VirtualBox

source: vbox/trunk/doc/manual/en_US/user_Security.xml@ 91099

Last change on this file since 91099 was 87077, checked in by vboxsync, 4 years ago

doc/manual: Integrate a collection of documentation improvements: sensitive terminology, diversity statement, clear messaging on what is eligible for enterprise support, OCI integration docs, export to OCI and incorrect UI doc referring to host-only networking when that place allows configuring NAT Networks
  • Property svn:eol-style set to native
  • Property svn:keywords set to Author Date Id Revision
File size: 26.4 KB
Line 
1<?xml version="1.0" encoding="UTF-8"?>
2<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd"[
4<!ENTITY % all.entities SYSTEM "all-entities.ent">
5%all.entities;
6]>
7<chapter id="Security">
8
9 <title>Security Guide</title>
10
11 <sect1 id="security-general">
12
13 <title>General Security Principles</title>
14
15 <para>
16 The following principles are fundamental to using any application
17 securely.
18 </para>
19
20 <itemizedlist>
21
22 <listitem>
23 <para>
24 <emphasis role="bold">Keep software up to date</emphasis>. One
25 of the principles of good security practise is to keep all
26 software versions and patches up to date. Activate the
27 &product-name; update notification to get notified when a new
28 &product-name; release is available. When updating
29 &product-name;, do not forget to update the Guest Additions.
30 Keep the host operating system as well as the guest operating
31 system up to date.
32 </para>
33 </listitem>
34
35 <listitem>
36 <para>
37 <emphasis role="bold">Restrict network access to critical
38 services.</emphasis> Use proper means, for instance a
39 firewall, to protect your computer and your guests from
40 accesses from the outside. Choosing the proper networking mode
41 for VMs helps to separate host networking from the guest and
42 vice versa.
43 </para>
44 </listitem>
45
46 <listitem>
47 <para>
48 <emphasis role="bold">Follow the principle of least
49 privilege.</emphasis> The principle of least privilege states
50 that users should be given the least amount of privilege
51 necessary to perform their jobs. Always execute &product-name;
52 as a regular user. We strongly discourage anyone from
53 executing &product-name; with system privileges.
54 </para>
55
56 <para>
57 Choose restrictive permissions when creating configuration
58 files, for instance when creating /etc/default/virtualbox, see
59 <xref linkend="linux_install_opts"/>. Mode 0600 is preferred.
60 </para>
61 </listitem>
62
63 <listitem>
64 <para>
65 <emphasis role="bold">Monitor system activity.</emphasis>
66 System security builds on three pillars: good security
67 protocols, proper system configuration and system monitoring.
68 Auditing and reviewing audit records address the third
69 requirement. Each component within a system has some degree of
70 monitoring capability. Follow audit advice in this document
71 and regularly monitor audit records.
72 </para>
73 </listitem>
74
75 <listitem>
76 <para>
77 <emphasis role="bold">Keep up to date on latest security
78 information.</emphasis> Oracle continually improves its
79 software and documentation. Check this note yearly for
80 revisions.
81 </para>
82 </listitem>
83
84 </itemizedlist>
85
86 </sect1>
87
88 <sect1 id="security-secure-install">
89
90 <title>Secure Installation and Configuration</title>
91
92 <sect2 id="security-secure-install-overview">
93
94 <title>Installation Overview</title>
95
96 <para>
97 The &product-name; base package should be downloaded only from a
98 trusted source, for instance the official website
99 <ulink url="http://www.virtualbox.org" />. The integrity of the
100 package should be verified with the provided SHA256 checksum
101 which can be found on the official website.
102 </para>
103
104 <para>
105 General &product-name; installation instructions for the
106 supported hosts can be found in <xref linkend="installation"/>.
