VirtualBox

source: vbox/trunk/doc/manual/en_US/user_Security.xml@ 97706

Last change on this file since 97706 was 96407, checked in by vboxsync, 2 years ago

scm copyright and license note update
  • Property svn:eol-style set to native
  • Property svn:keywords set to Author Date Id Revision
File size: 27.2 KB
Line 
1<?xml version="1.0" encoding="UTF-8"?>
2<!--
3 Copyright (C) 2006-2022 Oracle and/or its affiliates.
4
5 This file is part of VirtualBox base platform packages, as
6 available from https://www.virtualbox.org.
7
8 This program is free software; you can redistribute it and/or
9 modify it under the terms of the GNU General Public License
10 as published by the Free Software Foundation, in version 3 of the
11 License.
12
13 This program is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 General Public License for more details.
17
18 You should have received a copy of the GNU General Public License
19 along with this program; if not, see <https://www.gnu.org/licenses>.
20
21 SPDX-License-Identifier: GPL-3.0-only
22-->
23<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
24"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd"[
25<!ENTITY % all.entities SYSTEM "all-entities.ent">
26%all.entities;
27]>
28<chapter id="Security">
29
30 <title>Security Guide</title>
31
32 <sect1 id="security-general">
33
34 <title>General Security Principles</title>
35
36 <para>
37 The following principles are fundamental to using any application
38 securely.
39 </para>
40
41 <itemizedlist>
42
43 <listitem>
44 <para>
45 <emphasis role="bold">Keep software up to date</emphasis>. One
46 of the principles of good security practise is to keep all
47 software versions and patches up to date. Activate the
48 &product-name; update notification to get notified when a new
49 &product-name; release is available. When updating
50 &product-name;, do not forget to update the Guest Additions.
51 Keep the host operating system as well as the guest operating
52 system up to date.
53 </para>
54 </listitem>
55
56 <listitem>
57 <para>
58 <emphasis role="bold">Restrict network access to critical
59 services.</emphasis> Use proper means, for instance a
60 firewall, to protect your computer and your guests from
61 accesses from the outside. Choosing the proper networking mode
62 for VMs helps to separate host networking from the guest and
63 vice versa.
64 </para>
65 </listitem>
66
67 <listitem>
68 <para>
69 <emphasis role="bold">Follow the principle of least
70 privilege.</emphasis> The principle of least privilege states
71 that users should be given the least amount of privilege
72 necessary to perform their jobs. Always execute &product-name;
73 as a regular user. We strongly discourage anyone from
74 executing &product-name; with system privileges.
75 </para>
76
77 <para>
78 Choose restrictive permissions when creating configuration
79 files, for instance when creating /etc/default/virtualbox, see
80 <xref linkend="linux_install_opts"/>. Mode 0600 is preferred.
81 </para>
82 </listitem>
83
84 <listitem>
85 <para>
86 <emphasis role="bold">Monitor system activity.</emphasis>
87 System security builds on three pillars: good security
88 protocols, proper system configuration and system monitoring.
89 Auditing and reviewing audit records address the third
90 requirement. Each component within a system has some degree of
91 monitoring capability. Follow audit advice in this document
92 and regularly monitor audit records.
93 </para>
94 </listitem>
95
96 <listitem>
97 <para>
98 <emphasis role="bold">Keep up to date on latest security
99 information.</emphasis> Oracle continually improves its
100 software and documentation. Check this note yearly for
101 revisions.
102 </para>
103 </listitem>
104
105 </itemizedlist>
106
107 </sect1>
108
109 <sect1 id="security-secure-install">
110
111 <title>Secure Installation and Configuration</title>
112
113 <sect2 id="security-secure-install-overview">
114
115 <title>Installation Overview</title>
116
117 <para>
118 The &product-name; base package should be downloaded only from a
119 trusted source, for instance the official website
120 <ulink url="http://www.virtualbox.org" />. The integrity of the
121 package should be verified with the provided SHA256 checksum
122 which can be found on the official website.
123 </para>
124
125 <para>
126 General &product-name; installation instructions for the
127 supported hosts can be found in <xref linkend="installation"/>.
128 </para>
129
130 <para>
131 On Windows hosts, the installer can be used to disable USB
132 support, support for bridged networking, support for host-only
133 networking and the Python language binding. See
134 <xref linkend="installation_windows"/>. All these features are
135 enabled by default but disabling some of them could be
136 appropriate if the corresponding functionality is not required
137 by any virtual machine. The Python language bindings are only
138 required if the &product-name; API is to be used by external
139 Python applications. In particular USB support and support for
140 the two networking modes require the installation of Windows
141 kernel drivers on the host. Therefore disabling those selected
142 features can not only be used to restrict the user to certain
143 functionality but also to minimize the surface provided to a
144 potential attacker.
145 </para>
146
147 <para>
148 The general case is to install the complete &product-name;
149 package. The installation must be done with system privileges.
150 All &product-name; binaries should be executed as a regular user
151 and never as a privileged user.
152 </para>
153
154 <para>
155 The &product-name; Extension Pack provides additional features
156 and must be downloaded and installed separately, see
157 <xref linkend="intro-installing"/>. As for the base package, the
158 SHA256 checksum of the extension pack should be verified. As the
159 installation requires system privileges, &product-name; will ask
160 for the system password during the installation of the extension
161 pack.
162 </para>
163
164 </sect2>
165
166 <sect2 id="security-secure-install-postinstall">
167
168 <title>Post Installation Configuration</title>
169
170 <para>
171 Normally there is no post installation configuration of
172 &product-name; components required. However, on Oracle Solaris
173 and Linux hosts it is necessary to configure the proper
174 permissions for users executing VMs and who should be able to
175 access certain host resources. For instance, Linux users must be
176 member of the <emphasis>vboxusers</emphasis> group to be able to
177 pass USB devices to a guest. If a serial host interface should
178 be accessed from a VM, the proper permissions must be granted to
179 the user to be able to access that device. The same applies to
180 other resources like raw partitions, DVD/CD drives, and sound
181 devices.
182 </para>
183
184 </sect2>
185
186 </sect1>
187
188 <sect1 id="security-features">
189
190 <title>Security Features</title>
191
192 <para>
193 This section outlines the specific security mechanisms offered by
194 &product-name;.
195 </para>
196
197 <sect2 id="security-model">
198
199 <title>The Security Model</title>
200
201 <para>
202 One property of virtual machine monitors (VMMs) like
203 &product-name; is to encapsulate a guest by executing it in a
204 protected environment, a virtual machine, running as a user
205 process on the host operating system. The guest cannot
206 communicate directly with the hardware or other computers but
207 only through the VMM. The VMM provides emulated physical
208 resources and devices to the guest which are accessed by the
209 guest operating system to perform the required tasks. The VM
210 settings control the resources provided to the guest, for
211 example the amount of guest memory or the number of guest
212 processors and the enabled features for that guest. For example
213 remote control, certain screen settings and others. See
214 <xref linkend="generalsettings"/>.
215 </para>
216
217 </sect2>
218
219 <sect2 id="secure-config-vms">
220
221 <title>Secure Configuration of Virtual Machines</title>
222
223 <para>
224 Several aspects of a virtual machine configuration are subject
225 to security considerations.
226 </para>
227
228 <sect3 id="security-networking">
229
230 <title>Networking</title>
231
232 <para>
233 The default networking mode for VMs is NAT which means that
234 the VM acts like a computer behind a router, see
235 <xref linkend="network_nat"/>. The guest is part of a private
236 subnet belonging to this VM and the guest IP is not visible
237 from the outside. This networking mode works without any
238 additional setup and is sufficient for many purposes. Keep in
239 mind that NAT allows access to the host operating system's
240 loopback interface.
