VirtualBox

source: vbox/trunk/doc/manual/en_US/user_Security.xml@ 74854

Last change on this file since 74854 was 73276, checked in by vboxsync, 6 years ago

doc/manual: Big build system overhaul, because the use of entities and catalogs eliminates the need to have placeholders in XML which previously needed separate preprocessing. Many cleanups, including replacing almost all pattern rules (since their dependencies had to be too generous) and using defines instead. Also integrated many cleanups for the user manual text (which needs careful review, couldn't check yet if it uses any additional tags which some of our XSLT would ignore).
  • Property svn:eol-style set to native
  • Property svn:keywords set to Author Date Id Revision
File size: 18.1 KB
Line 
1<?xml version="1.0" encoding="UTF-8"?>
2<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd"[
4<!ENTITY % all.entities SYSTEM "all-entities.ent">
5%all.entities;
6]>
7<chapter id="Security">
8
9 <title>Security Guide</title>
10
11 <sect1 id="security-general">
12
13 <title>General Security Principles</title>
14
15 <para>
16 The following principles are fundamental to using any application
17 securely.
18 </para>
19
20 <itemizedlist>
21
22 <listitem>
23 <para>
24 <emphasis role="strong">Keep software up to date</emphasis>.
25 One of the principles of good security practise is to keep all
26 software versions and patches up to date. Activate the
27 VirtualBox update notification to get notified when a new
28 VirtualBox release is available. When updating VirtualBox, do
29 not forget to update the Guest Additions. Keep the host
30 operating system as well as the guest operating system up to
31 date.
32 </para>
33 </listitem>
34
35 <listitem>
36 <para>
37 <emphasis role="strong">Restrict network access to critical
38 services.</emphasis> Use proper means, for instance a
39 firewall, to protect your computer and your guests from
40 accesses from the outside. Choosing the proper networking mode
41 for VMs helps to separate host networking from the guest and
42 vice versa.
43 </para>
44 </listitem>
45
46 <listitem>
47 <para>
48 <emphasis role="strong">Follow the principle of least
49 privilege.</emphasis> The principle of least privilege states
50 that users should be given the least amount of privilege
51 necessary to perform their jobs. Always execute VirtualBox as
52 a regular user. We strongly discourage anyone from executing
53 VirtualBox with system privileges.
54 </para>
55
56 <para>
57 Choose restrictive permissions when creating configuration
58 files, for instance when creating /etc/default/virtualbox, see
59 <xref linkend="linux_install_opts"/>. Mode 0600 is preferred.
60 </para>
61 </listitem>
62
63 <listitem>
64 <para>
65 <emphasis role="strong"> Monitor system activity.</emphasis>
66 System security builds on three pillars: good security
67 protocols, proper system configuration and system monitoring.
68 Auditing and reviewing audit records address the third
69 requirement. Each component within a system has some degree of
70 monitoring capability. Follow audit advice in this document
71 and regularly monitor audit records.
72 </para>
73 </listitem>
74
75 <listitem>
76 <para>
77 <emphasis role="strong">Keep up to date on latest security
78 information.</emphasis> Oracle continually improves its
79 software and documentation. Check this note yearly for
80 revisions.
81 </para>
82 </listitem>
83
84 </itemizedlist>
85
86 </sect1>
87
88 <sect1 id="security-secure-install">
89
90 <title>Secure Installation and Configuration</title>
91
92 <sect2 id="security-secure-install-overview">
93
94 <title>Installation Overview</title>
95
96 <para>
97 The VirtualBox base package should be downloaded only from a
98 trusted source, for instance the official website
99 <ulink url="http://www.virtualbox.org">http://www.virtualbox.org</ulink>.
100 The integrity of the package should be verified with the
101 provided SHA256 checksum which can be found on the official
102 website.
103 </para>
104
105 <para>
106 General VirtualBox installation instructions for the supported
107 hosts can be found in <xref linkend="installation"/>.