107 </para>
108
109 <para>
110 On Windows hosts, the installer can be used to disable USB
111 support, support for bridged networking, support for host-only
112 networking and the Python language binding. See
113 <xref linkend="installation_windows"/>. All these features are
114 enabled by default but disabling some of them could be
115 appropriate if the corresponding functionality is not required
116 by any virtual machine. The Python language bindings are only
117 required if the &product-name; API is to be used by external
118 Python applications. In particular USB support and support for
119 the two networking modes require the installation of Windows
120 kernel drivers on the host. Therefore disabling those selected
121 features can not only be used to restrict the user to certain
122 functionality but also to minimize the surface provided to a
123 potential attacker.
124 </para>
125
126 <para>
127 The general case is to install the complete &product-name;
128 package. The installation must be done with system privileges.
129 All &product-name; binaries should be executed as a regular user
130 and never as a privileged user.
131 </para>
132
133 <para>
134 The &product-name; Extension Pack provides additional features
135 and must be downloaded and installed separately, see
136 <xref linkend="intro-installing"/>. As for the base package, the
137 SHA256 checksum of the extension pack should be verified. As the
138 installation requires system privileges, &product-name; will ask
139 for the system password during the installation of the extension
140 pack.
141 </para>
142
143 </sect2>
144
145 <sect2 id="security-secure-install-postinstall">
146
147 <title>Post Installation Configuration</title>
148
149 <para>
150 Normally there is no post installation configuration of
151 &product-name; components required. However, on Oracle Solaris
152 and Linux hosts it is necessary to configure the proper
153 permissions for users executing VMs and who should be able to
154 access certain host resources. For instance, Linux users must be
155 member of the <emphasis>vboxusers</emphasis> group to be able to
156 pass USB devices to a guest. If a serial host interface should
157 be accessed from a VM, the proper permissions must be granted to
158 the user to be able to access that device. The same applies to
159 other resources like raw partitions, DVD/CD drives, and sound
160 devices.
161 </para>
162
163 </sect2>
164
165 </sect1>
166
167 <sect1 id="security-features">
168
169 <title>Security Features</title>
170
171 <para>
172 This section outlines the specific security mechanisms offered by
173 &product-name;.
174 </para>
175
176 <sect2 id="security-model">
177
178 <title>The Security Model</title>
179
180 <para>
181 One property of virtual machine monitors (VMMs) like
182 &product-name; is to encapsulate a guest by executing it in a
183 protected environment, a virtual machine, running as a user
184 process on the host operating system. The guest cannot
185 communicate directly with the hardware or other computers but
186 only through the VMM. The VMM provides emulated physical
187 resources and devices to the guest which are accessed by the
188 guest operating system to perform the required tasks. The VM
189 settings control the resources provided to the guest, for
190 example the amount of guest memory or the number of guest
191 processors and the enabled features for that guest. For example
192 remote control, certain screen settings and others. See
193 <xref linkend="generalsettings"/>.
194 </para>
195
196 </sect2>
197
198 <sect2 id="secure-config-vms">
199
200 <title>Secure Configuration of Virtual Machines</title>
201
202 <para>
203 Several aspects of a virtual machine configuration are subject
204 to security considerations.
205 </para>
206
207 <sect3 id="security-networking">
208
209 <title>Networking</title>
210
211 <para>
212 The default networking mode for VMs is NAT which means that
213 the VM acts like a computer behind a router, see
214 <xref linkend="network_nat"/>. The guest is part of a private
215 subnet belonging to this VM and the guest IP is not visible
216 from the outside. This networking mode works without any
217 additional setup and is sufficient for many purposes. Keep in
218 mind that NAT allows access to the host operating system's
219 loopback interface.
220 </para>
221
222 <para>
223 If bridged networking is used, the VM acts like a computer
224 inside the same network as the host, see
225 <xref linkend="network_bridged"/>. In this case, the guest has
226 the same network access as the host and a firewall might be
227 necessary to protect other computers on the subnet from a
228 potential malicious guest as well as to protect the guest from
229 a direct access from other computers. In some cases it is
230 worth considering using a forwarding rule for a specific port
231 in NAT mode instead of using bridged networking.
232 </para>
233
234 <para>
235 Some setups do not require a VM to be connected to the public
236 network at all. Internal networking, see
237 <xref linkend="network_internal"/>, or host-only networking,
238 see <xref linkend="network_hostonly"/>, are often sufficient
239 to connect VMs among each other or to connect VMs only with
240 the host but not with the public network.
241 </para>
242
243 </sect3>
244
245 <sect3 id="security-vrdp-auth">
246
247 <title>VRDP Remote Desktop Authentication</title>
248
249 <para>
250 When using the &product-name; Extension Pack provided by
251 Oracle for VRDP remote desktop support, you can optionally use
252 various methods to configure RDP authentication. The "null"
253 method is very insecure and should be avoided in a public
254 network. See <xref linkend="vbox-auth" />.
255 </para>
256
257 </sect3>
258
259 <sect3 id="security_clipboard">
260
261 <title>Clipboard</title>
262
263 <para>
264 The shared clipboard enables users to share data between the
265 host and the guest. Enabling the clipboard in Bidirectional
266 mode enables the guest to read and write the host clipboard.
267 The Host to Guest mode and the Guest to Host mode limit the
268 access to one direction. If the guest is able to access the
269 host clipboard it can also potentially access sensitive data
270 from the host which is shared over the clipboard.
271 </para>
272
273 <para>
274 If the guest is able to read from and/or write to the host
275 clipboard then a remote user connecting to the guest over the
276 network will also gain this ability, which may not be
277 desirable. As a consequence, the shared clipboard is disabled
278 for new machines.
279 </para>
280
281 </sect3>
282
283 <sect3 id="security-shared-folders">
284
285 <title>Shared Folders</title>
286
287 <para>
288 If any host folder is shared with the guest then a remote user
289 connected to the guest over the network can access these files
290 too as the folder sharing mechanism cannot be selectively
291 disabled for remote users.
292 </para>
293
294 </sect3>
295
296 <sect3 id="security-3d-graphics">
297
298 <title>3D Graphics Acceleration</title>
299
300 <para>
301 Enabling 3D graphics using the Guest Additions exposes the
302 host to additional security risks. See
303 <xref
304 linkend="guestadd-3d" />.
305 </para>
306
307 </sect3>
308
309 <sect3 id="security-cd-dvd-passthrough">
310
311 <title>CD/DVD Passthrough</title>
312
313 <para>
314 Enabling CD/DVD passthrough enables the guest to perform
315 advanced operations on the CD/DVD drive, see
316 <xref linkend="storage-cds"/>. This could induce a security
317 risk as a guest could overwrite data on a CD/DVD medium.
318 </para>
319
320 </sect3>
321
322 <sect3 id="security-usb-passthrough">
323
324 <title>USB Passthrough</title>
325
326 <para>
327 Passing USB devices to the guest provides the guest full
328 access to these devices, see <xref linkend="settings-usb"/>.
329 For instance, in addition to reading and writing the content
330 of the partitions of an external USB disk the guest will be
331 also able to read and write the partition table and hardware
332 data of that disk.
333 </para>
334
335 </sect3>
336
337 </sect2>
338
339 <sect2 id="auth-config-using">
340
341 <title>Configuring and Using Authentication</title>
342
343 <para>
344 The following components of &product-name; can use passwords for
345 authentication:
346 </para>
347
348 <itemizedlist>
349
350 <listitem>
351 <para>
352 When using remote iSCSI storage and the storage server
353 requires authentication, an initiator secret can optionally
354 be supplied with the <command>VBoxManage
355 storageattach</command> command. As long as no settings
356 password is provided, by using the command line option
357 <option>--settingspwfile</option>, then this secret is
358 stored <emphasis>unencrypted</emphasis> in the machine
359 configuration and is therefore potentially readable on the
360 host. See <xref linkend="storage-iscsi" /> and
361 <xref linkend="vboxmanage-storageattach" />.
