1 | <?xml version="1.0" encoding="UTF-8"?>
2 | <!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3 | "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd"[
4 | <!ENTITY % all.entities SYSTEM "all-entities.ent">
5 | %all.entities;
6 | ]>
7 | <chapter id="Security">
8 |
9 | <title>Security Guide</title>
10 |
11 | <sect1 id="security-general">
12 |
13 | <title>General Security Principles</title>
14 |
15 | <para>
16 | The following principles are fundamental to using any application
17 | securely.
18 | </para>
19 |
20 | <itemizedlist>
21 |
22 | <listitem>
23 | <para>
24 | <emphasis role="strong">Keep software up to date</emphasis>.
25 | One of the principles of good security practise is to keep all
26 | software versions and patches up to date. Activate the
27 | &product-name; update notification to get notified when a new
28 | &product-name; release is available. When updating
29 | &product-name;, do not forget to update the Guest Additions.
30 | Keep the host operating system as well as the guest operating
31 | system up to date.
32 | </para>
33 | </listitem>
34 |
35 | <listitem>
36 | <para>
37 | <emphasis role="strong">Restrict network access to critical
38 | services.</emphasis> Use proper means, for instance a
39 | firewall, to protect your computer and your guests from
40 | accesses from the outside. Choosing the proper networking mode
41 | for VMs helps to separate host networking from the guest and
42 | vice versa.
43 | </para>
44 | </listitem>
45 |
46 | <listitem>
47 | <para>
48 | <emphasis role="strong">Follow the principle of least
49 | privilege.</emphasis> The principle of least privilege states
50 | that users should be given the least amount of privilege
51 | necessary to perform their jobs. Always execute &product-name;
52 | as a regular user. We strongly discourage anyone from
53 | executing &product-name; with system privileges.
54 | </para>
55 |
56 | <para>
57 | Choose restrictive permissions when creating configuration
58 | files, for instance when creating /etc/default/virtualbox, see
59 | <xref linkend="linux_install_opts"/>. Mode 0600 is preferred.
60 | </para>
61 | </listitem>
62 |
63 | <listitem>
64 | <para>
65 | <emphasis role="strong"> Monitor system activity.</emphasis>
66 | System security builds on three pillars: good security
67 | protocols, proper system configuration and system monitoring.
68 | Auditing and reviewing audit records address the third
69 | requirement. Each component within a system has some degree of
70 | monitoring capability. Follow audit advice in this document
71 | and regularly monitor audit records.
72 | </para>
73 | </listitem>
74 |
75 | <listitem>
76 | <para>
77 | <emphasis role="strong">Keep up to date on latest security
78 | information.</emphasis> Oracle continually improves its
79 | software and documentation. Check this note yearly for
80 | revisions.
81 | </para>
82 | </listitem>
83 |
84 | </itemizedlist>
85 |
86 | </sect1>
87 |
88 | <sect1 id="security-secure-install">
89 |
90 | <title>Secure Installation and Configuration</title>
91 |
92 | <sect2 id="security-secure-install-overview">
93 |
94 | <title>Installation Overview</title>
95 |
96 | <para>
97 | The &product-name; base package should be downloaded only from a
98 | trusted source, for instance the official website
99 | <ulink url="http://www.alldomusa.eu.org">http://www.alldomusa.eu.org</ulink>.
100 | The integrity of the package should be verified with the
101 | provided SHA256 checksum which can be found on the official
102 | website.
103 | </para>
104 |
105 | <para>
106 | General &product-name; installation instructions for the
107 | supported hosts can be found in <xref linkend="installation"/>.
108 | </para>
109 |
110 | <para>
111 | On Windows hosts, the installer can be used to disable USB
112 | support, support for bridged networking, support for host-only
113 | networking and the Python language binding. See
114 | <xref linkend="installation_windows"/>. All these features are
115 | enabled by default but disabling some of them could be
116 | appropriate if the corresponding functionality is not required
117 | by any virtual machine. The Python language bindings are only
118 | required if the &product-name; API is to be used by external
119 | Python applications. In particular USB support and support for
120 | the two networking modes require the installation of Windows
121 | kernel drivers on the host. Therefore disabling those selected
122 | features can not only be used to restrict the user to certain
123 | functionality but also to minimize the surface provided to a
124 | potential attacker.
125 | </para>
126 |
127 | <para>
128 | The general case is to install the complete &product-name;
129 | package. The installation must be done with system privileges.
130 | All &product-name; binaries should be executed as a regular user
131 | and never as a privileged user.
132 | </para>
133 |
134 | <para>
135 | The &product-name; Extension Pack provides additional features
136 | and must be downloaded and installed separately, see
137 | <xref linkend="intro-installing"/>. As for the base package, the
138 | SHA256 checksum of the extension pack should be verified. As the
139 | installation requires system privileges, &product-name; will ask
140 | for the system password during the installation of the extension
141 | pack.
142 | </para>
143 |
144 | </sect2>
145 |
146 | <sect2 id="security-secure-install-postinstall">
147 |
148 | <title>Post Installation Configuration</title>
149 |
150 | <para>
151 | Normally there is no post installation configuration of
152 | &product-name; components required. However, on Oracle Solaris
153 | and Linux hosts it is necessary to configure the proper
154 | permissions for users executing VMs and who should be able to
155 | access certain host resources. For instance, Linux users must be
156 | member of the <emphasis>vboxusers</emphasis> group to be able to
157 | pass USB devices to a guest. If a serial host interface should
158 | be accessed from a VM, the proper permissions must be granted to
159 | the user to be able to access that device. The same applies to
160 | other resources like raw partitions, DVD/CD drives, and sound
161 | devices.
162 | </para>
163 |
164 | </sect2>
165 |
166 | </sect1>
167 |
168 | <sect1 id="security-features">
169 |
170 | <title>Security Features</title>
171 |
172 | <para>
173 | This section outlines the specific security mechanisms offered by
174 | &product-name;.
175 | </para>
176 |
177 | <sect2 id="security-model">
178 |
179 | <title>The Security Model</title>
180 |
181 | <para>
182 | One property of virtual machine monitors (VMMs) like
183 | &product-name; is to encapsulate a guest by executing it in a
184 | protected environment, a virtual machine, running as a user
185 | process on the host operating system. The guest cannot
186 | communicate directly with the hardware or other computers but
187 | only through the VMM. The VMM provides emulated physical
188 | resources and devices to the guest which are accessed by the
189 | guest operating system to perform the required tasks. The VM
190 | settings control the resources provided to the guest, for
191 | example the amount of guest memory or the number of guest
192 | processors and the enabled features for that guest. For example
193 | remote control, certain screen settings and others. See
194 | <xref linkend="generalsettings"/>.
195 | </para>
196 |
197 | </sect2>
198 |
199 | <sect2 id="secure-config-vms">
200 |
201 | <title>Secure Configuration of Virtual Machines</title>
202 |
203 | <para>
204 | Several aspects of a virtual machine configuration are subject
205 | to security considerations.
206 | </para>
207 |
208 | <sect3 id="security-networking">
209 |
210 | <title>Networking</title>
211 |
212 | <para>
213 | The default networking mode for VMs is NAT which means that
214 | the VM acts like a computer behind a router, see
215 | <xref linkend="network_nat"/>. The guest is part of a private
216 | subnet belonging to this VM and the guest IP is not visible
217 | from the outside. This networking mode works without any
218 | additional setup and is sufficient for many purposes.
219 | </para>
220 |
221 | <para>
222 | If bridged networking is used, the VM acts like a computer
223 | inside the same network as the host, see
224 | <xref linkend="network_bridged"/>. In this case, the guest has
225 | the same network access as the host and a firewall might be
226 | necessary to protect other computers on the subnet from a
227 | potential malicious guest as well as to protect the guest from
228 | a direct access from other computers. In some cases it is
229 | worth considering using a forwarding rule for a specific port
230 | in NAT mode instead of using bridged networking.
231 | </para>
232 |
233 | <para>
234 | Some setups do not require a VM to be connected to the public
235 | network at all. Internal networking, see
236 | <xref linkend="network_internal"/>, or host-only networking,
237 | see <xref linkend="network_hostonly"/>, are often sufficient
238 | to connect VMs among each other or to connect VMs only with
239 | the host but not with the public network.
240 | </para>
241 |
242 | </sect3>
243 |
244 | <sect3 id="security-vrdp-auth">
245 |
246 | <title>VRDP Remote Desktop Authentication</title>
247 |
248 | <para>
249 | When using the &product-name; Extension Pack provided by
250 | Oracle for VRDP remote desktop support, you can optionally use
251 | various methods to configure RDP authentication. The "null"
252 | method is very insecure and should be avoided in a public
253 | network. See <xref linkend="vbox-auth" />.
254 | </para>
255 |
256 | </sect3>
257 |
258 | <sect3 id="security_clipboard">
259 |
260 | <title>Clipboard</title>
261 |
262 | <para>
263 | The shared clipboard enables users to share data between the
264 | host and the guest. Enabling the clipboard in Bidirectional
265 | mode enables the guest to read and write the host clipboard.
266 | The Host to Guest mode and the Guest to Host mode limit the
267 | access to one direction. If the guest is able to access the
268 | host clipboard it can also potentially access sensitive data
269 | from the host which is shared over the clipboard.
270 | </para>
271 |
272 | <para>
273 | If the guest is able to read from and/or write to the host
274 | clipboard then a remote user connecting to the guest over the
275 | network will also gain this ability, which may not be
276 | desirable. As a consequence, the shared clipboard is disabled
277 | for new machines.
278 | </para>
279 |
280 | </sect3>
281 |
282 | <sect3 id="security-shared-folders">
283 |
284 | <title>Shared Folders</title>
285 |
286 | <para>
287 | If any host folder is shared with the guest then a remote user
288 | connected to the guest over the network can access these files
289 | too as the folder sharing mechanism cannot be selectively
290 | disabled for remote users.
291 | </para>
292 |
293 | </sect3>
294 |
295 | <sect3 id="security-3d-graphics">
296 |
297 | <title>3D Graphics Acceleration</title>
298 |
299 | <para>
300 | Enabling 3D graphics using the Guest Additions exposes the
301 | host to additional security risks. See
302 | <xref
303 | linkend="guestadd-3d" />.
304 | </para>
305 |
306 | </sect3>
307 |
308 | <sect3 id="security-cd-dvd-passthrough">
309 |
310 | <title>CD/DVD Passthrough</title>
311 |
312 | <para>
313 | Enabling CD/DVD passthrough enables the guest to perform
314 | advanced operations on the CD/DVD drive, see
315 | <xref linkend="storage-cds"/>. This could induce a security
316 | risk as a guest could overwrite data on a CD/DVD medium.
317 | </para>
318 |
319 | </sect3>
320 |
321 | <sect3 id="security-usb-passthrough">
322 |
323 | <title>USB Passthrough</title>
324 |
325 | <para>
326 | Passing USB devices to the guest provides the guest full
327 | access to these devices, see <xref linkend="settings-usb"/>.
328 | For instance, in addition to reading and writing the content
329 | of the partitions of an external USB disk the guest will be
330 | also able to read and write the partition table and hardware
331 | data of that disk.
332 | </para>
333 |
334 | </sect3>
335 |
336 | </sect2>
337 |
338 | <sect2 id="auth-config-using">
339 |
340 | <title>Configuring and Using Authentication</title>
341 |
342 | <para>
343 | The following components of &product-name; can use passwords for
344 | authentication:
345 | </para>
346 |
347 | <itemizedlist>
348 |
349 | <listitem>
350 | <para>
351 | When using remote iSCSI storage and the storage server
352 | requires authentication, an initiator secret can optionally
353 | be supplied with the <command>VBoxManage
354 | storageattach</command> command. As long as no settings
355 | password is provided, by using the command line option
356 | <option>--settingspwfile</option>, then this secret is
357 | stored <emphasis>unencrypted</emphasis> in the machine
358 | configuration and is therefore potentially readable on the
359 | host. See <xref linkend="storage-iscsi" /> and
360 | <xref linkend="vboxmanage-storageattach" />.
361 | </para>
362 | </listitem>
363 |
364 | <listitem>
365 | <para>
366 | When using the &product-name; web service to control an
367 | &product-name; host remotely, connections to the web service
368 | are authenticated in various ways. This is described in
369 | detail in the &product-name; Software Development Kit (SDK)
370 | reference. See <xref linkend="VirtualBoxAPI" />.
371 | </para>
372 | </listitem>
373 |
374 | </itemizedlist>
375 |
376 | </sect2>
377 |
378 | <!--
379 | <sect2 id="access-control-config-using">
380 | <title>Configuring and Using Access Control</title>
381 | </sect2>
382 |
383 | <sect2 id="security-audit-config-using">
384 | <title>Configuring and Using Security Audit</title>
385 | </sect2>
386 |
387 | <sect2 id="security-other-features-config-using">
388 | <title>Configuring and Using Other Security Features</title>
389 | </sect2>
390 | -->
391 |
392 | <sect2 id="pot-insecure">
393 |
394 | <title>Potentially Insecure Operations</title>
395 |
396 | <para>
397 | The following features of &product-name; can present security
398 | problems:
399 | </para>
400 |
401 | <itemizedlist>
402 |
403 | <listitem>
404 | <para>
405 | Enabling 3D graphics using the Guest Additions exposes the
406 | host to additional security risks. See
407 | <xref
408 | linkend="guestadd-3d" />.
409 | </para>
410 | </listitem>
411 |
412 | <listitem>
413 | <para>
414 | When teleporting a machine, the data stream through which
415 | the machine's memory contents are transferred from one host
416 | to another is not encrypted. A third party with access to
417 | the network through which the data is transferred could
418 | therefore intercept that data. An SSH tunnel could be used
419 | to secure the connection between the two hosts. But when
420 | considering teleporting a VM over an untrusted network the
421 | first question to answer is how both VMs can securely access
422 | the same virtual disk image with a reasonable performance.
423 | </para>
424 | </listitem>
425 |
426 | <listitem>
427 | <para>
428 | When Page Fusion, see <xref linkend="guestadd-pagefusion"/>,
429 | is enabled, it is possible that a side-channel opens up that
430 | enables a malicious guest to determine the address space of
431 | another VM running on the same host layout. For example,
432 | where DLLs are typically loaded. This information leak in
433 | itself is harmless, however the malicious guest may use it
434 | to optimize attack against that VM through unrelated attack
435 | vectors. It is recommended to only enable Page Fusion if you
436 | do not think this is a concern in your setup.
437 | </para>
438 | </listitem>
439 |
440 | <listitem>
441 | <para>
442 | When using the &product-name; web service to control an
443 | &product-name; host remotely, connections to the web
444 | service, over which the API calls are transferred using SOAP
445 | XML, are not encrypted. They use plain HTTP by default. This
446 | is a potential security risk. For details about the web
447 | service, see <xref linkend="VirtualBoxAPI" />.
448 | </para>
449 |
450 | <para>
451 | The web services are not started by default. See
452 | <xref linkend="vboxwebsrv-daemon"/> to find out how to start
453 | this service and how to enable SSL/TLS support. It has to be
454 | started as a regular user and only the VMs of that user can
455 | be controlled. By default, the service binds to localhost
456 | preventing any remote connection.
457 | </para>
458 | </listitem>
459 |
460 | <listitem>
461 | <para>
462 | Traffic sent over a UDP Tunnel network attachment is not
463 | encrypted. You can either encrypt it on the host network
464 | level, with IPsec, or use encrypted protocols in the guest
465 | network, such as SSH. The security properties are similar to
466 | bridged Ethernet.
467 | </para>
468 | </listitem>
469 |
470 | <listitem>
471 | <para>
472 | Because of shortcomings in older Windows versions, using
473 | &product-name; on Windows versions older than Vista with
474 | Service Pack 1 is not recommended.
475 | </para>
476 | </listitem>
477 |
478 | </itemizedlist>
479 |
480 | </sect2>
481 |
482 | <sect2 id="security-encryption">
483 |
484 | <title>Encryption</title>
485 |
486 | <para>
487 | The following components of &product-name; use encryption to
488 | protect sensitive data:
489 | </para>
490 |
491 | <itemizedlist>
492 |
493 | <listitem>
494 | <para>
495 | When using the &product-name; Extension Pack provided by
496 | Oracle for VRDP remote desktop support, RDP data can
497 | optionally be encrypted. See <xref linkend="vrde-crypt" />.
498 | Only the Enhanced RDP Security method (RDP5.2) with TLS
499 | protocol provides a secure connection. Standard RDP Security
500 | (RDP4 and RDP5.1) is vulnerable to a man-in-the-middle
501 | attack.
502 | </para>
503 | </listitem>
504 |
505 | <listitem>
506 | <para>
507 | When using the &product-name; Extension Pack provided by
508 | Oracle for disk encryption, the data stored in disk images can
509 | optionally be encrypted. See <xref linkend="diskencryption" />.
510 | This feature covers disk image content only. All other data
511 | for a virtual machine is stored unencrypted, including the VM's
512 | memory and device state which is stored as part of a saved
513 | state, both when created explicitly or part of a snapshot of a
514 | running VM.
515 | </para>
516 | </listitem>
517 |
518 | </itemizedlist>
519 |
520 | </sect2>
521 |
522 | </sect1>
523 |
524 | <!--
525 | <sect1 id="security-devel">
526 | <title>Security Considerations for Developers</title>
527 | </sect1>
528 | -->
529 |
530 | <sect1 id="security-recommendations">
531 |
532 | <title>Security Recommendations</title>
533 |
534 | <para>
535 | This section contains security recommendations for specific
536 | issues. By default VirtualBox will configure the VMs to run in a
537 | secure manner, however this may not always be possible without
538 | additional user actions (e.g. host OS / firmware configuration
539 | changes).
540 | </para>
541 |
542 | <sect2 id="sec-rec-cve-2018-3646">
543 |
544 | <title>CVE-2018-3646</title>
545 |
546 | <para>
547 | This security issue affect a range of Intel CPUs with nested
548 | paging. AMD CPUs are expected not to be impacted (pending direct
549 | confirmation by AMD). Also the issue does not affect VMs running
550 | with hardware virtualization disabled or with nested paging
551 | disabled.
552 | </para>
553 |
554 | <para>
555 | For more information about nested paging, see
556 | <xref linkend="nestedpaging" />.
557 | </para>
558 |
559 | <para>
560 | Mitigation options:
561 | </para>
562 |
563 | <sect3>
564 |
565 | <title>Disable nested paging</title>
566 |
567 | <para>
568 | By disabling nested paging (EPT), the VMM will construct page
569 | tables shadowing the ones in the guest. It is no possible for
570 | the guest to insert anything fishy into the page tables, since
571 | the VMM carefully validates each entry before shadowing it.
572 | </para>
573 |
574 | <para>
575 | As a side effect of disabling nested paging, several CPU
576 | features will not be made available to the guest. Among these
577 | features are AVX, AVX2, XSAVE, AESNI, and POPCNT. Not all
578 | guests may be able to cope with dropping these features after
579 | installation. Also, for some guests, especially in SMP
580 | configurations, there could be stability issues arrising from
581 | disabling nested paging. Finally, some workloads may
582 | experience a performance degradation.
583 | </para>
584 |
585 | </sect3>
586 |
587 | <sect3>
588 |
589 | <title>Flushing the level 1 data cache</title>
590 |
591 | <para>
592 | This aims at removing potentially sensitive data from the
593 | level 1 data cache when running guest code. However, it is
594 | made difficult by hyper-threading setups sharing the level 1
595 | cache and thereby potentially letting the other thread in a
596 | pair refill the cache with data the user does not want the
597 | guest to see. In addition, flushing the level 1 data cache is
598 | usually not without performance side effects.
599 | </para>
600 |
601 | <para>
602 | Up to date CPU microcode is a prerequisite for the cache
603 | flushing mitigations. Some host OSes may install these
604 | automatically, though it has traditionally been a task best
605 | performed by the system firmware. So, please check with your
606 | system / mainboard manufacturer for the latest firmware
607 | update.
608 | </para>
609 |
610 | <para>
611 | We recommend disabling hyper threading on the host. This is
612 | traditionally done from the firmware setup, but some OSes also
613 | offers ways disable HT. In some cases it may be disabled by
614 | default, but please verify as the effectiveness of the
615 | mitigation depends on it.
616 | </para>
617 |
618 | <para>
619 | The default action taken by VirtualBox is to flush the level 1
620 | data cache when a thread is scheduled to execute guest code,
621 | rather than on each VM entry. This reduces the performance
622 | impact, while making the assumption that the host OS will not
623 | handle security sensitive data from interrupt handlers and
624 | similar without taking precautions.
625 | </para>
626 |
627 | <para>
628 | A more aggressive flushing option is provided via the
629 | VBoxManage modifyvm option
630 | <computeroutput>--l1d-flush-on-vm-entry</computeroutput>. When
631 | enabled the level 1 data cache will be flushed on every VM
632 | entry. The performance impact is greater than with the default
633 | option, though this of course depends on the workload.
634 | Workloads producing a lot of VM exits (like networking, VGA
635 | access, and similiar) will probably be most impacted.
636 | </para>
637 |
638 | <para>
639 | For users not concerned by this security issue, the default
640 | mitigation can be disabled using
641 | </para>
642 |
643 | <para>
644 | <computeroutput>VBoxManage modifyvm name --l1d-flush-on-sched
645 | off</computeroutput>
646 | </para>
647 |
648 | </sect3>
649 |
650 | </sect2>
651 |
652 | <sect2 id="sec-rec-cve-2018-12126-et-al">
653 |
654 | <title>CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091</title>
655 |
656 | <para>
657 | These security issues affect a range of Intel CPUs starting with
658 | Nehalem. The CVE-2018-12130 also affects some Atom Silvermont,
659 | Atom Airmont, and Knights family CPUs, however the scope is so limited
660 | that the host OS should deal with it for us and VBox therefore not
661 | be affected (leaks only happens when entering and leaving C states).
662 | </para>
663 |
664 | <para>
665 | Mitigation option:
666 | </para>
667 |
668 | <sect3>
669 |
670 | <title>Buffer overwriting and disabling HT</title>
671 |
672 | <para>
673 | First, up to date CPU microcode is a prerequisite for the buffer
674 | overwriting (clearing) mitigations. Some host OSes may install
675 | these automatically, though it has traditionally been a task best
676 | performed by the system firmware. So, please check with your
677 | system / mainboard manufacturer for the latest firmware update.
678 | </para>
679 |
680 | <para>
681 | This mitigation aims at removing potentially sensitive data from
682 | the affected buffers before running guest code. Since this means
683 | additional work each time the guest is scheduled, there might be
684 | some performance side effects.
685 | </para>
686 |
687 | <para>
688 | We recommend disabling hyper threading on host affected by
689 | CVE-2018-12126 and CVE-2018-12127 because the affected sets of
690 | buffers are normally shared between thread pairs and therefore
691 | cause leaks between the threads. This is traditionally done from
692 | the firmware setup, but some OSes also offers ways disable HT. In
693 | some cases it may be disabled by default, but please verify as the
694 | effectiveness of the mitigation depends on it.
695 | </para>
696 |
697 | <para>
698 | The default action taken by VirtualBox is to clear the affected
699 | buffers when a thread is scheduled to execute guest code, rather
700 | than on each VM entry. This reduces the performance impact, while
701 | making the assumption that the host OS will not handle security
702 | sensitive data from interrupt handlers and similar without taking
703 | precautions.
704 | </para>
705 |
706 | <para>
707 | A more aggressive flushing option is provided via the
708 | VBoxManage modifyvm option
709 | <computeroutput>--mds-clear-on-vm-entry</computeroutput>. When
710 | enabled the affected buffers will be cleared on every VM entry.
711 | The performance impact is greater than with the default option,
712 | though this of course depends on the workload. Workloads producing
713 | a lot of VM exits (like networking, VGA access, and similiar) will
714 | probably be most impacted.
715 | </para>
716 |
717 | <para>
718 | For users not concerned by this security issue, the default
719 | mitigation can be disabled using
720 | </para>
721 |
722 | <para>
723 | <computeroutput>VBoxManage modifyvm name --mds-clear-on-sched
724 | off</computeroutput>
725 | </para>
726 |
727 | </sect3>
728 |
729 | </sect2>
730 |
731 | </sect1>
732 |
733 | </chapter>