108 </para>
109
110 <para>
111 On Windows hosts, the installer allows for disabling USB
112 support, support for bridged networking, support for host-only
113 networking and the Python language binding. See
114 <xref linkend="installation_windows"/>. All these features are
115 enabled by default but disabling some of them could be
116 appropriate if the corresponding functionality is not required
117 by any virtual machine. The Python language bindings are only
118 required if the VirtualBox API is to be used by external Python
119 applications. In particular USB support and support for the two
120 networking modes require the installation of Windows kernel
121 drivers on the host. Therefore disabling those selected features
122 can not only be used to restrict the user to certain
123 functionality but also to minimize the surface provided to a
124 potential attacker.
125 </para>
126
127 <para>
128 The general case is to install the complete VirtualBox package.
129 The installation must be done with system privileges. All
130 VirtualBox binaries should be executed as a regular user and
131 never as a privileged user.
132 </para>
133
134 <para>
135 The Oracle VM VirtualBox extension pack provides additional
136 features and must be downloaded and installed separately, see
137 <xref linkend="intro-installing"/>. As for the base package, the
138 SHA256 checksum of the extension pack should be verified. As the
139 installation requires system privileges, VirtualBox will ask for
140 the system password during the installation of the extension
141 pack.
142 </para>
143
144 </sect2>
145
146 <sect2 id="security-secure-install-postinstall">
147
148 <title>Post Installation Configuration</title>
149
150 <para>
151 Normally there is no post installation configuration of
152 VirtualBox components required. However, on Solaris and Linux
153 hosts it is necessary to configure the proper permissions for
154 users executing VMs and who should be able to access certain
155 host resources. For instance, Linux users must be member of the
156 <emphasis>vboxusers</emphasis> group to be able to pass USB
157 devices to a guest. If a serial host interface should be
158 accessed from a VM, the proper permissions must be granted to
159 the user to be able to access that device. The same applies to
160 other resources like raw partitions, DVD/CD drives, and sound
161 devices.
162 </para>
163
164 </sect2>
165
166 </sect1>
167
168 <sect1 id="security-features">
169
170 <title>Security Features</title>
171
172 <para>
173 This section outlines the specific security mechanisms offered by
174 VirtualBox.
175 </para>
176
177 <sect2 id="security-model">
178
179 <title>The Security Model</title>
180
181 <para>
182 One property of virtual machine monitors (VMMs) like VirtualBox
183 is to encapsulate a guest by executing it in a protected
184 environment, a virtual machine, running as a user process on the
185 host operating system. The guest cannot communicate directly
186 with the hardware or other computers but only through the VMM.
187 The VMM provides emulated physical resources and devices to the
188 guest which are accessed by the guest operating system to
189 perform the required tasks. The VM settings control the
190 resources provided to the guest, for example the amount of guest
191 memory or the number of guest processors and the enabled
192 features for that guest. For example remote control, certain
193 screen settings and others. See
194 <xref linkend="generalsettings"/>.
195 </para>
196
197 </sect2>
198
199 <sect2 id="secure-config-vms">
200
201 <title>Secure Configuration of Virtual Machines</title>
202
203 <para>
204 Several aspects of a virtual machine configuration are subject
205 to security considerations.
206 </para>
207
208 <sect3 id="security-networking">
209
210 <title>Networking</title>
211
212 <para>
213 The default networking mode for VMs is NAT which means that
214 the VM acts like a computer behind a router, see
215 <xref linkend="network_nat"/>. The guest is part of a private
216 subnet belonging to this VM and the guest IP is not visible
217 from the outside. This networking mode works without any
218 additional setup and is sufficient for many purposes.
219 </para>
220
221 <para>
222 If bridged networking is used, the VM acts like a computer
223 inside the same network as the host, see
224 <xref linkend="network_bridged"/>. In this case, the guest has
225 the same network access as the host and a firewall might be
226 necessary to protect other computers on the subnet from a
227 potential malicious guest as well as to protect the guest from
228 a direct access from other computers. In some cases it is
229 worth considering using a forwarding rule for a specific port
230 in NAT mode instead of using bridged networking.
231 </para>
232
233 <para>
234 Some setups do not require a VM to be connected to the public
235 network at all. Internal networking, see
236 <xref linkend="network_internal"/>, or host-only networking,
237 see <xref linkend="network_hostonly"/>, are often sufficient
238 to connect VMs among each other or to connect VMs only with
239 the host but not with the public network.