241 </para>
242
243 <para>
244 If bridged networking is used, the VM acts like a computer
245 inside the same network as the host, see
246 <xref linkend="network_bridged"/>. In this case, the guest has
247 the same network access as the host and a firewall might be
248 necessary to protect other computers on the subnet from a
249 potential malicious guest as well as to protect the guest from
250 a direct access from other computers. In some cases it is
251 worth considering using a forwarding rule for a specific port
252 in NAT mode instead of using bridged networking.
253 </para>
254
255 <para>
256 Some setups do not require a VM to be connected to the public
257 network at all. Internal networking, see
258 <xref linkend="network_internal"/>, or host-only networking,
259 see <xref linkend="network_hostonly"/>, are often sufficient
260 to connect VMs among each other or to connect VMs only with
261 the host but not with the public network.
262 </para>
263
264 </sect3>
265
266 <sect3 id="security-vrdp-auth">
267
268 <title>VRDP Remote Desktop Authentication</title>
269
270 <para>
271 When using the &product-name; Extension Pack provided by
272 Oracle for VRDP remote desktop support, you can optionally use
273 various methods to configure RDP authentication. The "null"
274 method is very insecure and should be avoided in a public
275 network. See <xref linkend="vbox-auth" />.
276 </para>
277
278 </sect3>
279
280 <sect3 id="security_clipboard">
281
282 <title>Clipboard</title>
283
284 <para>
285 The shared clipboard enables users to share data between the
286 host and the guest. Enabling the clipboard in Bidirectional
287 mode enables the guest to read and write the host clipboard.
288 The Host to Guest mode and the Guest to Host mode limit the
289 access to one direction. If the guest is able to access the
290 host clipboard it can also potentially access sensitive data
291 from the host which is shared over the clipboard.
292 </para>
293
294 <para>
295 If the guest is able to read from and/or write to the host
296 clipboard then a remote user connecting to the guest over the
297 network will also gain this ability, which may not be
298 desirable. As a consequence, the shared clipboard is disabled
299 for new machines.
300 </para>
301
302 </sect3>
303
304 <sect3 id="security-shared-folders">
305
306 <title>Shared Folders</title>
307
308 <para>
309 If any host folder is shared with the guest then a remote user
310 connected to the guest over the network can access these files
311 too as the folder sharing mechanism cannot be selectively
312 disabled for remote users.
313 </para>
314
315 </sect3>
316
317 <sect3 id="security-3d-graphics">
318
319 <title>3D Graphics Acceleration</title>
320
321 <para>
322 Enabling 3D graphics using the Guest Additions exposes the
323 host to additional security risks. See
324 <xref
325 linkend="guestadd-3d" />.
326 </para>
327
328 </sect3>
329
330 <sect3 id="security-cd-dvd-passthrough">
331
332 <title>CD/DVD Passthrough</title>
333
334 <para>
335 Enabling CD/DVD passthrough enables the guest to perform
336 advanced operations on the CD/DVD drive, see
337 <xref linkend="storage-cds"/>. This could induce a security
338 risk as a guest could overwrite data on a CD/DVD medium.
339 </para>
340
341 </sect3>
342
343 <sect3 id="security-usb-passthrough">
344
345 <title>USB Passthrough</title>
346
347 <para>
348 Passing USB devices to the guest provides the guest full
349 access to these devices, see <xref linkend="settings-usb"/>.
350 For instance, in addition to reading and writing the content
351 of the partitions of an external USB disk the guest will be
352 also able to read and write the partition table and hardware
353 data of that disk.
354 </para>
355
356 </sect3>
357
358 </sect2>
359
360 <sect2 id="auth-config-using">
361
362 <title>Configuring and Using Authentication</title>
363
364 <para>
365 The following components of &product-name; can use passwords for
366 authentication:
367 </para>
368
369 <itemizedlist>
370
371 <listitem>
372 <para>
373 When using remote iSCSI storage and the storage server
374 requires authentication, an initiator secret can optionally
375 be supplied with the <command>VBoxManage
376 storageattach</command> command. As long as no settings
377 password is provided, by using the command line option
378 <option>--settingspwfile</option>, then this secret is
379 stored <emphasis>unencrypted</emphasis> in the machine
380 configuration and is therefore potentially readable on the
381 host. See <xref linkend="storage-iscsi" /> and
382 <xref linkend="vboxmanage-storageattach" />.
