed on every VM entry. The
performance impact is greater than with the default option,
though this of course depends on the workload. Workloads
producing a lot of VM exits (like networking, VGA access, and
similiar) will probably be most impacted.
</para>
<para>
For users not concerned by this security issue, the default
mitigation can be disabled using the <command>VBoxManage
modifyvm name --l1d-flush-on-sched off</command> command.
</para>
</sect3>
</sect2>
<sect2 id="sec-rec-cve-2018-12126-et-al">
<title>CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091</title>
<para>
These security issues affect a range of Intel CPUs starting with
Nehalem. The CVE-2018-12130 also affects some Atom Silvermont,
Atom Airmont, and Knights family CPUs, however the scope is so
limited that the host OS should deal with it and &product-name;
is therefore not affected. Leaks only happens when entering and
leaving C states.
</para>
<para>
The following mitigation option is available.
</para>
<sect3>
<title>Buffer Overwriting and Disabling Hyper-Threading</title>
<para>
First, up to date CPU microcode is a prerequisite for the
buffer overwriting (clearing) mitigations. Some host OSes may
install these automatically, though it has traditionally been
a task best performed by the system firmware. Please check
with your system or mainboard manufacturer for the latest
firmware update.
</para>
<para>
This mitigation aims at removing potentially sensitive data
from the affected buffers before running guest code. Since
this means additional work each time the guest is scheduled,
there might be some performance side effects.
</para>
<para>
We recommend disabling hyper-threading (HT) on hosts affected
by CVE-2018-12126 and CVE-2018-12127, because the affected
sets of buffers are normally shared between thread pairs and
therefore cause leaks between the threads. This is
traditionally done from the firmware setup, but some OSes also
offers ways disable HT. In some cases it may be disabled by
default, but please verify as the effectiveness of the
mitigation depends on it.
</para>
<para>
The default action taken by &product-name; is to clear the
affected buffers when a thread is scheduled to execute guest
code, rather than on each VM entry. This reduces the
performance impact, while making the assumption that the host
OS will not handle security sensitive data from interrupt
handlers and similar without taking precautions.
</para>
<para>
The <command>VBoxManage modifyvm</command> command provides a
more aggressive flushing option is provided by means of the
<option>--mds-clear-on-vm-entry</option> option. When enabled
the affected buffers will be cleared on every VM entry. The
performance impact is greater than with the default option,
though this of course depends on the workload. Workloads
producing a lot of VM exits (like networking, VGA access, and
similiar) will probably be most impacted.
</para>
<para>
For users not concerned by this security issue, the default
mitigation can be disabled using the <command>VBoxManage
modifyvm name --mds-clear-on-sched off</command> command.
</para>
</sect3>
</sect2>
</sect1>
</chapter>
|