240 </para>
241
242 </sect3>
243
244 <sect3 id="security-vrdp-auth">
245
246 <title>VRDP Remote Desktop Authentication</title>
247
248 <para>
249 When using the VirtualBox extension pack provided by Oracle
250 for VRDP remote desktop support, you can optionally use
251 various methods to configure RDP authentication. The "null"
252 method is very insecure and should be avoided in a public
253 network. See <xref linkend="vbox-auth" />.
254 </para>
255
256 </sect3>
257
258 <sect3 id="security_clipboard">
259
260 <title>Clipboard</title>
261
262 <para>
263 The shared clipboard allows users to share data between the
264 host and the guest. Enabling the clipboard in Bidirectional
265 mode allows the guest to read and write the host clipboard.
266 The Host to Guest mode and the Guest to Host mode limit the
267 access to one direction. If the guest is able to access the
268 host clipboard it can also potentially access sensitive data
269 from the host which is shared over the clipboard.
270 </para>
271
272 <para>
273 If the guest is able to read from and/or write to the host
274 clipboard then a remote user connecting to the guest over the
275 network will also gain this ability, which may not be
276 desirable. As a consequence, the shared clipboard is disabled
277 for new machines.
278 </para>
279
280 </sect3>
281
282 <sect3 id="security-shared-folders">
283
284 <title>Shared Folders</title>
285
286 <para>
287 If any host folder is shared with the guest then a remote user
288 connected to the guest over the network can access these files
289 too as the folder sharing mechanism cannot be selectively
290 disabled for remote users.
291 </para>
292
293 </sect3>
294
295 <sect3 id="security-3d-graphics">
296
297 <title>3D Graphics Acceleration</title>
298
299 <para>
300 Enabling 3D graphics via the Guest Additions exposes the host
301 to additional security risks. See
302 <xref
303 linkend="guestadd-3d" />.
304 </para>
305
306 </sect3>
307
308 <sect3 id="security-cd-dvd-passthrough">
309
310 <title>CD/DVD Passthrough</title>
311
312 <para>
313 Enabling CD/DVD passthrough allows the guest to perform
314 advanced operations on the CD/DVD drive, see
315 <xref linkend="storage-cds"/>. This could induce a security
316 risk as a guest could overwrite data on a CD/DVD medium.
317 </para>
318
319 </sect3>
320
321 <sect3 id="security-usb-passthrough">
322
323 <title>USB Passthrough</title>
324
325 <para>
326 Passing USB devices to the guest provides the guest full
327 access to these devices, see <xref linkend="settings-usb"/>.
328 For instance, in addition to reading and writing the content
329 of the partitions of an external USB disk the guest will be
330 also able to read and write the partition table and hardware
331 data of that disk.
332 </para>
333
334 </sect3>
335
336 </sect2>
337
338 <sect2 id="auth-config-using">
339
340 <title>Configuring and Using Authentication</title>
341
342 <para>
343 The following components of VirtualBox can use passwords for
344 authentication:
345 </para>
346
347 <itemizedlist>
348
349 <listitem>
350 <para>
351 When using remote iSCSI storage and the storage server
352 requires authentication, an initiator secret can optionally
353 be supplied with the <computeroutput>VBoxManage
354 storageattach</computeroutput> command. As long as no
355 settings password is provided, by using the command line
356 option <option>--settingspwfile</option>, then this secret
357 is stored <emphasis>unencrypted</emphasis> in the machine
358 configuration and is therefore potentially readable on the
359 host. See <xref
360 linkend="storage-iscsi" /> and
361 <xref
362 linkend="vboxmanage-storageattach" />.
363 </para>
364 </listitem>
365
366 <listitem>
367 <para>
368 When using the VirtualBox web service to control a
369 VirtualBox host remotely, connections to the web service are
370 authenticated in various ways. This is described in detail
371 in the VirtualBox Software Development Kit (SDK) reference.
372 See <xref
373 linkend="VirtualBoxAPI" />.