383 </para>
384 </listitem>
385
386 <listitem>
387 <para>
388 When using the &product-name; web service to control an
389 &product-name; host remotely, connections to the web service
390 are authenticated in various ways. This is described in
391 detail in the &product-name; Software Development Kit (SDK)
392 reference. See <xref linkend="VirtualBoxAPI" />.
393 </para>
394 </listitem>
395
396 </itemizedlist>
397
398 </sect2>
399
400<!--
401 <sect2 id="access-control-config-using">
402 <title>Configuring and Using Access Control</title>
403 </sect2>
404
405 <sect2 id="security-audit-config-using">
406 <title>Configuring and Using Security Audit</title>
407 </sect2>
408
409 <sect2 id="security-other-features-config-using">
410 <title>Configuring and Using Other Security Features</title>
411 </sect2>
412 -->
413
414 <sect2 id="pot-insecure">
415
416 <title>Potentially Insecure Operations</title>
417
418 <para>
419 The following features of &product-name; can present security
420 problems:
421 </para>
422
423 <itemizedlist>
424
425 <listitem>
426 <para>
427 Enabling 3D graphics using the Guest Additions exposes the
428 host to additional security risks. See
429 <xref
430 linkend="guestadd-3d" />.
431 </para>
432 </listitem>
433
434 <listitem>
435 <para>
436 When teleporting a machine, the data stream through which
437 the machine's memory contents are transferred from one host
438 to another is not encrypted. A third party with access to
439 the network through which the data is transferred could
440 therefore intercept that data. An SSH tunnel could be used
441 to secure the connection between the two hosts. But when
442 considering teleporting a VM over an untrusted network the
443 first question to answer is how both VMs can securely access
444 the same virtual disk image with a reasonable performance.
445 </para>
446 </listitem>
447
448 <listitem>
449 <para>
450 When Page Fusion, see <xref linkend="guestadd-pagefusion"/>,
451 is enabled, it is possible that a side-channel opens up that
452 enables a malicious guest to determine the address space of
453 another VM running on the same host layout. For example,
454 where DLLs are typically loaded. This information leak in
455 itself is harmless, however the malicious guest may use it
456 to optimize attack against that VM through unrelated attack
457 vectors. It is recommended to only enable Page Fusion if you
458 do not think this is a concern in your setup.
459 </para>
460 </listitem>
461
462 <listitem>
463 <para>
464 When using the &product-name; web service to control an
465 &product-name; host remotely, connections to the web
466 service, over which the API calls are transferred using SOAP
467 XML, are not encrypted. They use plain HTTP by default. This
468 is a potential security risk. For details about the web
469 service, see <xref linkend="VirtualBoxAPI" />.
470 </para>
471
472 <para>
473 The web services are not started by default. See
474 <xref linkend="vboxwebsrv-daemon"/> to find out how to start
475 this service and how to enable SSL/TLS support. It has to be
476 started as a regular user and only the VMs of that user can
477 be controlled. By default, the service binds to localhost
478 preventing any remote connection.
479 </para>
480 </listitem>
481
482 <listitem>
483 <para>
484 Traffic sent over a UDP Tunnel network attachment is not
485 encrypted. You can either encrypt it on the host network
486 level, with IPsec, or use encrypted protocols in the guest
487 network, such as SSH. The security properties are similar to
488 bridged Ethernet.
489 </para>
490 </listitem>
491
492 <listitem>
493 <para>
494 Because of shortcomings in older Windows versions, using
495 &product-name; on Windows versions older than Vista with
496 Service Pack 1 is not recommended.
497 </para>
498 </listitem>
499
500 </itemizedlist>
501
502 </sect2>
503
504 <sect2 id="security-encryption">
505
506 <title>Encryption</title>
507
508 <para>
509 The following components of &product-name; use encryption to
510 protect sensitive data:
511 </para>
512
513 <itemizedlist>
514
515 <listitem>
516 <para>
517 When using the &product-name; Extension Pack provided by
518 Oracle for VRDP remote desktop support, RDP data can
519 optionally be encrypted. See <xref linkend="vrde-crypt" />.
