1 | <?xml version="1.0" encoding="UTF-8"?>
|
---|
2 | <!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
|
---|
3 | "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
|
---|
4 | <chapter id="Security">
|
---|
5 | <title>Security guide</title>
|
---|
6 |
|
---|
7 | <sect1>
|
---|
8 | <title>General Security Principles</title>
|
---|
9 |
|
---|
10 | <para>The following principles are fundamental to using any application
|
---|
11 | securely.
|
---|
12 | <glosslist>
|
---|
13 | <glossentry>
|
---|
14 | <glossterm>Keep Software Up To Date</glossterm>
|
---|
15 | <glossdef>
|
---|
16 | <para>
|
---|
17 | One of the principles of good security practise is to keep all
|
---|
18 | software versions and patches up to date. Activate the VirtualBox
|
---|
19 | update notification to get notified when a new VirtualBox release
|
---|
20 | is available. When updating VirtualBox, do not forget to update
|
---|
21 | the Guest Additions. Keep the host operating system as well as the
|
---|
22 | guest operating system up to date.
|
---|
23 | </para>
|
---|
24 | </glossdef>
|
---|
25 | </glossentry>
|
---|
26 |
|
---|
27 | <glossentry>
|
---|
28 | <glossterm>Restrict Network Access to Critical Services</glossterm>
|
---|
29 | <glossdef>
|
---|
30 | <para>
|
---|
31 | Use proper means, for instance a firewall, to protect your computer
|
---|
32 | and your guest(s) from accesses from the outside. Choosing the proper
|
---|
33 | networking mode for VMs helps to separate host networking from the
|
---|
34 | guest and vice versa.
|
---|
35 | </para>
|
---|
36 | </glossdef>
|
---|
37 | </glossentry>
|
---|
38 |
|
---|
39 | <glossentry>
|
---|
40 | <glossterm>Follow the Principle of Least Privilege</glossterm>
|
---|
41 | <glossdef>
|
---|
42 | <para>
|
---|
43 | The principle of least privilege states that users should be given the
|
---|
44 | least amount of privilege necessary to perform their jobs. Always execute VirtualBox
|
---|
45 | as a regular user. We strongly discourage anyone from executing
|
---|
46 | VirtualBox with system privileges.
|
---|
47 | </para>
|
---|
48 | <para>
|
---|
49 | Choose restrictive permissions when creating configuration files,
|
---|
50 | for instance when creating /etc/default/virtualbox, see
|
---|
51 | <xref linkend="linux_install_opts"/>. Mode 0600 would be preferred.
|
---|
52 | </para>
|
---|
53 | </glossdef>
|
---|
54 | </glossentry>
|
---|
55 |
|
---|
56 | <glossentry>
|
---|
57 | <glossterm>Monitor System Activity</glossterm>
|
---|
58 | <glossdef>
|
---|
59 | <para>
|
---|
60 | System security builds on three pillars: good security protocols, proper
|
---|
61 | system configuration and system monitoring. Auditing and reviewing audit
|
---|
62 | records address the third requirement. Each component within a system
|
---|
63 | has some degree of monitoring capability. Follow audit advice in this
|
---|
64 | document and regularly monitor audit records.
|
---|
65 | </para>
|
---|
66 | </glossdef>
|
---|
67 | </glossentry>
|
---|
68 |
|
---|
69 | <glossentry>
|
---|
70 | <glossterm>Keep Up To Date on Latest Security Information</glossterm>
|
---|
71 | <glossdef>
|
---|
72 | <para>
|
---|
73 | Oracle continually improves its software and documentation. Check this
|
---|
74 | note yearly for revisions.
|
---|
75 | </para>
|
---|
76 | </glossdef>
|
---|
77 | </glossentry>
|
---|
78 |
|
---|
79 | </glosslist>
|
---|
80 | </para>
|
---|
81 | </sect1>
|
---|
82 |
|
---|
83 | <sect1>
|
---|
84 | <title>Secure Installation and Configuration</title>
|
---|
85 |
|
---|
86 | <sect2>
|
---|
87 | <title>Installation Overview</title>
|
---|
88 | <para>
|
---|
89 | The VirtualBox base package should be downloaded only from a trusted source,
|
---|
90 | for instance the official website
|
---|
91 | <ulink url="http://www.virtualbox.org">http://www.virtualbox.org</ulink>.
|
---|
92 | The integrity of the package should be verified with the provided SHA256
|
---|
93 | checksum which can be found on the official website.
|
---|
94 | </para>
|
---|
95 | <para>
|
---|
96 | General VirtualBox installation instructions for the supported hosts
|
---|
97 | can be found in <xref linkend="installation"/>.
|
---|
98 | </para>
|
---|
99 | <para>
|
---|
100 | On Windows hosts, the installer allows for disabling USB support, support
|
---|
101 | for bridged networking, support for host-only networking and the Python
|
---|
102 | language bindings, see <xref linkend="installation_windows"/>.
|
---|
103 | All these features are enabled by default but disabling some
|
---|
104 | of them could be appropriate if the corresponding functionality is not
|
---|
105 | required by any virtual machine. The Python language bindings are only
|
---|
106 | required if the VirtualBox API is to be used by external Python
|
---|
107 | applications. In particular USB support and support
|
---|
108 | for the two networking modes require the installation of Windows kernel
|
---|
109 | drivers on the host. Therefore disabling those selected features can
|
---|
110 | not only be used to restrict the user to certain functionality but
|
---|
111 | also to minimize the surface provided to a potential attacker. </para>
|
---|
112 | <para>
|
---|
113 | The general case is to install the complete VirtualBox package. The
|
---|
114 | installation must be done with system privileges. All VirtualBox binaries
|
---|
115 | should be executed as a regular user and never as a privileged user.
|
---|
116 | </para>
|
---|
117 | <para>
|
---|
118 | The Oracle VM VirtualBox extension pack provides additional features
|
---|
119 | and must be downloaded and installed separately, see
|
---|
120 | <xref linkend="intro-installing"/>. As for the base package, the SHA256
|
---|
121 | checksum of the extension pack should be verified. As the installation
|
---|
122 | requires system privileges, VirtualBox will ask for the system
|
---|
123 | password during the installation of the extension pack.
|
---|
124 | </para>
|
---|
125 | </sect2>
|
---|
126 |
|
---|
127 | <sect2>
|
---|
128 | <title>Post Installation Configuration</title>
|
---|
129 | <para>
|
---|
130 | Normally there is no post installation configuration of VirtualBox components
|
---|
131 | required. However, on Solaris and Linux hosts it is necessary to configure
|
---|
132 | the proper permissions for users executing VMs and who should be able to
|
---|
133 | access certain host resources. For instance, Linux users must be member of
|
---|
134 | the <emphasis>vboxusers</emphasis> group to be able to pass USB devices to a
|
---|
135 | guest. If a serial host interface should be accessed from a VM, the proper
|
---|
136 | permissions must be granted to the user to be able to access that device.
|
---|
137 | The same applies to other resources like raw partitions, DVD/CD drives
|
---|
138 | and sound devices.
|
---|
139 | </para>
|
---|
140 | </sect2>
|
---|
141 | </sect1>
|
---|
142 |
|
---|
143 | <sect1>
|
---|
144 | <title>Security Features</title>
|
---|
145 | <para>This section outlines the specific security mechanisms offered
|
---|
146 | by VirtualBox.</para>
|
---|
147 |
|
---|
148 | <sect2>
|
---|
149 | <title>The Security Model</title>
|
---|
150 | <para>
|
---|
151 | One property of virtual machine monitors (VMMs) like VirtualBox is to encapsulate
|
---|
152 | a guest by executing it in a protected environment, a virtual machine,
|
---|
153 | running as a user process on the host operating system. The guest cannot
|
---|
154 | communicate directly with the hardware or other computers but only through
|
---|
155 | the VMM. The VMM provides emulated physical resources and devices to the
|
---|
156 | guest which are accessed by the guest operating system to perform the required
|
---|
157 | tasks. The VM settings control the resources provided to the guest, for example
|
---|
158 | the amount of guest memory or the number of guest processors, (see
|
---|
159 | <xref linkend="generalsettings"/>) and the enabled features for that guest
|
---|
160 | (for example remote control, certain screen settings and others).
|
---|
161 | </para>
|
---|
162 | </sect2>
|
---|
163 |
|
---|
164 | <sect2>
|
---|
165 | <title>Secure Configuration of Virtual Machines</title>
|
---|
166 | <para>
|
---|
167 | Several aspects of a virtual machine configuration are subject to security
|
---|
168 | considerations.</para>
|
---|
169 |
|
---|
170 | <sect3>
|
---|
171 | <title>Networking</title>
|
---|
172 | <para>
|
---|
173 | The default networking mode for VMs is NAT which means that
|
---|
174 | the VM acts like a computer behind a router, see
|
---|
175 | <xref linkend="network_nat"/>. The guest is part of a private
|
---|
176 | subnet belonging to this VM and the guest IP is not visible
|
---|
177 | from the outside. This networking mode works without
|
---|
178 | any additional setup and is sufficient for many purposes.
|
---|
179 | </para>
|
---|
180 | <para>
|
---|
181 | If bridged networking is used, the VM acts like a computer inside
|
---|
182 | the same network as the host, see <xref linkend="network_bridged"/>.
|
---|
183 | In this case, the guest has the same network access as the host and
|
---|
184 | a firewall might be necessary to protect other computers on the
|
---|
185 | subnet from a potential malicious guest as well as to protect the
|
---|
186 | guest from a direct access from other computers. In some cases it is
|
---|
187 | worth considering using a forwarding rule for a specific port in NAT
|
---|
188 | mode instead of using bridged networking.
|
---|
189 | </para>
|
---|
190 | <para>
|
---|
191 | Some setups do not require a VM to be connected to the public network
|
---|
192 | at all. Internal networking (see <xref linkend="network_internal"/>)
|
---|
193 | or host-only networking (see <xref linkend="network_hostonly"/>)
|
---|
194 | are often sufficient to connect VMs among each other or to connect
|
---|
195 | VMs only with the host but not with the public network.
|
---|
196 | </para>
|
---|
197 | </sect3>
|
---|
198 |
|
---|
199 | <sect3>
|
---|
200 | <title>VRDP remote desktop authentication</title>
|
---|
201 | <para>When using the VirtualBox extension pack provided by Oracle
|
---|
202 | for VRDP remote desktop support, you can optionally use various
|
---|
203 | methods to configure RDP authentication. The "null" method is
|
---|
204 | very insecure and should be avoided in a public network.
|
---|
205 | See <xref linkend="vbox-auth" /> for details.</para>
|
---|
206 | </sect3>
|
---|
207 |
|
---|
208 | <sect3 id="security_clipboard">
|
---|
209 | <title>Clipboard</title>
|
---|
210 | <para>
|
---|
211 | The shared clipboard allows users to share data between the host and
|
---|
212 | the guest. Enabling the clipboard in "Bidirectional" mode allows
|
---|
213 | the guest to read and write the host clipboard. The "Host to guest"
|
---|
214 | mode and the "Guest to host" mode limit the access to one
|
---|
215 | direction. If the guest is able to access the host clipboard it
|
---|
216 | can also potentially access sensitive data from the host which is
|
---|
217 | shared over the clipboard.
|
---|
218 | </para>
|
---|
219 | <para>
|
---|
220 | If the guest is able to read from and/or write to the host clipboard
|
---|
221 | then a remote user connecting to the guest over the network will also
|
---|
222 | gain this ability, which may not be desirable. As a consequence, the
|
---|
223 | shared clipboard is disabled for new machines.
|
---|
224 | </para>
|
---|
225 | </sect3>
|
---|
226 |
|
---|
227 | <sect3>
|
---|
228 | <title>Shared folders</title>
|
---|
229 | <para>If any host folder is shared with the guest then a remote
|
---|
230 | user connected to the guest over the network can access
|
---|
231 | these files too as the folder sharing mechanism cannot be
|
---|
232 | selectively disabled for remote users.
|
---|
233 | </para>
|
---|
234 | </sect3>
|
---|
235 |
|
---|
236 | <sect3>
|
---|
237 | <title>3D graphics acceleration</title>
|
---|
238 | <para>Enabling 3D graphics via the Guest Additions exposes the host
|
---|
239 | to additional security risks; see <xref
|
---|
240 | linkend="guestadd-3d" />.</para>
|
---|
241 | </sect3>
|
---|
242 |
|
---|
243 | <sect3>
|
---|
244 | <title>CD/DVD passthrough</title>
|
---|
245 | <para>Enabling CD/DVD passthrough allows the guest to perform advanced
|
---|
246 | operations on the CD/DVD drive, see <xref linkend="storage-cds"/>.
|
---|
247 | This could induce a security risk as a guest could overwrite data
|
---|
248 | on a CD/DVD medium.
|
---|
249 | </para>
|
---|
250 | </sect3>
|
---|
251 |
|
---|
252 | <sect3>
|
---|
253 | <title>USB passthrough</title>
|
---|
254 | <para>
|
---|
255 | Passing USB devices to the guest provides the guest full access
|
---|
256 | to these devices, see <xref linkend="settings-usb"/>. For instance,
|
---|
257 | in addition to reading and writing the content of the partitions
|
---|
258 | of an external USB disk the guest will be also able to read and
|
---|
259 | write the partition table and hardware data of that disk.
|
---|
260 | </para>
|
---|
261 | </sect3>
|
---|
262 |
|
---|
263 | </sect2>
|
---|
264 |
|
---|
265 | <sect2>
|
---|
266 | <title>Configuring and Using Authentication</title>
|
---|
267 |
|
---|
268 | <para>The following components of VirtualBox can use passwords for
|
---|
269 | authentication:<itemizedlist>
|
---|
270 |
|
---|
271 | <listitem>
|
---|
272 | <para>When using remote iSCSI storage and the storage server
|
---|
273 | requires authentication, an initiator secret can optionally be supplied
|
---|
274 | with the <computeroutput>VBoxManage storageattach</computeroutput>
|
---|
275 | command. As long as no settings password is provided (command line
|
---|
276 | option <screen>--settingspwfile</screen>, this secret is
|
---|
277 | stored <emphasis role="bold">unencrypted</emphasis> in the machine
|
---|
278 | configuration and is therefore potentially readable on the host.
|
---|
279 | See <xref
|
---|
280 | linkend="storage-iscsi" /> and <xref
|
---|
281 | linkend="vboxmanage-storageattach" />.</para>
|
---|
282 | </listitem>
|
---|
283 |
|
---|
284 | <listitem>
|
---|
285 | <para>When using the VirtualBox web service to control a VirtualBox
|
---|
286 | host remotely, connections to the web service are authenticated in
|
---|
287 | various ways. This is described in detail in the VirtualBox Software
|
---|
288 | Development Kit (SDK) reference; please see <xref
|
---|
289 | linkend="VirtualBoxAPI" />.</para>
|
---|
290 | </listitem>
|
---|
291 | </itemizedlist></para>
|
---|
292 | </sect2>
|
---|
293 |
|
---|
294 | <!--
|
---|
295 | <sect2>
|
---|
296 | <title>Configuring and Using Access Control</title>
|
---|
297 | </sect2>
|
---|
298 |
|
---|
299 | <sect2>
|
---|
300 | <title>Configuring and Using Security Audit</title>
|
---|
301 | </sect2>
|
---|
302 |
|
---|
303 | <sect2>
|
---|
304 | <title>Congiguring and Using Other Security Features</title>
|
---|
305 | </sect2>
|
---|
306 | -->
|
---|
307 |
|
---|
308 | <sect2 id="pot-insecure">
|
---|
309 | <title>Potentially insecure operations</title>
|
---|
310 |
|
---|
311 | <para>The following features of VirtualBox can present security
|
---|
312 | problems:<itemizedlist>
|
---|
313 | <listitem>
|
---|
314 | <para>Enabling 3D graphics via the Guest Additions exposes the host
|
---|
315 | to additional security risks; see <xref
|
---|
316 | linkend="guestadd-3d" />.</para>
|
---|
317 | </listitem>
|
---|
318 |
|
---|
319 | <listitem>
|
---|
320 | <para>When teleporting a machine, the data stream through which the
|
---|
321 | machine's memory contents are transferred from one host to another
|
---|
322 | is not encrypted. A third party with access to the network through
|
---|
323 | which the data is transferred could therefore intercept that
|
---|
324 | data. An SSH tunnel could be used to secure the connection between
|
---|
325 | the two hosts. But when considering teleporting a VM over an untrusted
|
---|
326 | network the first question to answer is how both VMs can securely
|
---|
327 | access the same virtual disk image(s) with a reasonable performance. </para>
|
---|
328 | </listitem>
|
---|
329 |
|
---|
330 | <listitem>
|
---|
331 | <para>When Page Fusion (see <xref linkend="guestadd-pagefusion"/>)
|
---|
332 | is enabled, it is possible that a side-channel opens up that allows
|
---|
333 | a malicious guest to determine the address space layout (i.e. where
|
---|
334 | DLLs are typically loaded) of one other VM running on the same host.
|
---|
335 | This information leak in it self is harmless, however the malicious
|
---|
336 | guest may use it to optimize attack against that VM via unrelated
|
---|
337 | attack vectors. It is recommended to only enable Page Fusion if you
|
---|
338 | do not think this is a concern in your setup.</para>
|
---|
339 | </listitem>
|
---|
340 |
|
---|
341 | <listitem>
|
---|
342 | <para>When using the VirtualBox web service to control a VirtualBox
|
---|
343 | host remotely, connections to the web service (through which the API
|
---|
344 | calls are transferred via SOAP XML) are not encrypted, but use plain
|
---|
345 | HTTP by default. This is a potential security risk! For details about
|
---|
346 | the web service, please see <xref linkend="VirtualBoxAPI" />.</para>
|
---|
347 | <para>The web services are not started by default. Please refer to
|
---|
348 | <xref linkend="vboxwebsrv-daemon"/> to find out how to start this
|
---|
349 | service and how to enable SSL/TLS support. It has to be started as
|
---|
350 | a regular user and only the VMs of that user can be controlled. By
|
---|
351 | default, the service binds to localhost preventing any remote connection.</para>
|
---|
352 | </listitem>
|
---|
353 |
|
---|
354 | <listitem>
|
---|
355 | <para>Traffic sent over a UDP Tunnel network attachment is not
|
---|
356 | encrypted. You can either encrypt it on the host network level (with
|
---|
357 | IPsec), or use encrypted protocols in the guest network (such as
|
---|
358 | SSH). The security properties are similar to bridged Ethernet.</para>
|
---|
359 | </listitem>
|
---|
360 |
|
---|
361 | <listitem>
|
---|
362 | <para>Because of shortcomings in older Windows versions, using
|
---|
363 | VirtualBox on Windows versions older than Vista with Service Pack 1
|
---|
364 | is not recommended.</para>
|
---|
365 | </listitem>
|
---|
366 |
|
---|
367 | </itemizedlist></para>
|
---|
368 | </sect2>
|
---|
369 |
|
---|
370 | <sect2>
|
---|
371 | <title>Encryption</title>
|
---|
372 |
|
---|
373 | <para>The following components of VirtualBox use encryption to protect
|
---|
374 | sensitive data:<itemizedlist>
|
---|
375 | <listitem>
|
---|
376 | <para>When using the VirtualBox extension pack provided by Oracle
|
---|
377 | for VRDP remote desktop support, RDP data can optionally be
|
---|
378 | encrypted. See <xref linkend="vrde-crypt" /> for details. Only
|
---|
379 | the Enhanced RDP Security method (RDP5.2) with TLS protocol
|
---|
380 | provides a secure connection. Standard RDP Security (RDP4 and
|
---|
381 | RDP5.1) is vulnerable to a man-in-the-middle attack.</para>
|
---|
382 | </listitem>
|
---|
383 | </itemizedlist></para>
|
---|
384 | </sect2>
|
---|
385 | </sect1>
|
---|
386 |
|
---|
387 | <!--
|
---|
388 | <sect1>
|
---|
389 | <title>Security Considerations for Developers</title>
|
---|
390 | </sect1>
|
---|
391 | -->
|
---|
392 |
|
---|
393 | </chapter>
|
---|