Shared Clipboard gives guests too much access to the clipboard

[ivank]

The VirtualBox Shared Clipboard gives guests read or write access to the clipboard even when the window for the virtual machine is not focused. With clipboard sharing enabled, the guest can indefinitely monitor the host clipboard or replace its contents even with no recent user interaction with the VM. I believe this level of access is almost never necessary. VirtualBox could instead 1) wait for the VM window to become focused before copying the host clipboard into the VM 2) only let the VM set the host clipboard if the VM window is focused. This would drastically reduce the severity of attacks by guests that continuously sniff the host clipboard or maliciously replace its contents.

Tested: VirtualBox 5.1.14 official packages on Ubuntu 16.04.2 host, Ubuntu 16.04.2 guest

Continuously read the host clipboard, even when the VM window is not focused:

while true; do sleep 1; xclip -o; echo; done

Write the host clipboard, even when the VM window is not focused:

sleep 5; echo "rm -rf /tmp\n" | xclip -in -selection clipboard

[Socratis]

Replying to ivank:

the guest can indefinitely monitor the host clipboard

All applications have access to the clipboard at all times. VirtualBox is an application like Gedit, TextEdit or Notepad => it has access to the clipboard at all times.

or replace its contents even with no recent user interaction with the VM.

I wouldn't actually call your examples "no recent users interaction". On the contrary, you are interacting (writing) to the clipboard on purpose, just like if you were hitting Ctrl-V's all the time.

I believe this level of access is almost never necessary... This would drastically reduce the severity of attacks by guests that continuously sniff the host clipboard or maliciously replace its contents.

You have the option of not enabling the Shared Clipboard, enabling it Host->Guest, Guest->Host or Bidirectional. None of these options cover your case scenario? I mean, if I were to test a guest attack, the only thing I wouldn't enable is unrestricted access to a common read/write area of my system. I really don't believe that if the VM window has the focus or not is the most important aspect in your guest-attack testing...

1) wait for the VM window to become focused before copying the host clipboard into the VM 2) only let the VM set the host clipboard if the VM window is focused.

Do you know / can you name another application that behaves like this? I mean if you run those scripts on your Ubuntu host while the terminal does not have the focus, what's your expected result?

But, you ask a philosophical question and I admit that the bugtracker is not the place for philosophical discussions of that nature, so if you don't mind, could you open a thread in the ​Using VirtualBox section of the forums, where there are a lot more of users with a lot more (diverse) opinions about this? Thanks...

[ivank]

Thanks for your response.

Replying to socratis:

All applications have access to the clipboard at all times. VirtualBox is an application like Gedit, TextEdit or Notepad => it has access to the clipboard at all times.

Right, I'm okay with VirtualBox having access to clipboard at all times, but not the VM guest, even with bidirectional sharing enabled.

or replace its contents even with no recent user interaction with the VM.

I wouldn't actually call your examples "no recent users interaction". On the contrary, you are interacting (writing) to the clipboard on purpose, just like if you were hitting Ctrl-V's all the time.

I have several VMs running in the background, but when I'm putting things into the host clipboard it's usually not for the guest.

You have the option of not enabling the Shared Clipboard, enabling it Host->Guest, Guest->Host or Bidirectional. None of these options cover your case scenario?

Right, but the idea is to have the convenience of clipboard sharing enabled without actually sharing the clipboard with the guest unless you're actually working with the guest. Toggling clipboard sharing on and off can be pretty tedious.

1) wait for the VM window to become focused before copying the host clipboard into the VM 2) only let the VM set the host clipboard if the VM window is focused.

Do you know / can you name another application that behaves like this? I mean if you run those scripts on your Ubuntu host while the terminal does not have the focus, what's your expected result?

I'm okay with host applications in the same X session being able to sniff the clipboard because I know X has no real security and I account for that. But virtual machines provide both the opportunity and (often) expectation for more security than "clipboard free-for-all", especially when they're running less-trusted applications or operating systems.

VMware Workstation waits for the guest to be focused before copying in the host clipboard. So the VirtualBox behavior can be a little unexpected for ex-VMware users.

[JohnBP]

This may be causing a problem I am seeing: With Virtualbox running, some applications periodically report "Cannot open clipboard" this can cause Solidworks to crash. With Virtualbox shut down, clipboard works normally on host system.

[Socratis]

Replying to JohnBP:

This may be causing a problem I am seeing

The OP made a suggestion about the clipboard not being available at all times, as an option. I don't see how a suggestion is the same issue as a 3rd party application crash due to the clipboard contents. Just because it has the common word "clipboard" in the ticket description?

IMHO you should look harder for a more appropriate ticket.

[Bondi]

I absolutely agree with the original poster.

VirtualBox should only have access to the host clipboard while its window is focused.

In my case, I use the Virtualbox as a semi-trusted sandbox. I do need to copy text to the guest every day. However I don't feel comfortable with it having access to all the passwords that hit the host clipboard. And it is very tiresome to always enable/disable the bi-directional clipboard.

I understand that the "bidirectional only when window focused" / "host to guest only when window focused" is not a sure-proof thing. But it's not meant to be either, it's a good compromise, and would be nice and comfortable in practice.

[Michael Thayer]

On Linux hosts this should go away with the switch to Wayland and xwayland, as they already limit clipboard access to the window with the input focus. I do not know about other hosts.