source: vbox/trunk/doc/manual/en_US/user_Security.xml@ 96301

<?xml version="1.0" encoding="UTF-8"?>
<!--
    Copyright (C) 2006-2022 Oracle Corporation

    This file is part of VirtualBox Open Source Edition (OSE), as
    available from http://www.alldomusa.eu.org. This file is free software;
    you can redistribute it and/or modify it under the terms of the GNU
    General Public License (GPL) as published by the Free Software
    Foundation, in version 2 as it comes in the "COPYING" file of the
    VirtualBox OSE distribution. VirtualBox OSE is distributed in the
    hope that it will be useful, but WITHOUT ANY WARRANTY of any kind.
-->
<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd"[
<!ENTITY % all.entities SYSTEM "all-entities.ent">
%all.entities;
]>
<chapter id="Security">

  <title>Security Guide</title>

  <sect1 id="security-general">

    <title>General Security Principles</title>

    <para>
      The following principles are fundamental to using any application
      securely.
    </para>

    <itemizedlist>

      <listitem>
        <para>
          <emphasis role="bold">Keep software up to date</emphasis>. One
          of the principles of good security practise is to keep all
          software versions and patches up to date. Activate the
          &product-name; update notification to get notified when a new
          &product-name; release is available. When updating
          &product-name;, do not forget to update the Guest Additions.
          Keep the host operating system as well as the guest operating
          system up to date.
        </para>
      </listitem>

      <listitem>
        <para>
          <emphasis role="bold">Restrict network access to critical
          services.</emphasis> Use proper means, for instance a
          firewall, to protect your computer and your guests from
          accesses from the outside. Choosing the proper networking mode
          for VMs helps to separate host networking from the guest and
          vice versa.
        </para>
      </listitem>

      <listitem>
        <para>
          <emphasis role="bold">Follow the principle of least
          privilege.</emphasis> The principle of least privilege states
          that users should be given the least amount of privilege
          necessary to perform their jobs. Always execute &product-name;
          as a regular user. We strongly discourage anyone from
          executing &product-name; with system privileges.
        </para>

        <para>
          Choose restrictive permissions when creating configuration
          files, for instance when creating /etc/default/virtualbox, see
          <xref linkend="linux_install_opts"/>. Mode 0600 is preferred.
        </para>
      </listitem>

      <listitem>
        <para>
          <emphasis role="bold">Monitor system activity.</emphasis>
          System security builds on three pillars: good security
          protocols, proper system configuration and system monitoring.
          Auditing and reviewing audit records address the third
          requirement. Each component within a system has some degree of
          monitoring capability. Follow audit advice in this document
          and regularly monitor audit records.
        </para>
      </listitem>

      <listitem>
        <para>
          <emphasis role="bold">Keep up to date on latest security
          information.</emphasis> Oracle continually improves its
          software and documentation. Check this note yearly for
          revisions.
        </para>
      </listitem>

    </itemizedlist>

  </sect1>

  <sect1 id="security-secure-install">

    <title>Secure Installation and Configuration</title>

    <sect2 id="security-secure-install-overview">

      <title>Installation Overview</title>

      <para>
        The &product-name; base package should be downloaded only from a
        trusted source, for instance the official website
        <ulink url="http://www.alldomusa.eu.org" />. The integrity of the
        package should be verified with the provided SHA256 checksum
        which can be found on the official website.
      </para>

      <para>
        General &product-name; installation instructions for the
        supported hosts can be found in <xref linkend="installation"/>.
      </para>

      <para>
        On Windows hosts, the installer can be used to disable USB
        support, support for bridged networking, support for host-only
        networking and the Python language binding. See
        <xref linkend="installation_windows"/>. All these features are
        enabled by default but disabling some of them could be
        appropriate if the corresponding functionality is not required
        by any virtual machine. The Python language bindings are only
        required if the &product-name; API is to be used by external
        Python applications. In particular USB support and support for
        the two networking modes require the installation of Windows
        kernel drivers on the host. Therefore disabling those selected
        features can not only be used to restrict the user to certain
        functionality but also to minimize the surface provided to a
        potential attacker.
      </para>

      <para>
        The general case is to install the complete &product-name;
        package. The installation must be done with system privileges.
        All &product-name; binaries should be executed as a regular user
        and never as a privileged user.
      </para>

      <para>
        The &product-name; Extension Pack provides additional features
        and must be downloaded and installed separately, see
        <xref linkend="intro-installing"/>. As for the base package, the
        SHA256 checksum of the extension pack should be verified. As the
        installation requires system privileges, &product-name; will ask
        for the system password during the installation of the extension
        pack.
      </para>

    </sect2>

    <sect2 id="security-secure-install-postinstall">

      <title>Post Installation Configuration</title>

      <para>
        Normally there is no post installation configuration of
        &product-name; components required. However, on Oracle Solaris
        and Linux hosts it is necessary to configure the proper
        permissions for users executing VMs and who should be able to
        access certain host resources. For instance, Linux users must be
        member of the <emphasis>vboxusers</emphasis> group to be able to
        pass USB devices to a guest. If a serial host interface should
        be accessed from a VM, the proper permissions must be granted to
        the user to be able to access that device. The same applies to
        other resources like raw partitions, DVD/CD drives, and sound
        devices.
      </para>

    </sect2>

  </sect1>

  <sect1 id="security-features">

    <title>Security Features</title>

    <para>
      This section outlines the specific security mechanisms offered by
      &product-name;.
    </para>

    <sect2 id="security-model">

      <title>The Security Model</title>

      <para>
        One property of virtual machine monitors (VMMs) like
        &product-name; is to encapsulate a guest by executing it in a
        protected environment, a virtual machine, running as a user
        process on the host operating system. The guest cannot
        communicate directly with the hardware or other computers but
        only through the VMM. The VMM provides emulated physical
        resources and devices to the guest which are accessed by the
        guest operating system to perform the required tasks. The VM
        settings control the resources provided to the guest, for
        example the amount of guest memory or the number of guest
        processors and the enabled features for that guest. For example
        remote control, certain screen settings and others. See
        <xref linkend="generalsettings"/>.
      </para>

    </sect2>

    <sect2 id="secure-config-vms">

      <title>Secure Configuration of Virtual Machines</title>

      <para>
        Several aspects of a virtual machine configuration are subject
        to security considerations.
      </para>

      <sect3 id="security-networking">

        <title>Networking</title>

        <para>
          The default networking mode for VMs is NAT which means that
          the VM acts like a computer behind a router, see
          <xref linkend="network_nat"/>. The guest is part of a private
          subnet belonging to this VM and the guest IP is not visible
          from the outside. This networking mode works without any
          additional setup and is sufficient for many purposes. Keep in
          mind that NAT allows access to the host operating system's
          loopback interface.
        </para>

        <para>
          If bridged networking is used, the VM acts like a computer
          inside the same network as the host, see
          <xref linkend="network_bridged"/>. In this case, the guest has
          the same network access as the host and a firewall might be
          necessary to protect other computers on the subnet from a
          potential malicious guest as well as to protect the guest from
          a direct access from other computers. In some cases it is
          worth considering using a forwarding rule for a specific port
          in NAT mode instead of using bridged networking.
        </para>

        <para>
          Some setups do not require a VM to be connected to the public
          network at all. Internal networking, see
          <xref linkend="network_internal"/>, or host-only networking,
          see <xref linkend="network_hostonly"/>, are often sufficient
          to connect VMs among each other or to connect VMs only with
          the host but not with the public network.
        </para>

      </sect3>

      <sect3 id="security-vrdp-auth">

        <title>VRDP Remote Desktop Authentication</title>

        <para>
          When using the &product-name; Extension Pack provided by
          Oracle for VRDP remote desktop support, you can optionally use
          various methods to configure RDP authentication. The "null"
          method is very insecure and should be avoided in a public
          network. See <xref linkend="vbox-auth" />.
        </para>

      </sect3>

      <sect3 id="security_clipboard">

        <title>Clipboard</title>

        <para>
          The shared clipboard enables users to share data between the
          host and the guest. Enabling the clipboard in Bidirectional
          mode enables the guest to read and write the host clipboard.
          The Host to Guest mode and the Guest to Host mode limit the
          access to one direction. If the guest is able to access the
          host clipboard it can also potentially access sensitive data
          from the host which is shared over the clipboard.
        </para>

        <para>
          If the guest is able to read from and/or write to the host
          clipboard then a remote user connecting to the guest over the
          network will also gain this ability, which may not be
          desirable. As a consequence, the shared clipboard is disabled
          for new machines.
        </para>

      </sect3>

      <sect3 id="security-shared-folders">

        <title>Shared Folders</title>

        <para>
          If any host folder is shared with the guest then a remote user
          connected to the guest over the network can access these files
          too as the folder sharing mechanism cannot be selectively
          disabled for remote users.
        </para>

      </sect3>

      <sect3 id="security-3d-graphics">

        <title>3D Graphics Acceleration</title>

        <para>
          Enabling 3D graphics using the Guest Additions exposes the
          host to additional security risks. See
          <xref
          linkend="guestadd-3d" />.
        </para>

      </sect3>

      <sect3 id="security-cd-dvd-passthrough">

        <title>CD/DVD Passthrough</title>

        <para>
          Enabling CD/DVD passthrough enables the guest to perform
          advanced operations on the CD/DVD drive, see
          <xref linkend="storage-cds"/>. This could induce a security
          risk as a guest could overwrite data on a CD/DVD medium.
        </para>

      </sect3>

      <sect3 id="security-usb-passthrough">

        <title>USB Passthrough</title>

        <para>
          Passing USB devices to the guest provides the guest full
          access to these devices, see <xref linkend="settings-usb"/>.
          For instance, in addition to reading and writing the content
          of the partitions of an external USB disk the guest will be
          also able to read and write the partition table and hardware
          data of that disk.
        </para>

      </sect3>

    </sect2>

    <sect2 id="auth-config-using">

      <title>Configuring and Using Authentication</title>

      <para>
        The following components of &product-name; can use passwords for
        authentication:
      </para>

      <itemizedlist>

        <listitem>
          <para>
            When using remote iSCSI storage and the storage server
            requires authentication, an initiator secret can optionally
            be supplied with the <command>VBoxManage
            storageattach</command> command. As long as no settings
            password is provided, by using the command line option
            <option>--settingspwfile</option>, then this secret is
            stored <emphasis>unencrypted</emphasis> in the machine
            configuration and is therefore potentially readable on the
            host. See <xref linkend="storage-iscsi" /> and
            <xref linkend="vboxmanage-storageattach" />.
          </para>
        </listitem>

        <listitem>
          <para>
            When using the &product-name; web service to control an
            &product-name; host remotely, connections to the web service
            are authenticated in various ways. This is described in
            detail in the &product-name; Software Development Kit (SDK)
            reference. See <xref linkend="VirtualBoxAPI" />.
          </para>
        </listitem>

      </itemizedlist>

    </sect2>

<!--
    <sect2 id="access-control-config-using">
      <title>Configuring and Using Access Control</title>
    </sect2>

    <sect2 id="security-audit-config-using">
      <title>Configuring and Using Security Audit</title>
    </sect2>

    <sect2 id="security-other-features-config-using">
      <title>Configuring and Using Other Security Features</title>
    </sect2>
    -->

    <sect2 id="pot-insecure">

      <title>Potentially Insecure Operations</title>

      <para>
        The following features of &product-name; can present security
        problems:
      </para>

      <itemizedlist>

        <listitem>
          <para>
            Enabling 3D graphics using the Guest Additions exposes the
            host to additional security risks. See
            <xref
          linkend="guestadd-3d" />.
          </para>
        </listitem>

        <listitem>
          <para>
            When teleporting a machine, the data stream through which
            the machine's memory contents are transferred from one host
            to another is not encrypted. A third party with access to
            the network through which the data is transferred could
            therefore intercept that data. An SSH tunnel could be used
            to secure the connection between the two hosts. But when
            considering teleporting a VM over an untrusted network the
            first question to answer is how both VMs can securely access
            the same virtual disk image with a reasonable performance.
          </para>
        </listitem>

        <listitem>
          <para>
            When Page Fusion, see <xref linkend="guestadd-pagefusion"/>,
            is enabled, it is possible that a side-channel opens up that
            enables a malicious guest to determine the address space of
            another VM running on the same host layout. For example,
            where DLLs are typically loaded. This information leak in
            itself is harmless, however the malicious guest may use it
            to optimize attack against that VM through unrelated attack
            vectors. It is recommended to only enable Page Fusion if you
            do not think this is a concern in your setup.
          </para>
        </listitem>

        <listitem>
          <para>
            When using the &product-name; web service to control an
            &product-name; host remotely, connections to the web
            service, over which the API calls are transferred using SOAP
            XML, are not encrypted. They use plain HTTP by default. This
            is a potential security risk. For details about the web
            service, see <xref linkend="VirtualBoxAPI" />.
          </para>

          <para>
            The web services are not started by default. See
            <xref linkend="vboxwebsrv-daemon"/> to find out how to start
            this service and how to enable SSL/TLS support. It has to be
            started as a regular user and only the VMs of that user can
            be controlled. By default, the service binds to localhost
            preventing any remote connection.
          </para>
        </listitem>

        <listitem>
          <para>
            Traffic sent over a UDP Tunnel network attachment is not
            encrypted. You can either encrypt it on the host network
            level, with IPsec, or use encrypted protocols in the guest
            network, such as SSH. The security properties are similar to
            bridged Ethernet.
          </para>
        </listitem>

        <listitem>
          <para>
            Because of shortcomings in older Windows versions, using
            &product-name; on Windows versions older than Vista with
            Service Pack 1 is not recommended.
          </para>
        </listitem>

      </itemizedlist>

    </sect2>

    <sect2 id="security-encryption">

      <title>Encryption</title>

      <para>
        The following components of &product-name; use encryption to
        protect sensitive data:
      </para>

      <itemizedlist>

        <listitem>
          <para>
            When using the &product-name; Extension Pack provided by
            Oracle for VRDP remote desktop support, RDP data can
            optionally be encrypted. See <xref linkend="vrde-crypt" />.
            Only the Enhanced RDP Security method (RDP5.2) with TLS
            protocol provides a secure connection. Standard RDP Security
            (RDP4 and RDP5.1) is vulnerable to a man-in-the-middle
            attack.
          </para>
        </listitem>

        <listitem>
          <para>
            When using the &product-name; Extension Pack provided by
            Oracle for disk encryption, the data stored in disk images
            can optionally be encrypted. See
            <xref linkend="diskencryption" />. This feature covers disk
            image content only. All other data for a virtual machine is
            stored unencrypted, including the VM's memory and device
            state which is stored as part of a saved state, both when
            created explicitly or part of a snapshot of a running VM.
          </para>
        </listitem>

      </itemizedlist>

    </sect2>

  </sect1>

<!--
  <sect1 id="security-devel">
    <title>Security Considerations for Developers</title>
  </sect1>
  -->

  <sect1 id="security-recommendations">

    <title>Security Recommendations</title>

    <para>
      This section contains security recommendations for specific
      issues. By default VirtualBox will configure the VMs to run in a
      secure manner, however this may not always be possible without
      additional user actions such as host OS or firmware configuration
      changes.
    </para>

    <sect2 id="sec-rec-cve-2018-3646">

      <title>CVE-2018-3646</title>

      <para>
        This security issue affect a range of Intel CPUs with nested
        paging. AMD CPUs are expected not to be impacted (pending direct
        confirmation by AMD). Also the issue does not affect VMs running
        with hardware virtualization disabled or with nested paging
        disabled.
      </para>

      <para>
        For more information about nested paging, see
        <xref linkend="nestedpaging" />.
      </para>

      <para>
        The following mitigation options are available.
      </para>

      <sect3>

        <title>Disable Nested Paging</title>

        <para>
          By disabling nested paging (EPT), the VMM will construct page
          tables shadowing the ones in the guest. It is no possible for
          the guest to insert anything fishy into the page tables, since
          the VMM carefully validates each entry before shadowing it.
        </para>

        <para>
          As a side effect of disabling nested paging, several CPU
          features will not be made available to the guest. Among these
          features are AVX, AVX2, XSAVE, AESNI, and POPCNT. Not all
          guests may be able to cope with dropping these features after
          installation. Also, for some guests, especially in SMP
          configurations, there could be stability issues arising from
          disabling nested paging. Finally, some workloads may
          experience a performance degradation.
        </para>

      </sect3>

      <sect3>

        <title>Flushing the Level 1 Data Cache</title>

        <para>
          This aims at removing potentially sensitive data from the
          level 1 data cache when running guest code. However, it is
          made difficult by hyper-threading setups sharing the level 1
          cache and thereby potentially letting the other thread in a
          pair refill the cache with data the user does not want the
          guest to see. In addition, flushing the level 1 data cache is
          usually not without performance side effects.
        </para>

        <para>
          Up to date CPU microcode is a prerequisite for the cache
          flushing mitigations. Some host OSes may install these
          automatically, though it has traditionally been a task best
          performed by the system firmware. So, please check with your
          system / mainboard manufacturer for the latest firmware
          update.
        </para>

        <para>
          We recommend disabling hyper threading on the host. This is
          traditionally done from the firmware setup, but some OSes also
          offers ways disable HT. In some cases it may be disabled by
          default, but please verify as the effectiveness of the
          mitigation depends on it.
        </para>

        <para>
          The default action taken by VirtualBox is to flush the level 1
          data cache when a thread is scheduled to execute guest code,
          rather than on each VM entry. This reduces the performance
          impact, while making the assumption that the host OS will not
          handle security sensitive data from interrupt handlers and
          similar without taking precautions.
        </para>

        <para>
          A more aggressive flushing option is provided via the
          <command>VBoxManage modifyvm</command>
          <option>--l1d-flush-on-vm-entry</option> option. When enabled
          the level 1 data cache will be flushed on every VM entry. The
          performance impact is greater than with the default option,
          though this of course depends on the workload. Workloads
          producing a lot of VM exits (like networking, VGA access, and
          similiar) will probably be most impacted.
        </para>

        <para>
          For users not concerned by this security issue, the default
          mitigation can be disabled using the <command>VBoxManage
          modifyvm name --l1d-flush-on-sched off</command> command.
        </para>

      </sect3>

    </sect2>

    <sect2 id="sec-rec-cve-2018-12126-et-al">

      <title>CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091</title>

      <para>
        These security issues affect a range of Intel CPUs starting with
        Nehalem. The CVE-2018-12130 also affects some Atom Silvermont,
        Atom Airmont, and Knights family CPUs, however the scope is so
        limited that the host OS should deal with it and &product-name;
        is therefore not affected. Leaks only happens when entering and
        leaving C states.
      </para>

      <para>
        The following mitigation option is available.
      </para>

      <sect3>

        <title>Buffer Overwriting and Disabling Hyper-Threading</title>

        <para>
          First, up to date CPU microcode is a prerequisite for the
          buffer overwriting (clearing) mitigations. Some host OSes may
          install these automatically, though it has traditionally been
          a task best performed by the system firmware. Please check
          with your system or mainboard manufacturer for the latest
          firmware update.
        </para>

        <para>
          This mitigation aims at removing potentially sensitive data
          from the affected buffers before running guest code. Since
          this means additional work each time the guest is scheduled,
          there might be some performance side effects.
        </para>

        <para>
          We recommend disabling hyper-threading (HT) on hosts affected
          by CVE-2018-12126 and CVE-2018-12127, because the affected
          sets of buffers are normally shared between thread pairs and
          therefore cause leaks between the threads. This is
          traditionally done from the firmware setup, but some OSes also
          offers ways disable HT. In some cases it may be disabled by
          default, but please verify as the effectiveness of the
          mitigation depends on it.
        </para>

        <para>
          The default action taken by &product-name; is to clear the
          affected buffers when a thread is scheduled to execute guest
          code, rather than on each VM entry. This reduces the
          performance impact, while making the assumption that the host
          OS will not handle security sensitive data from interrupt
          handlers and similar without taking precautions.
        </para>

        <para>
          The <command>VBoxManage modifyvm</command> command provides a
          more aggressive flushing option is provided by means of the
          <option>--mds-clear-on-vm-entry</option> option. When enabled
          the affected buffers will be cleared on every VM entry. The
          performance impact is greater than with the default option,
          though this of course depends on the workload. Workloads
          producing a lot of VM exits (like networking, VGA access, and
          similiar) will probably be most impacted.
        </para>

        <para>
          For users not concerned by this security issue, the default
          mitigation can be disabled using the <command>VBoxManage
          modifyvm name --mds-clear-on-sched off</command> command.
        </para>

      </sect3>

    </sect2>

  </sect1>

</chapter>