362 </para>
363 </listitem>
364
365 <listitem>
366 <para>
367 When using the &product-name; web service to control an
368 &product-name; host remotely, connections to the web service
369 are authenticated in various ways. This is described in
370 detail in the &product-name; Software Development Kit (SDK)
371 reference. See <xref linkend="VirtualBoxAPI" />.
372 </para>
373 </listitem>
374
375 </itemizedlist>
376
377 </sect2>
378
379<!--
380 <sect2 id="access-control-config-using">
381 <title>Configuring and Using Access Control</title>
382 </sect2>
383
384 <sect2 id="security-audit-config-using">
385 <title>Configuring and Using Security Audit</title>
386 </sect2>
387
388 <sect2 id="security-other-features-config-using">
389 <title>Configuring and Using Other Security Features</title>
390 </sect2>
391 -->
392
393 <sect2 id="pot-insecure">
394
395 <title>Potentially Insecure Operations</title>
396
397 <para>
398 The following features of &product-name; can present security
399 problems:
400 </para>
401
402 <itemizedlist>
403
404 <listitem>
405 <para>
406 Enabling 3D graphics using the Guest Additions exposes the
407 host to additional security risks. See
408 <xref
409 linkend="guestadd-3d" />.
410 </para>
411 </listitem>
412
413 <listitem>
414 <para>
415 When teleporting a machine, the data stream through which
416 the machine's memory contents are transferred from one host
417 to another is not encrypted. A third party with access to
418 the network through which the data is transferred could
419 therefore intercept that data. An SSH tunnel could be used
420 to secure the connection between the two hosts. But when
421 considering teleporting a VM over an untrusted network the
422 first question to answer is how both VMs can securely access
423 the same virtual disk image with a reasonable performance.
424 </para>
425 </listitem>
426
427 <listitem>
428 <para>
429 When Page Fusion, see <xref linkend="guestadd-pagefusion"/>,
430 is enabled, it is possible that a side-channel opens up that
431 enables a malicious guest to determine the address space of
432 another VM running on the same host layout. For example,
433 where DLLs are typically loaded. This information leak in
434 itself is harmless, however the malicious guest may use it
435 to optimize attack against that VM through unrelated attack
436 vectors. It is recommended to only enable Page Fusion if you
437 do not think this is a concern in your setup.
438 </para>
439 </listitem>
440
441 <listitem>
442 <para>
443 When using the &product-name; web service to control an
444 &product-name; host remotely, connections to the web
445 service, over which the API calls are transferred using SOAP
446 XML, are not encrypted. They use plain HTTP by default. This
447 is a potential security risk. For details about the web
448 service, see <xref linkend="VirtualBoxAPI" />.
449 </para>
450
451 <para>
452 The web services are not started by default. See
453 <xref linkend="vboxwebsrv-daemon"/> to find out how to start
454 this service and how to enable SSL/TLS support. It has to be
455 started as a regular user and only the VMs of that user can
456 be controlled. By default, the service binds to localhost
457 preventing any remote connection.
458 </para>
459 </listitem>
460
461 <listitem>
462 <para>
463 Traffic sent over a UDP Tunnel network attachment is not
464 encrypted. You can either encrypt it on the host network
465 level, with IPsec, or use encrypted protocols in the guest
466 network, such as SSH. The security properties are similar to
467 bridged Ethernet.
468 </para>
469 </listitem>
470
471 <listitem>
472 <para>
473 Because of shortcomings in older Windows versions, using
474 &product-name; on Windows versions older than Vista with
475 Service Pack 1 is not recommended.
476 </para>
477 </listitem>
478
479 </itemizedlist>
480
481 </sect2>
482
483 <sect2 id="security-encryption">
484
485 <title>Encryption</title>
486
487 <para>
488 The following components of &product-name; use encryption to
489 protect sensitive data:
490 </para>
491
492 <itemizedlist>
493
494 <listitem>
495 <para>
496 When using the &product-name; Extension Pack provided by
497 Oracle for VRDP remote desktop support, RDP data can
498 optionally be encrypted. See <xref linkend="vrde-crypt" />.
499 Only the Enhanced RDP Security method (RDP5.2) with TLS
500 protocol provides a secure connection. Standard RDP Security
501 (RDP4 and RDP5.1) is vulnerable to a man-in-the-middle
502 attack.
503 </para>
504 </listitem>
505
506 <listitem>
507 <para>
508 When using the &product-name; Extension Pack provided by
509 Oracle for disk encryption, the data stored in disk images
510 can optionally be encrypted. See
511 <xref linkend="diskencryption" />. This feature covers disk
512 image content only. All other data for a virtual machine is
513 stored unencrypted, including the VM's memory and device
514 state which is stored as part of a saved state, both when
515 created explicitly or part of a snapshot of a running VM.
516 </para>
517 </listitem>
518
519 </itemizedlist>
520
521 </sect2>
522
523 </sect1>
524
525<!--
526 <sect1 id="security-devel">
527 <title>Security Considerations for Developers</title>
528 </sect1>
529 -->
530
531 <sect1 id="security-recommendations">
532
533 <title>Security Recommendations</title>
534
535 <para>
536 This section contains security recommendations for specific
537 issues. By default VirtualBox will configure the VMs to run in a
538 secure manner, however this may not always be possible without
539 additional user actions such as host OS or firmware configuration
540 changes.
541 </para>
542
543 <sect2 id="sec-rec-cve-2018-3646">
544
545 <title>CVE-2018-3646</title>
546
547 <para>
548 This security issue affect a range of Intel CPUs with nested
549 paging. AMD CPUs are expected not to be impacted (pending direct
550 confirmation by AMD). Also the issue does not affect VMs running
551 with hardware virtualization disabled or with nested paging
552 disabled.
553 </para>
554
555 <para>
556 For more information about nested paging, see
557 <xref linkend="nestedpaging" />.
558 </para>
559
560 <para>
561 The following mitigation options are available.
562 </para>
563
564 <sect3>
565
566 <title>Disable Nested Paging</title>
567
568 <para>
569 By disabling nested paging (EPT), the VMM will construct page
570 tables shadowing the ones in the guest. It is no possible for
571 the guest to insert anything fishy into the page tables, since
572 the VMM carefully validates each entry before shadowing it.
573 </para>
574
575 <para>
576 As a side effect of disabling nested paging, several CPU
577 features will not be made available to the guest. Among these
578 features are AVX, AVX2, XSAVE, AESNI, and POPCNT. Not all
579 guests may be able to cope with dropping these features after
580 installation. Also, for some guests, especially in SMP
581 configurations, there could be stability issues arising from
582 disabling nested paging. Finally, some workloads may
583 experience a performance degradation.
584 </para>
585
586 </sect3>
587
588 <sect3>
589
590 <title>Flushing the Level 1 Data Cache</title>
591
592 <para>
593 This aims at removing potentially sensitive data from the
594 level 1 data cache when running guest code. However, it is
595 made difficult by hyper-threading setups sharing the level 1
596 cache and thereby potentially letting the other thread in a
597 pair refill the cache with data the user does not want the
598 guest to see. In addition, flushing the level 1 data cache is
599 usually not without performance side effects.
600 </para>
601
602 <para>
603 Up to date CPU microcode is a prerequisite for the cache
604 flushing mitigations. Some host OSes may install these
605 automatically, though it has traditionally been a task best
606 performed by the system firmware. So, please check with your
607 system / mainboard manufacturer for the latest firmware
608 update.
609 </para>
610
611 <para>
612 We recommend disabling hyper threading on the host. This is
613 traditionally done from the firmware setup, but some OSes also
614 offers ways disable HT. In some cases it may be disabled by
615 default, but please verify as the effectiveness of the
616 mitigation depends on it.
617 </para>
618
619 <para>
620 The default action taken by VirtualBox is to flush the level 1
621 data cache when a thread is scheduled to execute guest code,
622 rather than on each VM entry. This reduces the performance
623 impact, while making the assumption that the host OS will not
624 handle security sensitive data from interrupt handlers and
625 similar without taking precautions.
626 </para>
627
628 <para>
629 A more aggressive flushing option is provided via the
630 <command>VBoxManage modifyvm</command>
631 <option>--l1d-flush-on-vm-entry</option> option. When enabled
632 the level 1 data cache will be flushed on every VM entry. The
633 performance impact is greater than with the default option,
634 though this of course depends on the workload. Workloads
635 producing a lot of VM exits (like networking, VGA access, and
636 similiar) will probably be most impacted.
637 </para>
638
639 <para>
640 For users not concerned by this security issue, the default
641 mitigation can be disabled using the <command>VBoxManage
642 modifyvm name --l1d-flush-on-sched off</command> command.
643 </para>
644
645 </sect3>
646
647 </sect2>
648
649 <sect2 id="sec-rec-cve-2018-12126-et-al">
650
651 <title>CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091</title>
652
653 <para>
654 These security issues affect a range of Intel CPUs starting with
655 Nehalem. The CVE-2018-12130 also affects some Atom Silvermont,
656 Atom Airmont, and Knights family CPUs, however the scope is so
657 limited that the host OS should deal with it and &product-name;
658 is therefore not affected. Leaks only happens when entering and
659 leaving C states.
660 </para>
661
662 <para>
663 The following mitigation option is available.
664 </para>
665
666 <sect3>
667
668 <title>Buffer Overwriting and Disabling Hyper-Threading</title>
669
670 <para>
671 First, up to date CPU microcode is a prerequisite for the
672 buffer overwriting (clearing) mitigations. Some host OSes may
673 install these automatically, though it has traditionally been
674 a task best performed by the system firmware. Please check
675 with your system or mainboard manufacturer for the latest
676 firmware update.
677 </para>
678
679 <para>
680 This mitigation aims at removing potentially sensitive data
681 from the affected buffers before running guest code. Since
682 this means additional work each time the guest is scheduled,
683 there might be some performance side effects.
684 </para>
685
686 <para>
687 We recommend disabling hyper-threading (HT) on hosts affected
688 by CVE-2018-12126 and CVE-2018-12127, because the affected
689 sets of buffers are normally shared between thread pairs and
690 therefore cause leaks between the threads. This is
691 traditionally done from the firmware setup, but some OSes also
692 offers ways disable HT. In some cases it may be disabled by
693 default, but please verify as the effectiveness of the
694 mitigation depends on it.
695 </para>
696
697 <para>
698 The default action taken by &product-name; is to clear the
699 affected buffers when a thread is scheduled to execute guest
700 code, rather than on each VM entry. This reduces the
701 performance impact, while making the assumption that the host
702 OS will not handle security sensitive data from interrupt
703 handlers and similar without taking precautions.
704 </para>
705
706 <para>
707 The <command>VBoxManage modifyvm</command> command provides a
708 more aggressive flushing option is provided by means of the
709 <option>--mds-clear-on-vm-entry</option> option. When enabled
710 the affected buffers will be cleared on every VM entry. The
711 performance impact is greater than with the default option,
712 though this of course depends on the workload. Workloads
713 producing a lot of VM exits (like networking, VGA access, and
714 similiar) will probably be most impacted.
715 </para>
716
717 <para>
718 For users not concerned by this security issue, the default
719 mitigation can be disabled using the <command>VBoxManage
720 modifyvm name --mds-clear-on-sched off</command> command.
721 </para>
722
723 </sect3>
724
725 </sect2>
726
727 </sect1>
728
729</chapter>
Note: See TracBrowser for help on using the repository browser.

© 2024 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette