1 | <?xml version="1.0" encoding="UTF-8"?>
|
---|
2 | <!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
|
---|
3 | "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
|
---|
4 | <chapter id="Security">
|
---|
5 | <title>Security guide</title>
|
---|
6 |
|
---|
7 | <sect1>
|
---|
8 | <title>Overview</title>
|
---|
9 | <para>
|
---|
10 | </para>
|
---|
11 |
|
---|
12 | <sect2>
|
---|
13 | <title>General Security Principles</title>
|
---|
14 |
|
---|
15 | <para>The following principles are fundamental to using any application
|
---|
16 | securely.
|
---|
17 | <glosslist>
|
---|
18 | <glossentry>
|
---|
19 | <glossterm>Keep Software Up To Date</glossterm>
|
---|
20 | <glossdef>
|
---|
21 | <para>
|
---|
22 | One of the principles of good security practise is to keep all
|
---|
23 | software versions and patches up to date. Activate the VirtualBox
|
---|
24 | update notification to get notified when a new VirtualBox release
|
---|
25 | is available. When updating VirtualBox, do not forget to update
|
---|
26 | the Guest Additions. Keep the host operating system as well as the
|
---|
27 | guest operating system up to date.
|
---|
28 | </para>
|
---|
29 | </glossdef>
|
---|
30 | </glossentry>
|
---|
31 |
|
---|
32 | <glossentry>
|
---|
33 | <glossterm>Restrict Network Access to Critical Services</glossterm>
|
---|
34 | <glossdef>
|
---|
35 | <para>
|
---|
36 | Use proper means, for instance a firewall, to protect your computer
|
---|
37 | and your guest(s) from accesses from the outside. Choosing the proper
|
---|
38 | networking mode for VMs helps to separate host networking from the
|
---|
39 | guest and vice versa.
|
---|
40 | </para>
|
---|
41 | </glossdef>
|
---|
42 | </glossentry>
|
---|
43 |
|
---|
44 | <glossentry>
|
---|
45 | <glossterm>Follow the Principle of Least Privilege</glossterm>
|
---|
46 | <glossdef>
|
---|
47 | <para>
|
---|
48 | The principle of least privilege states that users should be given the
|
---|
49 | least amount of privilege necessary to perform their jobs. Always execute VirtualBox
|
---|
50 | as a regular user. We strongly discourage anyone from executing
|
---|
51 | VirtualBox with system privileges.
|
---|
52 | </para>
|
---|
53 | </glossdef>
|
---|
54 | </glossentry>
|
---|
55 |
|
---|
56 | <glossentry>
|
---|
57 | <glossterm>Monitor System Activity</glossterm>
|
---|
58 | <glossdef>
|
---|
59 | <para>
|
---|
60 | System security builds on three pillars: good security protocols, proper
|
---|
61 | system configuration and system monitoring. Auditing and reviewing audit
|
---|
62 | records address the third requirement. Each component within a system
|
---|
63 | has some degree of monitoring capability. Follow audit advice in this
|
---|
64 | document and regularly monitor audit records.
|
---|
65 | </para>
|
---|
66 | </glossdef>
|
---|
67 | </glossentry>
|
---|
68 |
|
---|
69 | <glossentry>
|
---|
70 | <glossterm>Keep Up To Date on Latest Security Information</glossterm>
|
---|
71 | <glossdef>
|
---|
72 | <para>
|
---|
73 | Oracle continually improves its software and documentation. Check this
|
---|
74 | note note yearly for revisions.
|
---|
75 | </para>
|
---|
76 | </glossdef>
|
---|
77 | </glossentry>
|
---|
78 |
|
---|
79 | </glosslist>
|
---|
80 | </para>
|
---|
81 | </sect2>
|
---|
82 | </sect1>
|
---|
83 |
|
---|
84 | <sect1>
|
---|
85 | <title>Secure Installation and Configuration</title>
|
---|
86 | </sect1>
|
---|
87 |
|
---|
88 | <sect2>
|
---|
89 | <title>Installation Overview</title>
|
---|
90 | <para>
|
---|
91 | The VirtualBox base package should be downloaded only from a trusted source,
|
---|
92 | for instance the official website
|
---|
93 | <ulink url="http://www.virtualbox.org">http://www.virtualbox.org</ulink>.
|
---|
94 | The integrity of the package should be verified with the provided SHA256
|
---|
95 | checksum which can be found on the official website.
|
---|
96 | </para>
|
---|
97 | <para>
|
---|
98 | General VirtualBox installation instructions for the supported hosts
|
---|
99 | can be found in <xref linkend="installation"/>.
|
---|
100 | </para>
|
---|
101 | <para>
|
---|
102 | On Windows hosts, the installer allows to disable USB support, support
|
---|
103 | for bridged networking, support for host-only networking and the Python
|
---|
104 | language bindings, see <xref linkend="installation_windows"/>.
|
---|
105 | All these features are enabled by default but disabling some
|
---|
106 | of them could be appropriate if the corresponding functionality is not
|
---|
107 | required by any virtual machine. The Python language bindings are only
|
---|
108 | required if the VirtualBox API should be used by external Python
|
---|
109 | applications. In particular USB support and support
|
---|
110 | for the two networking modes induce the installation of Windows kernel
|
---|
111 | drivers at the host. Therefore disabling those selected features can
|
---|
112 | not only be used to restrict the user to a certain functionality but
|
---|
113 | also to minimize the surfaces provided to a potential attacker. </para>
|
---|
114 | <para>
|
---|
115 | The regular case is to install the complete VirtualBox package. The
|
---|
116 | installation must be done with system privileges. All VirtualBox binaries
|
---|
117 | should be executed as a regular user and never as a privileged user.
|
---|
118 | </para>
|
---|
119 | <para>
|
---|
120 | The Oracle VM VirtualBox extension pack provides additional features
|
---|
121 | and must be downloaded and installed separately, see
|
---|
122 | <xref linkend="intro-installing"/>. As for the base package, the SHA256
|
---|
123 | checksum of the extension pack should be verified. As the installation
|
---|
124 | requires system privileges, the VirtualBox GUI will ask for the system
|
---|
125 | password during the installation of the extension pack.
|
---|
126 | </para>
|
---|
127 | </sect2>
|
---|
128 |
|
---|
129 | <sect2>
|
---|
130 | <title>Post Installation Configuration</title>
|
---|
131 | <para>
|
---|
132 | Normally there is no post installation configuration of VirtualBox components
|
---|
133 | required. However, on Solaris and Linux hosts it is necessary to configure
|
---|
134 | the proper permissions for users executing VMs and who should be able to
|
---|
135 | access certain host resources. For instance, Linux users must be member of
|
---|
136 | the <emphasis>vboxusers</emphasis> group to be able to pass USB devices to a
|
---|
137 | guest. If a serial host interface should be accessed from a VM, the proper
|
---|
138 | permissions must be granted to the user to be able to access that device.
|
---|
139 | The same applies to other resources like raw partitions, DVD/CD drives
|
---|
140 | and sound devices.
|
---|
141 | </para>
|
---|
142 | </sect2>
|
---|
143 |
|
---|
144 | <sect1>
|
---|
145 | <title>Security Features</title>
|
---|
146 | <para>This section outlines the specific security mechanisms offered
|
---|
147 | by VirtualBox.</para>
|
---|
148 |
|
---|
149 | <sect2>
|
---|
150 | <title>The Security Model</title>
|
---|
151 | <para>
|
---|
152 | One property of virtual machine monitors (VMMs) like VirtualBox is to encapsulate
|
---|
153 | a guest by executing it in a protected environment, a virtual machine,
|
---|
154 | running as a user process on the host operating system. The guest cannot
|
---|
155 | communicate directly with the hardware or other computers but only through
|
---|
156 | the VMM. The VMM provides emulated physical resources and devices to the
|
---|
157 | guest which are accessed by the guest operating system to perform the required
|
---|
158 | tasks. The VM settings control the resources provided to the guest, for example
|
---|
159 | the amount of guest memory or the number of guest processors, (see
|
---|
160 | <xref linkend="generalsettings"/>) and the enabled features for that guest
|
---|
161 | (for example remote control, certain screen settings and others).
|
---|
162 | </para>
|
---|
163 | </sect2>
|
---|
164 |
|
---|
165 | <sect2>
|
---|
166 | <title>Secure Configuration of Virtual Machines</title>
|
---|
167 | <para>
|
---|
168 | Several aspects of a virtual machine configuration are subject to security
|
---|
169 | considerations.</para>
|
---|
170 |
|
---|
171 | <sect3>
|
---|
172 | <title>Networking</title>
|
---|
173 | <para>
|
---|
174 | The default networking mode for VMs is NAT which means that
|
---|
175 | the VM acts like a computer behind a router, see
|
---|
176 | <xref linkend="network_nat"/>. The guest is part of a private
|
---|
177 | subnet belonging to this VM and the guest IP is not visible
|
---|
178 | from the outside. This networking mode works without
|
---|
179 | any additional setup and is sufficient for many purposes.
|
---|
180 | </para>
|
---|
181 | <para>
|
---|
182 | If bridged networking is used, the VM acts like a computer inside
|
---|
183 | the same network as the host, see <xref linkend="network_bridged"/>.
|
---|
184 | In this case, the guest has the same network access as the host and
|
---|
185 | a firewall might be necessary to protect other computers on the
|
---|
186 | subnet from a potential malicious guest as well as to protect the
|
---|
187 | guest from a direct access from other computers. In some cases it is
|
---|
188 | worth considering using a forwarding rule for a specific port in NAT
|
---|
189 | mode instead of using bridged networking.
|
---|
190 | </para>
|
---|
191 | <para>
|
---|
192 | Some setups do not require a VM to be connected to the public network
|
---|
193 | at all. Internal networking (see <xref linkend="network_internal"/>)
|
---|
194 | or host-only networking (see <xref linkend="network_hostonly"/>)
|
---|
195 | are often sufficient to connect VMs among each other or to connect
|
---|
196 | VMs only with the host but not with the public network.
|
---|
197 | </para>
|
---|
198 | </sect3>
|
---|
199 |
|
---|
200 | <sect3>
|
---|
201 | <title>VRDP remote desktop authentication</title>
|
---|
202 | <para>When using the VirtualBox extension pack provided by Oracle
|
---|
203 | for VRDP remote desktop support, you can optionally use various
|
---|
204 | methods to configure RDP authentication. The "null" method is
|
---|
205 | very insecure and should be avoided in a public network.
|
---|
206 | See <xref linkend="vbox-auth" /> for details.</para>
|
---|
207 | </sect3>
|
---|
208 |
|
---|
209 | <sect3>
|
---|
210 | <title>Clipboard</title>
|
---|
211 | <para>
|
---|
212 | The shared clipboard allows users to share data between the host and
|
---|
213 | the guest. Enabling the clipboard in "Bidirectional" mode allows
|
---|
214 | the guest to read and write the host clipboard. The "Host to guest"
|
---|
215 | mode and the "Guest to host" mode limit the access to one
|
---|
216 | direction. If the guest is able to access the host clipboard it
|
---|
217 | could also access sensitive data from the host which is shared over
|
---|
218 | the clipboard.
|
---|
219 | </para>
|
---|
220 | </sect3>
|
---|
221 |
|
---|
222 | <sect3>
|
---|
223 | <title>3D graphics acceleration</title>
|
---|
224 | <para>Enabling 3D graphics via the Guest Additions exposes the host
|
---|
225 | to additional security risks; see <xref
|
---|
226 | linkend="guestadd-3d" />.</para>
|
---|
227 | </sect3>
|
---|
228 |
|
---|
229 | <sect3>
|
---|
230 | <title>CD/DVD passthrough</title>
|
---|
231 | <para>Enabling CD/DVD passthrough allows the guest to perform advanced
|
---|
232 | operations on the CD/DVD drive, see <xref linkend="storage-cds"/>.
|
---|
233 | This could induce a security risk as a guest could overwrite data
|
---|
234 | on a CD/DVD medium.
|
---|
235 | </para>
|
---|
236 | </sect3>
|
---|
237 |
|
---|
238 | <sect3>
|
---|
239 | <title>USB passthrough</title>
|
---|
240 | <para>
|
---|
241 | Passing USB devices to the guest provides the guest full access
|
---|
242 | to these devices, see <xref linkend="settings-usb"/>. For instance,
|
---|
243 | in addition to reading and writing the content of the partitions
|
---|
244 | of an external USB disk the guest will be also able to read and
|
---|
245 | write the partition table and hardware data of that disk.
|
---|
246 | </para>
|
---|
247 | </sect3>
|
---|
248 |
|
---|
249 | </sect2>
|
---|
250 |
|
---|
251 | <sect2>
|
---|
252 | <title>Configuring and Using Authentication</title>
|
---|
253 |
|
---|
254 | <para>The following components of VirtualBox can use passwords for
|
---|
255 | authentication:<itemizedlist>
|
---|
256 |
|
---|
257 | <listitem>
|
---|
258 | <para>When using teleporting, passwords can optionally be used to
|
---|
259 | protect a machine waiting to be teleported from unauthorized access.
|
---|
260 | Note however that these passwords are stored <emphasis
|
---|
261 | role="bold">unencrypted</emphasis> in the machine configuration XML
|
---|
262 | and therefore potentially readable on the host. See <xref
|
---|
263 | linkend="teleporting" /> and <xref
|
---|
264 | linkend="vboxmanage-modifyvm-teleport" />.</para>
|
---|
265 | </listitem>
|
---|
266 |
|
---|
267 | <listitem>
|
---|
268 | <para>When using remote iSCSI storage and the storage server
|
---|
269 | requires authentication, a password can optionally be supplied with
|
---|
270 | the <computeroutput>VBoxManage storageattach</computeroutput>
|
---|
271 | command. Note however that this is stored <emphasis
|
---|
272 | role="bold">unencrypted</emphasis> in the machine configuration and
|
---|
273 | is therefore potentially readable on the host. See <xref
|
---|
274 | linkend="storage-iscsi" /> and <xref
|
---|
275 | linkend="vboxmanage-storageattach" />.</para>
|
---|
276 | </listitem>
|
---|
277 |
|
---|
278 | <listitem>
|
---|
279 | <para>When using the VirtualBox web service to control a VirtualBox
|
---|
280 | host remotely, connections to the web service are authenticated in
|
---|
281 | various ways. This is described in detail in the VirtualBox Software
|
---|
282 | Development Kit (SDK) reference; please see <xref
|
---|
283 | linkend="VirtualBoxAPI" />.</para>
|
---|
284 | </listitem>
|
---|
285 | </itemizedlist></para>
|
---|
286 | </sect2>
|
---|
287 |
|
---|
288 | <!--
|
---|
289 | <sect2>
|
---|
290 | <title>Configuring and Using Access Control</title>
|
---|
291 | </sect2>
|
---|
292 |
|
---|
293 | <sect2>
|
---|
294 | <title>Configuring and Using Security Audit</title>
|
---|
295 | </sect2>
|
---|
296 |
|
---|
297 | <sect2>
|
---|
298 | <title>Congiguring and Using Other Security Features</title>
|
---|
299 | </sect2>
|
---|
300 | -->
|
---|
301 |
|
---|
302 | <sect2>
|
---|
303 | <title>Potentially insecure operations</title>
|
---|
304 |
|
---|
305 | <para>The following features of VirtualBox can present security
|
---|
306 | problems:<itemizedlist>
|
---|
307 | <listitem>
|
---|
308 | <para>Enabling 3D graphics via the Guest Additions exposes the host
|
---|
309 | to additional security risks; see <xref
|
---|
310 | linkend="guestadd-3d" />.</para>
|
---|
311 | </listitem>
|
---|
312 |
|
---|
313 | <listitem>
|
---|
314 | <para>When teleporting a machine, the data stream through which the
|
---|
315 | machine's memory contents are transferred from one host to another
|
---|
316 | is not encrypted. A third party with access to the network through
|
---|
317 | which the data is transferred could therefore intercept that
|
---|
318 | data.</para>
|
---|
319 | </listitem>
|
---|
320 |
|
---|
321 | <listitem>
|
---|
322 | <para>When using the VirtualBox web service to control a VirtualBox
|
---|
323 | host remotely, connections to the web service (through which the API
|
---|
324 | calls are transferred via SOAP XML) are not encrypted, but use plain
|
---|
325 | HTTP. This is a potential security risk! For details about the web
|
---|
326 | service, please see <xref linkend="VirtualBoxAPI" />.</para>
|
---|
327 | </listitem>
|
---|
328 |
|
---|
329 | <listitem>
|
---|
330 | <para>Traffic sent over a UDP Tunnel network attachment is not
|
---|
331 | encrypted. You can either encrypt it on the host network level (with
|
---|
332 | IPsec), or use encrypted protocols in the guest network (such as
|
---|
333 | SSH). The security properties are similar to bridged Ethernet.</para>
|
---|
334 | </listitem>
|
---|
335 | </itemizedlist></para>
|
---|
336 | </sect2>
|
---|
337 |
|
---|
338 | <sect2>
|
---|
339 | <title>Encryption</title>
|
---|
340 |
|
---|
341 | <para>The following components of VirtualBox use encryption to protect
|
---|
342 | sensitive data:<itemizedlist>
|
---|
343 | <listitem>
|
---|
344 | <para>When using the VirtualBox extension pack provided by Oracle
|
---|
345 | for VRDP remote desktop support, RDP data can optionally be
|
---|
346 | encrypted. See <xref linkend="vrde-crypt" /> for details. Only
|
---|
347 | the Enhanced RDP Security method (RDP5.2) with TLS protocol
|
---|
348 | provides a secure connection. Standard RDP Security (RDP4 and
|
---|
349 | RDP5.1) is vulnerable to a man-in-the-middle attack.</para>
|
---|
350 | </listitem>
|
---|
351 | </itemizedlist></para>
|
---|
352 | </sect2>
|
---|
353 | </sect1>
|
---|
354 |
|
---|
355 | <!--
|
---|
356 | <sect1>
|
---|
357 | <title>Security Considerations for Developers</title>
|
---|
358 | </sect1>
|
---|
359 | -->
|
---|
360 |
|
---|
361 | </chapter>
|
---|