374 </para>
375 </listitem>
376
377 </itemizedlist>
378
379 </sect2>
380
381<!--
382 <sect2 id="access-control-config-using">
383 <title>Configuring and Using Access Control</title>
384 </sect2>
385
386 <sect2 id="security-audit-config-using">
387 <title>Configuring and Using Security Audit</title>
388 </sect2>
389
390 <sect2 id="security-other-features-config-using">
391 <title>Configuring and Using Other Security Features</title>
392 </sect2>
393 -->
394
395 <sect2 id="pot-insecure">
396
397 <title>Potentially Insecure Operations</title>
398
399 <para>
400 The following features of VirtualBox can present security
401 problems:
402 </para>
403
404 <itemizedlist>
405
406 <listitem>
407 <para>
408 Enabling 3D graphics via the Guest Additions exposes the
409 host to additional security risks. See
410 <xref
411 linkend="guestadd-3d" />.
412 </para>
413 </listitem>
414
415 <listitem>
416 <para>
417 When teleporting a machine, the data stream through which
418 the machine's memory contents are transferred from one host
419 to another is not encrypted. A third party with access to
420 the network through which the data is transferred could
421 therefore intercept that data. An SSH tunnel could be used
422 to secure the connection between the two hosts. But when
423 considering teleporting a VM over an untrusted network the
424 first question to answer is how both VMs can securely access
425 the same virtual disk image with a reasonable performance.
426 </para>
427 </listitem>
428
429 <listitem>
430 <para>
431 When Page Fusion, see <xref linkend="guestadd-pagefusion"/>,
432 is enabled, it is possible that a side-channel opens up that
433 allows a malicious guest to determine the address space of
434 another VM running on the same host layout. For example,
435 where DLLs are typically loaded. This information leak in
436 itself is harmless, however the malicious guest may use it
437 to optimize attack against that VM via unrelated attack
438 vectors. It is recommended to only enable Page Fusion if you
439 do not think this is a concern in your setup.
440 </para>
441 </listitem>
442
443 <listitem>
444 <para>
445 When using the VirtualBox web service to control a
446 VirtualBox host remotely, connections to the web service,
447 over which the API calls are transferred using SOAP XML, are
448 not encrypted. They use plain HTTP by default. This is a
449 potential security risk. For details about the web service,
450 see <xref linkend="VirtualBoxAPI" />.
451 </para>
452
453 <para>
454 The web services are not started by default. See
455 <xref linkend="vboxwebsrv-daemon"/> to find out how to start
456 this service and how to enable SSL/TLS support. It has to be
457 started as a regular user and only the VMs of that user can
458 be controlled. By default, the service binds to localhost
459 preventing any remote connection.
460 </para>
461 </listitem>
462
463 <listitem>
464 <para>
465 Traffic sent over a UDP Tunnel network attachment is not
466 encrypted. You can either encrypt it on the host network
467 level, with IPsec, or use encrypted protocols in the guest
468 network, such as SSH. The security properties are similar to
469 bridged Ethernet.
470 </para>
471 </listitem>
472
473 <listitem>
474 <para>
475 Because of shortcomings in older Windows versions, using
476 VirtualBox on Windows versions older than Vista with Service
477 Pack 1 is not recommended.
478 </para>
479 </listitem>
480
481 </itemizedlist>
482
483 </sect2>
484
485 <sect2 id="security-encryption">
486
487 <title>Encryption</title>
488
489 <para>
490 The following components of VirtualBox use encryption to protect
491 sensitive data:
492 </para>
493
494 <itemizedlist>
495
496 <listitem>
497 <para>
498 When using the VirtualBox extension pack provided by Oracle
499 for VRDP remote desktop support, RDP data can optionally be
500 encrypted. See <xref linkend="vrde-crypt" />. Only the
501 Enhanced RDP Security method (RDP5.2) with TLS protocol
502 provides a secure connection. Standard RDP Security (RDP4
503 and RDP5.1) is vulnerable to a man-in-the-middle attack.
504 </para>
505 </listitem>
506
507 </itemizedlist>
508
509 </sect2>
510
511 </sect1>
512
513<!--
514 <sect1 id="security-devel">
515 <title>Security Considerations for Developers</title>
516 </sect1>
517 -->
518
519</chapter>
Note: See TracBrowser for help on using the repository browser.

© 2024 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette