<title>Security guide</title>
<title>Overview</title>
<title>General Security Principles</title>

<para>The following principles are fundamental to using any application

<glossterm>Keep Software Up To Date</glossterm>

One of the principles of good security practice is to keep all
software versions and patches up to date. Activate the VirtualBox
update notification to get notified when a new VirtualBox release
is available. When updating VirtualBox, do not forget to update
the Guest Additions. Keep the host operating system as well as the
guest operating system up to date.

<glossterm>Restrict Network Access to Critical Services</glossterm>

Use proper means, for instance a firewall, to protect your computer
and your guest(s) from access from the outside. Choosing the proper
networking mode for VMs helps to separate host networking from the

<glossterm>Follow the Principle of Least Privilege</glossterm>

The principle of least privilege states that users should be given the
least amount of privilege necessary to perform their jobs. Always execute VirtualBox
as a regular user. We strongly discourage anyone from executing
VirtualBox with system privileges.

<glossterm>Monitor System Activity</glossterm>

System security builds on three pillars: good security protocols, proper
system configuration and system monitoring. Auditing and reviewing audit
records address the third requirement. Each component within a system
has some degree of monitoring capability. Follow the audit advice in this
document and regularly monitor audit records.

<glossterm>Keep Up To Date on Latest Security Information</glossterm>

Oracle continually improves its software and documentation. Check this
note yearly for revisions.

<title>Secure Installation and Configuration</title>

<title>Installation Overview</title>

The VirtualBox base package should be downloaded only from a trusted source,
for instance the official website
<ulink url="http://www.virtualbox.org">http://www.virtualbox.org</ulink>.
The integrity of the package should be verified with the provided SHA256
checksum which can be found on the official website.
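The integrity check described above, as an added example that is not part of the VirtualBox manual: a POSIX shell routine that looks up the package's published hash in a SHA256SUMS file and compares it with the hash computed locally, refusing packages that are not listed at all. The "hash, space, *filename" line format of the checksum file and the demo inputs (an empty stand-in package, whose SHA256 is the well-known hash of empty input) are assumptions constructed for this example.

```shell
# sha256_of FILE: print the hex SHA256 of FILE (sha256sum on Linux, shasum on macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# expected_sha256 SUMSFILE NAME: print the published hash for NAME, or nothing.
# Assumes the "<hash> *<filename>" (or "<hash>  <filename>") format of sha256sum.
expected_sha256() {
    awk -v name="$2" '{ f = $2; sub(/^\*/, "", f); if (f == name) print $1 }' "$1"
}

# verify_package SUMSFILE PKGPATH: succeed only when the local hash matches the
# published one; fail when the hashes differ or the package is not listed.
verify_package() {
    name=$(basename "$2")
    want=$(expected_sha256 "$1" "$name")
    [ -n "$want" ] || { echo "refusing: $name is not listed in $1" >&2; return 1; }
    have=$(sha256_of "$2")
    if [ "$have" = "$want" ]; then
        echo "ok: $name matches the published SHA256"
    else
        echo "MISMATCH: $name (have $have, want $want)" >&2
        return 1
    fi
}

# Constructed demo inputs: two empty stand-in packages and a SHA256SUMS file
# listing the correct hash for one and a wrong hash for the other.
DEMO_DIR=$(mktemp -d)
: > "$DEMO_DIR/VirtualBox-demo.run"
: > "$DEMO_DIR/VirtualBox-tampered.run"
cat > "$DEMO_DIR/SHA256SUMS" <<'EOF'
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 *VirtualBox-demo.run
0000000000000000000000000000000000000000000000000000000000000000 *VirtualBox-tampered.run
EOF
```

For a real download, point `verify_package` at the SHA256SUMS file fetched from the official site and at the downloaded package.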
General VirtualBox installation instructions for the supported hosts
can be found in <xref linkend="installation"/>.

On Windows hosts, the installer allows for disabling USB support, support
for bridged networking, support for host-only networking and the Python
language bindings, see <xref linkend="installation_windows"/>.
All these features are enabled by default, but disabling some
of them can be appropriate if the corresponding functionality is not
required by any virtual machine. The Python language bindings are only
required if the VirtualBox API is to be used by external Python
applications. In particular, USB support and support
for the two networking modes require the installation of Windows kernel
drivers on the host. Therefore disabling those features can
not only be used to restrict the user to certain functionality but
also to minimize the attack surface exposed to a potential attacker.</para>

The general case is to install the complete VirtualBox package. The
installation must be done with system privileges. All VirtualBox binaries
should be executed as a regular user and never as a privileged user.

The Oracle VM VirtualBox extension pack provides additional features
and must be downloaded and installed separately, see
<xref linkend="intro-installing"/>. As for the base package, the SHA256
checksum of the extension pack should be verified. As the installation
requires system privileges, VirtualBox will ask for the system
password during the installation of the extension pack.

<title>Post Installation Configuration</title>

Normally there is no post installation configuration of VirtualBox components
required. However, on Solaris and Linux hosts it is necessary to configure
the proper permissions for users executing VMs and who should be able to
access certain host resources. For instance, Linux users must be members of
the <emphasis>vboxusers</emphasis> group to be able to pass USB devices to a
guest. If a serial host interface should be accessed from a VM, the proper
permissions must be granted to the user to be able to access that device.
The same applies to other resources like raw partitions, DVD/CD drives
<title>Security Features</title>
<para>This section outlines the specific security mechanisms offered
by VirtualBox.</para>

<title>The Security Model</title>

One property of virtual machine monitors (VMMs) like VirtualBox is to encapsulate
a guest by executing it in a protected environment, a virtual machine,
running as a user process on the host operating system. The guest cannot
communicate directly with the hardware or other computers but only through
the VMM. The VMM provides emulated physical resources and devices to the
guest which are accessed by the guest operating system to perform the required
tasks. The VM settings control the resources provided to the guest, for example
the amount of guest memory or the number of guest processors (see
<xref linkend="generalsettings"/>), and the enabled features for that guest
(for example remote control, certain screen settings and others).
<title>Secure Configuration of Virtual Machines</title>

Several aspects of a virtual machine configuration are subject to security
considerations.</para>

<title>Networking</title>

The default networking mode for VMs is NAT, which means that
the VM acts like a computer behind a router, see
<xref linkend="network_nat"/>. The guest is part of a private
subnet belonging to this VM and the guest IP is not visible
from the outside. This networking mode works without
any additional setup and is sufficient for many purposes.

If bridged networking is used, the VM acts like a computer inside
the same network as the host, see <xref linkend="network_bridged"/>.
In this case, the guest has the same network access as the host and
a firewall might be necessary to protect other computers on the
subnet from a potentially malicious guest as well as to protect the
guest from direct access from other computers. In some cases it is
worth considering using a forwarding rule for a specific port in NAT
mode instead of using bridged networking.

Some setups do not require a VM to be connected to the public network
at all. Internal networking (see <xref linkend="network_internal"/>)
or host-only networking (see <xref linkend="network_hostonly"/>)
are often sufficient to connect VMs among each other or to connect
VMs only with the host but not with the public network.

<title>VRDP remote desktop authentication</title>
<para>When using the VirtualBox extension pack provided by Oracle
for VRDP remote desktop support, you can optionally use various
methods to configure RDP authentication. The "null" method is
very insecure and should be avoided in a public network.
See <xref linkend="vbox-auth" /> for details.</para>

<title>Clipboard</title>

The shared clipboard allows users to share data between the host and
the guest. Enabling the clipboard in "Bidirectional" mode allows
the guest to read and write the host clipboard. The "Host to guest"
mode and the "Guest to host" mode limit the access to one
direction. If the guest is able to access the host clipboard it
could also access sensitive data from the host which is shared over

<title>3D graphics acceleration</title>
<para>Enabling 3D graphics via the Guest Additions exposes the host
to additional security risks; see <xref
linkend="guestadd-3d" />.</para>

<title>CD/DVD passthrough</title>
<para>Enabling CD/DVD passthrough allows the guest to perform advanced
operations on the CD/DVD drive, see <xref linkend="storage-cds"/>.
This could induce a security risk as a guest could overwrite data

<title>USB passthrough</title>

Passing USB devices to the guest provides the guest full access
to these devices, see <xref linkend="settings-usb"/>. For instance,
in addition to reading and writing the content of the partitions
of an external USB disk the guest will also be able to read and
write the partition table and hardware data of that disk.
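To check an existing machine against the points in this section (networking mode, VRDP authentication, clipboard mode, 3D acceleration and USB passthrough), here is an added example, not code from the VirtualBox manual: a POSIX shell audit of the key="value" lines that VBoxManage showvminfo --machinereadable prints. The key names and values used, and the two sample outputs, are assumptions constructed for the demo rather than captured from a real machine.

```shell
# Constructed sample of `VBoxManage showvminfo <vm> --machinereadable` output;
# the key names and values are assumed from that format, not captured output.
RISKY_VMINFO='name="build-box"
clipboard="Bidirectional"
accelerate3d="on"
nic1="bridged"
nic2="nat"
usb="on"
vrde="on"
vrdeauthtype="NULL"'

# The same machine after following this section's recommendations (also constructed).
HARDENED_VMINFO='name="build-box"
clipboard="disabled"
accelerate3d="off"
nic1="nat"
nic2="none"
usb="off"
vrde="off"
vrdeauthtype="NULL"'

# vminfo_get INFO KEY: print the value of the key="value" line for KEY, or nothing.
vminfo_get() {
    printf '%s\n' "$1" | sed -n 's/^'"$2"'="\(.*\)"$/\1/p'
}

# audit_vminfo INFO: print one finding per setting this guide flags as risky.
audit_vminfo() {
    info=$1
    case "$(vminfo_get "$info" clipboard)" in
        Bidirectional|GuestToHost)
            echo "clipboard: guest can write the host clipboard; use HostToGuest or disabled" ;;
    esac
    [ "$(vminfo_get "$info" accelerate3d)" = on ] &&
        echo "accelerate3d: 3D acceleration via the Guest Additions exposes the host"
    i=1
    while [ "$i" -le 8 ]; do   # adapters are listed as nic1..nic8
        [ "$(vminfo_get "$info" "nic$i")" = bridged ] &&
            echo "nic$i: bridged, guest shares the host's network access; consider NAT plus a port-forwarding rule"
        i=$((i + 1))
    done
    [ "$(vminfo_get "$info" usb)" = on ] &&
        echo "usb: passthrough gives the guest full access to attached devices"
    if [ "$(vminfo_get "$info" vrde)" = on ] && [ "$(vminfo_get "$info" vrdeauthtype)" = NULL ]; then
        echo "vrde: null authentication, anyone reaching the VRDP port gets the console"
    fi
    return 0
}

# For a live machine: audit_vminfo "$(VBoxManage showvminfo "$VM" --machinereadable)"
```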
<title>Configuring and Using Authentication</title>

<para>The following components of VirtualBox can use passwords for
authentication:<itemizedlist>

<para>When using teleporting, passwords can optionally be used to

linkend="VirtualBoxAPI" />.</para>

</itemizedlist></para>
<title>Configuring and Using Access Control</title>

<title>Configuring and Using Security Audit</title>

<title>Configuring and Using Other Security Features</title>

<title>Potentially insecure operations</title>

<para>The following features of VirtualBox can present security
problems:<itemizedlist>

<para>Enabling 3D graphics via the Guest Additions exposes the host
to additional security risks; see <xref
linkend="guestadd-3d" />.</para>

<para>When teleporting a machine, the data stream through which the
machine's memory contents are transferred from one host to another
is not encrypted. A third party with access to the network through
which the data is transferred could therefore intercept that
data. An SSH tunnel could be used to secure the connection between
the two hosts. But when considering teleporting a VM over an untrusted
network, the first question to answer is how both VMs can securely
access the same virtual disk image(s) with reasonable performance.</para>

<para>When using the VirtualBox web service to control a VirtualBox
host remotely, connections to the web service (through which the API
calls are transferred via SOAP XML) are not encrypted, but use plain
HTTP. This is a potential security risk! For details about the web
service, please see <xref linkend="VirtualBoxAPI" />.</para>

<para>Traffic sent over a UDP Tunnel network attachment is not
encrypted. You can either encrypt it on the host network level (with
IPsec), or use encrypted protocols in the guest network (such as
SSH). The security properties are similar to bridged Ethernet.</para>

</itemizedlist></para>

<title>Encryption</title>

<para>The following components of VirtualBox use encryption to protect
sensitive data:<itemizedlist>

<para>When using the VirtualBox extension pack provided by Oracle
for VRDP remote desktop support, RDP data can optionally be