520 Only the Enhanced RDP Security method (RDP5.2) with TLS
521 protocol provides a secure connection. Standard RDP Security
522 (RDP4 and RDP5.1) is vulnerable to a man-in-the-middle
523 attack.
524 </para>
525 </listitem>
526
527 <listitem>
528 <para>
529 When using the &product-name; Extension Pack provided by
530 Oracle for disk encryption, the data stored in disk images
531 can optionally be encrypted. See
532 <xref linkend="diskencryption" />. This feature covers disk
533 image content only. All other data for a virtual machine is
534 stored unencrypted, including the VM's memory and device
535 state which is stored as part of a saved state, both when
536 created explicitly or part of a snapshot of a running VM.
537 </para>
538 </listitem>
539
540 </itemizedlist>
541
542 </sect2>
543
544 </sect1>
545
546<!--
547 <sect1 id="security-devel">
548 <title>Security Considerations for Developers</title>
549 </sect1>
550 -->
551
552 <sect1 id="security-recommendations">
553
554 <title>Security Recommendations</title>
555
556 <para>
557 This section contains security recommendations for specific
558 issues. By default VirtualBox will configure the VMs to run in a
559 secure manner, however this may not always be possible without
560 additional user actions such as host OS or firmware configuration
561 changes.
562 </para>
563
564 <sect2 id="sec-rec-cve-2018-3646">
565
566 <title>CVE-2018-3646</title>
567
568 <para>
569 This security issue affect a range of Intel CPUs with nested
570 paging. AMD CPUs are expected not to be impacted (pending direct
571 confirmation by AMD). Also the issue does not affect VMs running
572 with hardware virtualization disabled or with nested paging
573 disabled.
574 </para>
575
576 <para>
577 For more information about nested paging, see
578 <xref linkend="nestedpaging" />.
579 </para>
580
581 <para>
582 The following mitigation options are available.
583 </para>
584
585 <sect3>
586
587 <title>Disable Nested Paging</title>
588
589 <para>
590 By disabling nested paging (EPT), the VMM will construct page
591 tables shadowing the ones in the guest. It is no possible for
592 the guest to insert anything fishy into the page tables, since
593 the VMM carefully validates each entry before shadowing it.
594 </para>
595
596 <para>
597 As a side effect of disabling nested paging, several CPU
598 features will not be made available to the guest. Among these
599 features are AVX, AVX2, XSAVE, AESNI, and POPCNT. Not all
600 guests may be able to cope with dropping these features after
601 installation. Also, for some guests, especially in SMP
602 configurations, there could be stability issues arising from
603 disabling nested paging. Finally, some workloads may
604 experience a performance degradation.
605 </para>
606
607 </sect3>
608
609 <sect3>
610
611 <title>Flushing the Level 1 Data Cache</title>
612
613 <para>
614 This aims at removing potentially sensitive data from the
615 level 1 data cache when running guest code. However, it is
616 made difficult by hyper-threading setups sharing the level 1
617 cache and thereby potentially letting the other thread in a
618 pair refill the cache with data the user does not want the
619 guest to see. In addition, flushing the level 1 data cache is
620 usually not without performance side effects.
621 </para>
622
623 <para>
624 Up to date CPU microcode is a prerequisite for the cache
625 flushing mitigations. Some host OSes may install these
626 automatically, though it has traditionally been a task best
627 performed by the system firmware. So, please check with your
628 system / mainboard manufacturer for the latest firmware
629 update.
630 </para>
631
632 <para>
633 We recommend disabling hyper threading on the host. This is
634 traditionally done from the firmware setup, but some OSes also
635 offers ways disable HT. In some cases it may be disabled by
636 default, but please verify as the effectiveness of the
637 mitigation depends on it.
638 </para>
639
640 <para>
641 The default action taken by VirtualBox is to flush the level 1
642 data cache when a thread is scheduled to execute guest code,
643 rather than on each VM entry. This reduces the performance
644 impact, while making the assumption that the host OS will not
645 handle security sensitive data from interrupt handlers and
646 similar without taking precautions.
647 </para>
648
649 <para>
650 A more aggressive flushing option is provided via the
651 <command>VBoxManage modifyvm</command>
652 <option>--l1d-flush-on-vm-entry</option> option. When enabled
653 the level 1 data cache will be flushed on every VM entry. The
654 performance impact is greater than with the default option,
655 though this of course depends on the workload. Workloads
656 producing a lot of VM exits (like networking, VGA access, and
657 similiar) will probably be most impacted.
658 </para>
659
660 <para>
661 For users not concerned by this security issue, the default
662 mitigation can be disabled using the <command>VBoxManage
663 modifyvm name --l1d-flush-on-sched off</command> command.
664 </para>
665
666 </sect3>
667
668 </sect2>
669
670 <sect2 id="sec-rec-cve-2018-12126-et-al">
671
672 <title>CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091</title>
673
674 <para>
675 These security issues affect a range of Intel CPUs starting with
676 Nehalem. The CVE-2018-12130 also affects some Atom Silvermont,
677 Atom Airmont, and Knights family CPUs, however the scope is so
678 limited that the host OS should deal with it and &product-name;
679 is therefore not affected. Leaks only happens when entering and
680 leaving C states.
681 </para>
682
683 <para>
684 The following mitigation option is available.
685 </para>
686
687 <sect3>
688
689 <title>Buffer Overwriting and Disabling Hyper-Threading</title>
690
691 <para>
692 First, up to date CPU microcode is a prerequisite for the
693 buffer overwriting (clearing) mitigations. Some host OSes may
694 install these automatically, though it has traditionally been
695 a task best performed by the system firmware. Please check
696 with your system or mainboard manufacturer for the latest
697 firmware update.
698 </para>
699
700 <para>
701 This mitigation aims at removing potentially sensitive data
702 from the affected buffers before running guest code. Since
703 this means additional work each time the guest is scheduled,
704 there might be some performance side effects.
705 </para>
706
707 <para>
708 We recommend disabling hyper-threading (HT) on hosts affected
709 by CVE-2018-12126 and CVE-2018-12127, because the affected
710 sets of buffers are normally shared between thread pairs and
711 therefore cause leaks between the threads. This is
712 traditionally done from the firmware setup, but some OSes also
713 offers ways disable HT. In some cases it may be disabled by
714 default, but please verify as the effectiveness of the
715 mitigation depends on it.
716 </para>
717
718 <para>
719 The default action taken by &product-name; is to clear the
720 affected buffers when a thread is scheduled to execute guest
721 code, rather than on each VM entry. This reduces the
722 performance impact, while making the assumption that the host
723 OS will not handle security sensitive data from interrupt
724 handlers and similar without taking precautions.
725 </para>
726
727 <para>
728 The <command>VBoxManage modifyvm</command> command provides a
729 more aggressive flushing option is provided by means of the
730 <option>--mds-clear-on-vm-entry</option> option. When enabled
731 the affected buffers will be cleared on every VM entry. The
732 performance impact is greater than with the default option,
733 though this of course depends on the workload. Workloads
734 producing a lot of VM exits (like networking, VGA access, and
735 similiar) will probably be most impacted.
736 </para>
737
738 <para>
739 For users not concerned by this security issue, the default
740 mitigation can be disabled using the <command>VBoxManage
741 modifyvm name --mds-clear-on-sched off</command> command.
742 </para>
743
744 </sect3>
745
746 </sect2>
747
748 </sect1>
749
750</chapter>
Note: See TracBrowser for help on using the repository browser.

© 2024 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette