VirtualBox

source: vbox/trunk/doc/manual/en_US/user_Security.xml@ 85704

Last change on this file since 85704 was 85107, checked in by vboxsync, 4 years ago

doc/manual: Clarify NAT/NAT service behavior regarding loopback access. Eliminate all "e.g." which have sneaked into the docs. Oracle doc team is avoiding it.

  • Property svn:eol-style set to native
  • Property svn:keywords set to Author Date Id Revision
File size: 26.4 KB
Line 
1<?xml version="1.0" encoding="UTF-8"?>
2<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd"[
4<!ENTITY % all.entities SYSTEM "all-entities.ent">
5%all.entities;
6]>
7<chapter id="Security">
8
9 <title>Security Guide</title>
10
11 <sect1 id="security-general">
12
13 <title>General Security Principles</title>
14
15 <para>
16 The following principles are fundamental to using any application
17 securely.
18 </para>
19
20 <itemizedlist>
21
22 <listitem>
23 <para>
24 <emphasis role="strong">Keep software up to date</emphasis>.
25 One of the principles of good security practise is to keep all
26 software versions and patches up to date. Activate the
27 &product-name; update notification to get notified when a new
28 &product-name; release is available. When updating
29 &product-name;, do not forget to update the Guest Additions.
30 Keep the host operating system as well as the guest operating
31 system up to date.
32 </para>
33 </listitem>
34
35 <listitem>
36 <para>
37 <emphasis role="strong">Restrict network access to critical
38 services.</emphasis> Use proper means, for instance a
39 firewall, to protect your computer and your guests from
40 accesses from the outside. Choosing the proper networking mode
41 for VMs helps to separate host networking from the guest and
42 vice versa.
43 </para>
44 </listitem>
45
46 <listitem>
47 <para>
48 <emphasis role="strong">Follow the principle of least
49 privilege.</emphasis> The principle of least privilege states
50 that users should be given the least amount of privilege
51 necessary to perform their jobs. Always execute &product-name;
52 as a regular user. We strongly discourage anyone from
53 executing &product-name; with system privileges.
54 </para>
55
56 <para>
57 Choose restrictive permissions when creating configuration
58 files, for instance when creating /etc/default/virtualbox, see
59 <xref linkend="linux_install_opts"/>. Mode 0600 is preferred.
60 </para>
61 </listitem>
62
63 <listitem>
64 <para>
65 <emphasis role="strong">Monitor system activity.</emphasis>
66 System security builds on three pillars: good security
67 protocols, proper system configuration and system monitoring.
68 Auditing and reviewing audit records address the third
69 requirement. Each component within a system has some degree of
70 monitoring capability. Follow audit advice in this document
71 and regularly monitor audit records.
72 </para>
73 </listitem>
74
75 <listitem>
76 <para>
77 <emphasis role="strong">Keep up to date on latest security
78 information.</emphasis> Oracle continually improves its
79 software and documentation. Check this note yearly for
80 revisions.
81 </para>
82 </listitem>
83
84 </itemizedlist>
85
86 </sect1>
87
88 <sect1 id="security-secure-install">
89
90 <title>Secure Installation and Configuration</title>
91
92 <sect2 id="security-secure-install-overview">
93
94 <title>Installation Overview</title>
95
96 <para>
97 The &product-name; base package should be downloaded only from a
98 trusted source, for instance the official website
99 <ulink url="http://www.virtualbox.org" />.
100 The integrity of the package should be verified with the
101 provided SHA256 checksum which can be found on the official
102 website.
103 </para>
104
105 <para>
106 General &product-name; installation instructions for the
107 supported hosts can be found in <xref linkend="installation"/>.
108 </para>
109
110 <para>
111 On Windows hosts, the installer can be used to disable USB
112 support, support for bridged networking, support for host-only
113 networking and the Python language binding. See
114 <xref linkend="installation_windows"/>. All these features are
115 enabled by default but disabling some of them could be
116 appropriate if the corresponding functionality is not required
117 by any virtual machine. The Python language bindings are only
118 required if the &product-name; API is to be used by external
119 Python applications. In particular USB support and support for
120 the two networking modes require the installation of Windows
121 kernel drivers on the host. Therefore disabling those selected
122 features can not only be used to restrict the user to certain
123 functionality but also to minimize the surface provided to a
124 potential attacker.
125 </para>
126
127 <para>
128 The general case is to install the complete &product-name;
129 package. The installation must be done with system privileges.
130 All &product-name; binaries should be executed as a regular user
131 and never as a privileged user.
132 </para>
133
134 <para>
135 The &product-name; Extension Pack provides additional features
136 and must be downloaded and installed separately, see
137 <xref linkend="intro-installing"/>. As for the base package, the
138 SHA256 checksum of the extension pack should be verified. As the
139 installation requires system privileges, &product-name; will ask
140 for the system password during the installation of the extension
141 pack.
142 </para>
143
144 </sect2>
145
146 <sect2 id="security-secure-install-postinstall">
147
148 <title>Post Installation Configuration</title>
149
150 <para>
151 Normally there is no post installation configuration of
152 &product-name; components required. However, on Oracle Solaris
153 and Linux hosts it is necessary to configure the proper
154 permissions for users executing VMs and who should be able to
155 access certain host resources. For instance, Linux users must be
156 member of the <emphasis>vboxusers</emphasis> group to be able to
157 pass USB devices to a guest. If a serial host interface should
158 be accessed from a VM, the proper permissions must be granted to
159 the user to be able to access that device. The same applies to
160 other resources like raw partitions, DVD/CD drives, and sound
161 devices.
162 </para>
163
164 </sect2>
165
166 </sect1>
167
168 <sect1 id="security-features">
169
170 <title>Security Features</title>
171
172 <para>
173 This section outlines the specific security mechanisms offered by
174 &product-name;.
175 </para>
176
177 <sect2 id="security-model">
178
179 <title>The Security Model</title>
180
181 <para>
182 One property of virtual machine monitors (VMMs) like
183 &product-name; is to encapsulate a guest by executing it in a
184 protected environment, a virtual machine, running as a user
185 process on the host operating system. The guest cannot
186 communicate directly with the hardware or other computers but
187 only through the VMM. The VMM provides emulated physical
188 resources and devices to the guest which are accessed by the
189 guest operating system to perform the required tasks. The VM
190 settings control the resources provided to the guest, for
191 example the amount of guest memory or the number of guest
192 processors and the enabled features for that guest. For example
193 remote control, certain screen settings and others. See
194 <xref linkend="generalsettings"/>.
195 </para>
196
197 </sect2>
198
199 <sect2 id="secure-config-vms">
200
201 <title>Secure Configuration of Virtual Machines</title>
202
203 <para>
204 Several aspects of a virtual machine configuration are subject
205 to security considerations.
206 </para>
207
208 <sect3 id="security-networking">
209
210 <title>Networking</title>
211
212 <para>
213 The default networking mode for VMs is NAT which means that
214 the VM acts like a computer behind a router, see
215 <xref linkend="network_nat"/>. The guest is part of a private
216 subnet belonging to this VM and the guest IP is not visible
217 from the outside. This networking mode works without any
218 additional setup and is sufficient for many purposes. Keep in
219 mind that NAT allows access to the host operating system's
220 loopback interface.
221 </para>
222
223 <para>
224 If bridged networking is used, the VM acts like a computer
225 inside the same network as the host, see
226 <xref linkend="network_bridged"/>. In this case, the guest has
227 the same network access as the host and a firewall might be
228 necessary to protect other computers on the subnet from a
229 potential malicious guest as well as to protect the guest from
230 a direct access from other computers. In some cases it is
231 worth considering using a forwarding rule for a specific port
232 in NAT mode instead of using bridged networking.
233 </para>
234
235 <para>
236 Some setups do not require a VM to be connected to the public
237 network at all. Internal networking, see
238 <xref linkend="network_internal"/>, or host-only networking,
239 see <xref linkend="network_hostonly"/>, are often sufficient
240 to connect VMs among each other or to connect VMs only with
241 the host but not with the public network.
242 </para>
243
244 </sect3>
245
246 <sect3 id="security-vrdp-auth">
247
248 <title>VRDP Remote Desktop Authentication</title>
249
250 <para>
251 When using the &product-name; Extension Pack provided by
252 Oracle for VRDP remote desktop support, you can optionally use
253 various methods to configure RDP authentication. The "null"
254 method is very insecure and should be avoided in a public
255 network. See <xref linkend="vbox-auth" />.
256 </para>
257
258 </sect3>
259
260 <sect3 id="security_clipboard">
261
262 <title>Clipboard</title>
263
264 <para>
265 The shared clipboard enables users to share data between the
266 host and the guest. Enabling the clipboard in Bidirectional
267 mode enables the guest to read and write the host clipboard.
268 The Host to Guest mode and the Guest to Host mode limit the
269 access to one direction. If the guest is able to access the
270 host clipboard it can also potentially access sensitive data
271 from the host which is shared over the clipboard.
272 </para>
273
274 <para>
275 If the guest is able to read from and/or write to the host
276 clipboard then a remote user connecting to the guest over the
277 network will also gain this ability, which may not be
278 desirable. As a consequence, the shared clipboard is disabled
279 for new machines.
280 </para>
281
282 </sect3>
283
284 <sect3 id="security-shared-folders">
285
286 <title>Shared Folders</title>
287
288 <para>
289 If any host folder is shared with the guest then a remote user
290 connected to the guest over the network can access these files
291 too as the folder sharing mechanism cannot be selectively
292 disabled for remote users.
293 </para>
294
295 </sect3>
296
297 <sect3 id="security-3d-graphics">
298
299 <title>3D Graphics Acceleration</title>
300
301 <para>
302 Enabling 3D graphics using the Guest Additions exposes the
303 host to additional security risks. See
304 <xref
305 linkend="guestadd-3d" />.
306 </para>
307
308 </sect3>
309
310 <sect3 id="security-cd-dvd-passthrough">
311
312 <title>CD/DVD Passthrough</title>
313
314 <para>
315 Enabling CD/DVD passthrough enables the guest to perform
316 advanced operations on the CD/DVD drive, see
317 <xref linkend="storage-cds"/>. This could induce a security
318 risk as a guest could overwrite data on a CD/DVD medium.
319 </para>
320
321 </sect3>
322
323 <sect3 id="security-usb-passthrough">
324
325 <title>USB Passthrough</title>
326
327 <para>
328 Passing USB devices to the guest provides the guest full
329 access to these devices, see <xref linkend="settings-usb"/>.
330 For instance, in addition to reading and writing the content
331 of the partitions of an external USB disk the guest will be
332 also able to read and write the partition table and hardware
333 data of that disk.
334 </para>
335
336 </sect3>
337
338 </sect2>
339
340 <sect2 id="auth-config-using">
341
342 <title>Configuring and Using Authentication</title>
343
344 <para>
345 The following components of &product-name; can use passwords for
346 authentication:
347 </para>
348
349 <itemizedlist>
350
351 <listitem>
352 <para>
353 When using remote iSCSI storage and the storage server
354 requires authentication, an initiator secret can optionally
355 be supplied with the <command>VBoxManage
356 storageattach</command> command. As long as no settings
357 password is provided, by using the command line option
358 <option>--settingspwfile</option>, then this secret is
359 stored <emphasis>unencrypted</emphasis> in the machine
360 configuration and is therefore potentially readable on the
361 host. See <xref linkend="storage-iscsi" /> and
362 <xref linkend="vboxmanage-storageattach" />.
363 </para>
364 </listitem>
365
366 <listitem>
367 <para>
368 When using the &product-name; web service to control an
369 &product-name; host remotely, connections to the web service
370 are authenticated in various ways. This is described in
371 detail in the &product-name; Software Development Kit (SDK)
372 reference. See <xref linkend="VirtualBoxAPI" />.
373 </para>
374 </listitem>
375
376 </itemizedlist>
377
378 </sect2>
379
380<!--
381 <sect2 id="access-control-config-using">
382 <title>Configuring and Using Access Control</title>
383 </sect2>
384
385 <sect2 id="security-audit-config-using">
386 <title>Configuring and Using Security Audit</title>
387 </sect2>
388
389 <sect2 id="security-other-features-config-using">
390 <title>Configuring and Using Other Security Features</title>
391 </sect2>
392 -->
393
394 <sect2 id="pot-insecure">
395
396 <title>Potentially Insecure Operations</title>
397
398 <para>
399 The following features of &product-name; can present security
400 problems:
401 </para>
402
403 <itemizedlist>
404
405 <listitem>
406 <para>
407 Enabling 3D graphics using the Guest Additions exposes the
408 host to additional security risks. See
409 <xref
410 linkend="guestadd-3d" />.
411 </para>
412 </listitem>
413
414 <listitem>
415 <para>
416 When teleporting a machine, the data stream through which
417 the machine's memory contents are transferred from one host
418 to another is not encrypted. A third party with access to
419 the network through which the data is transferred could
420 therefore intercept that data. An SSH tunnel could be used
421 to secure the connection between the two hosts. But when
422 considering teleporting a VM over an untrusted network the
423 first question to answer is how both VMs can securely access
424 the same virtual disk image with a reasonable performance.
425 </para>
426 </listitem>
427
428 <listitem>
429 <para>
430 When Page Fusion, see <xref linkend="guestadd-pagefusion"/>,
431 is enabled, it is possible that a side-channel opens up that
432 enables a malicious guest to determine the address space of
433 another VM running on the same host layout. For example,
434 where DLLs are typically loaded. This information leak in
435 itself is harmless, however the malicious guest may use it
436 to optimize attack against that VM through unrelated attack
437 vectors. It is recommended to only enable Page Fusion if you
438 do not think this is a concern in your setup.
439 </para>
440 </listitem>
441
442 <listitem>
443 <para>
444 When using the &product-name; web service to control an
445 &product-name; host remotely, connections to the web
446 service, over which the API calls are transferred using SOAP
447 XML, are not encrypted. They use plain HTTP by default. This
448 is a potential security risk. For details about the web
449 service, see <xref linkend="VirtualBoxAPI" />.
450 </para>
451
452 <para>
453 The web services are not started by default. See
454 <xref linkend="vboxwebsrv-daemon"/> to find out how to start
455 this service and how to enable SSL/TLS support. It has to be
456 started as a regular user and only the VMs of that user can
457 be controlled. By default, the service binds to localhost
458 preventing any remote connection.
459 </para>
460 </listitem>
461
462 <listitem>
463 <para>
464 Traffic sent over a UDP Tunnel network attachment is not
465 encrypted. You can either encrypt it on the host network
466 level, with IPsec, or use encrypted protocols in the guest
467 network, such as SSH. The security properties are similar to
468 bridged Ethernet.
469 </para>
470 </listitem>
471
472 <listitem>
473 <para>
474 Because of shortcomings in older Windows versions, using
475 &product-name; on Windows versions older than Vista with
476 Service Pack 1 is not recommended.
477 </para>
478 </listitem>
479
480 </itemizedlist>
481
482 </sect2>
483
484 <sect2 id="security-encryption">
485
486 <title>Encryption</title>
487
488 <para>
489 The following components of &product-name; use encryption to
490 protect sensitive data:
491 </para>
492
493 <itemizedlist>
494
495 <listitem>
496 <para>
497 When using the &product-name; Extension Pack provided by
498 Oracle for VRDP remote desktop support, RDP data can
499 optionally be encrypted. See <xref linkend="vrde-crypt" />.
500 Only the Enhanced RDP Security method (RDP5.2) with TLS
501 protocol provides a secure connection. Standard RDP Security
502 (RDP4 and RDP5.1) is vulnerable to a man-in-the-middle
503 attack.
504 </para>
505 </listitem>
506
507 <listitem>
508 <para>
509 When using the &product-name; Extension Pack provided by
510 Oracle for disk encryption, the data stored in disk images can
511 optionally be encrypted. See <xref linkend="diskencryption" />.
512 This feature covers disk image content only. All other data
513 for a virtual machine is stored unencrypted, including the VM's
514 memory and device state which is stored as part of a saved
515 state, both when created explicitly or part of a snapshot of a
516 running VM.
517 </para>
518 </listitem>
519
520 </itemizedlist>
521
522 </sect2>
523
524 </sect1>
525
526<!--
527 <sect1 id="security-devel">
528 <title>Security Considerations for Developers</title>
529 </sect1>
530 -->
531
532 <sect1 id="security-recommendations">
533
534 <title>Security Recommendations</title>
535
536 <para>
537 This section contains security recommendations for specific
538 issues. By default VirtualBox will configure the VMs to run in a
539 secure manner, however this may not always be possible without
540 additional user actions (for example host OS / firmware configuration
541 changes).
542 </para>
543
544 <sect2 id="sec-rec-cve-2018-3646">
545
546 <title>CVE-2018-3646</title>
547
548 <para>
549 This security issue affect a range of Intel CPUs with nested
550 paging. AMD CPUs are expected not to be impacted (pending direct
551 confirmation by AMD). Also the issue does not affect VMs running
552 with hardware virtualization disabled or with nested paging
553 disabled.
554 </para>
555
556 <para>
557 For more information about nested paging, see
558 <xref linkend="nestedpaging" />.
559 </para>
560
561 <para>
562 The following mitigation options are available.
563 </para>
564
565 <sect3>
566
567 <title>Disable Nested Paging</title>
568
569 <para>
570 By disabling nested paging (EPT), the VMM will construct page
571 tables shadowing the ones in the guest. It is no possible for
572 the guest to insert anything fishy into the page tables, since
573 the VMM carefully validates each entry before shadowing it.
574 </para>
575
576 <para>
577 As a side effect of disabling nested paging, several CPU
578 features will not be made available to the guest. Among these
579 features are AVX, AVX2, XSAVE, AESNI, and POPCNT. Not all
580 guests may be able to cope with dropping these features after
581 installation. Also, for some guests, especially in SMP
582 configurations, there could be stability issues arising from
583 disabling nested paging. Finally, some workloads may
584 experience a performance degradation.
585 </para>
586
587 </sect3>
588
589 <sect3>
590
591 <title>Flushing the Level 1 Data Cache</title>
592
593 <para>
594 This aims at removing potentially sensitive data from the
595 level 1 data cache when running guest code. However, it is
596 made difficult by hyper-threading setups sharing the level 1
597 cache and thereby potentially letting the other thread in a
598 pair refill the cache with data the user does not want the
599 guest to see. In addition, flushing the level 1 data cache is
600 usually not without performance side effects.
601 </para>
602
603 <para>
604 Up to date CPU microcode is a prerequisite for the cache
605 flushing mitigations. Some host OSes may install these
606 automatically, though it has traditionally been a task best
607 performed by the system firmware. So, please check with your
608 system / mainboard manufacturer for the latest firmware
609 update.
610 </para>
611
612 <para>
613 We recommend disabling hyper threading on the host. This is
614 traditionally done from the firmware setup, but some OSes also
615 offers ways disable HT. In some cases it may be disabled by
616 default, but please verify as the effectiveness of the
617 mitigation depends on it.
618 </para>
619
620 <para>
621 The default action taken by VirtualBox is to flush the level 1
622 data cache when a thread is scheduled to execute guest code,
623 rather than on each VM entry. This reduces the performance
624 impact, while making the assumption that the host OS will not
625 handle security sensitive data from interrupt handlers and
626 similar without taking precautions.
627 </para>
628
629 <para>
630 A more aggressive flushing option is provided via the
631 <command>VBoxManage modifyvm</command>
632 <option>--l1d-flush-on-vm-entry</option> option. When
633 enabled the level 1 data cache will be flushed on every VM
634 entry. The performance impact is greater than with the default
635 option, though this of course depends on the workload.
636 Workloads producing a lot of VM exits (like networking, VGA
637 access, and similiar) will probably be most impacted.
638 </para>
639
640 <para>
641 For users not concerned by this security issue, the default
642 mitigation can be disabled using the <command>VBoxManage modifyvm
643 name --l1d-flush-on-sched off</command> command.
644 </para>
645
646 </sect3>
647
648 </sect2>
649
650 <sect2 id="sec-rec-cve-2018-12126-et-al">
651
652 <title>CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091</title>
653
654 <para>
655 These security issues affect a range of Intel CPUs starting with
656 Nehalem. The CVE-2018-12130 also affects some Atom Silvermont,
657 Atom Airmont, and Knights family CPUs, however the scope is so
658 limited that the host OS should deal with it and &product-name;
659 is therefore not affected. Leaks only happens when entering and
660 leaving C states.
661 </para>
662
663 <para>
664 The following mitigation option is available.
665 </para>
666
667 <sect3>
668
669 <title>Buffer Overwriting and Disabling Hyper-Threading</title>
670
671 <para>
672 First, up to date CPU microcode is a prerequisite for the
673 buffer overwriting (clearing) mitigations. Some host OSes may
674 install these automatically, though it has traditionally been
675 a task best performed by the system firmware. Please check
676 with your system or mainboard manufacturer for the latest
677 firmware update.
678 </para>
679
680 <para>
681 This mitigation aims at removing potentially sensitive data
682 from the affected buffers before running guest code. Since
683 this means additional work each time the guest is scheduled,
684 there might be some performance side effects.
685 </para>
686
687 <para>
688 We recommend disabling hyper-threading (HT) on hosts affected
689 by CVE-2018-12126 and CVE-2018-12127, because the affected
690 sets of buffers are normally shared between thread pairs and
691 therefore cause leaks between the threads. This is
692 traditionally done from the firmware setup, but some OSes also
693 offers ways disable HT. In some cases it may be disabled by
694 default, but please verify as the effectiveness of the
695 mitigation depends on it.
696 </para>
697
698 <para>
699 The default action taken by &product-name; is to clear the
700 affected buffers when a thread is scheduled to execute guest
701 code, rather than on each VM entry. This reduces the
702 performance impact, while making the assumption that the host
703 OS will not handle security sensitive data from interrupt
704 handlers and similar without taking precautions.
705 </para>
706
707 <para>
708 The <command>VBoxManage modifyvm</command> command provides a more
709 aggressive flushing option is provided by means of the
710 <option>--mds-clear-on-vm-entry</option> option. When
711 enabled the affected buffers will be cleared on every VM
712 entry. The performance impact is greater than with the default
713 option, though this of course depends on the workload.
714 Workloads producing a lot of VM exits (like networking, VGA
715 access, and similiar) will probably be most impacted.
716 </para>
717
718 <para>
719 For users not concerned by this security issue, the default
720 mitigation can be disabled using the <command>VBoxManage modifyvm
721 name --mds-clear-on-sched off</command> command.
722 </para>
723
724 </sect3>
725
726 </sect2>
727
728 </sect1>
729
730</chapter>
Note: See TracBrowser for help on using the repository browser.

© 2024 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette