Table of Contents
The following principles are fundamental to using any application securely.
One of the principles of good security practise is to keep all software versions and patches up to date. Activate the VirtualBox update notification to get notified when a new VirtualBox release is available. When updating VirtualBox, do not forget to update the Guest Additions. Keep the host operating system as well as the guest operating system up to date.
Use proper means, for instance a firewall, to protect your computer and your guest(s) from accesses from the outside. Choosing the proper networking mode for VMs helps to separate host networking from the guest and vice versa.
The principle of least privilege states that users should be given the least amount of privilege necessary to perform their jobs. Always execute VirtualBox as a regular user. We strongly discourage anyone from executing VirtualBox with system privileges.
Choose restrictive permissions when creating configuration files, for instance when creating /etc/default/virtualbox, see the section called “Automatic installation options”. Mode 0600 would be preferred.
System security builds on three pillars: good security protocols, proper system configuration and system monitoring. Auditing and reviewing audit records address the third requirement. Each component within a system has some degree of monitoring capability. Follow audit advice in this document and regularly monitor audit records.
Oracle continually improves its software and documentation. Check this note note yearly for revisions.
The VirtualBox base package should be downloaded only from a trusted source, for instance the official website http://www.virtualbox.org. The integrity of the package should be verified with the provided SHA256 checksum which can be found on the official website.
General VirtualBox installation instructions for the supported hosts can be found in Chapter 2, Installation details.
On Windows hosts, the installer allows for disabling USB support, support for bridged networking, support for host-only networking and the Python language bindings, see the section called “Installing on Windows hosts”. All these features are enabled by default but disabling some of them could be appropriate if the corresponding functionality is not required by any virtual machine. The Python language bindings are only required if the VirtualBox API is to be used by external Python applications. In particular USB support and support for the two networking modes require the installation of Windows kernel drivers on the host. Therefore disabling those selected features can not only be used to restrict the user to certain functionality but also to minimize the surface provided to a potential attacker.
The general case is to install the complete VirtualBox package. The installation must be done with system privileges. All VirtualBox binaries should be executed as a regular user and never as a privileged user.
The Oracle VM VirtualBox extension pack provides additional features and must be downloaded and installed separately, see the section called “Installing VirtualBox and extension packs”. As for the base package, the SHA256 checksum of the extension pack should be verified. As the installation requires system privileges, VirtualBox will ask for the system password during the installation of the extension pack.
Normally there is no post installation configuration of VirtualBox components required. However, on Solaris and Linux hosts it is necessary to configure the proper permissions for users executing VMs and who should be able to access certain host resources. For instance, Linux users must be member of the vboxusers group to be able to pass USB devices to a guest. If a serial host interface should be accessed from a VM, the proper permissions must be granted to the user to be able to access that device. The same applies to other resources like raw partitions, DVD/CD drives and sound devices.
This section outlines the specific security mechanisms offered by VirtualBox.
One property of virtual machine monitors (VMMs) like VirtualBox is to encapsulate a guest by executing it in a protected environment, a virtual machine, running as a user process on the host operating system. The guest cannot communicate directly with the hardware or other computers but only through the VMM. The VMM provides emulated physical resources and devices to the guest which are accessed by the guest operating system to perform the required tasks. The VM settings control the resources provided to the guest, for example the amount of guest memory or the number of guest processors, (see the section called “General settings”) and the enabled features for that guest (for example remote control, certain screen settings and others).
Several aspects of a virtual machine configuration are subject to security considerations.
The default networking mode for VMs is NAT which means that the VM acts like a computer behind a router, see the section called “Network Address Translation (NAT)”. The guest is part of a private subnet belonging to this VM and the guest IP is not visible from the outside. This networking mode works without any additional setup and is sufficient for many purposes.
If bridged networking is used, the VM acts like a computer inside the same network as the host, see the section called “Bridged networking”. In this case, the guest has the same network access as the host and a firewall might be necessary to protect other computers on the subnet from a potential malicious guest as well as to protect the guest from a direct access from other computers. In some cases it is worth considering using a forwarding rule for a specific port in NAT mode instead of using bridged networking.
Some setups do not require a VM to be connected to the public network at all. Internal networking (see the section called “Internal networking”) or host-only networking (see the section called “Host-only networking”) are often sufficient to connect VMs among each other or to connect VMs only with the host but not with the public network.
When using the VirtualBox extension pack provided by Oracle for VRDP remote desktop support, you can optionally use various methods to configure RDP authentication. The "null" method is very insecure and should be avoided in a public network. See the section called “RDP authentication” for details.
The shared clipboard allows users to share data between the host and the guest. Enabling the clipboard in "Bidirectional" mode allows the guest to read and write the host clipboard. The "Host to guest" mode and the "Guest to host" mode limit the access to one direction. If the guest is able to access the host clipboard it can also potentially access sensitive data from the host which is shared over the clipboard.
If the guest is able to read from and/or write to the host clipboard then a remote user connecting to the guest over the network will also gain this ability, which may not be desirable. As a consequence, the shared clipboard is disabled for new machines.
If any host folder is shared with the guest then a remote user connected to the guest over the network can access these files too as the folder sharing mechanism cannot be selectively disabled for remote users.
Enabling 3D graphics via the Guest Additions exposes the host to additional security risks; see the section called “Hardware 3D acceleration (OpenGL and Direct3D 8/9)”.
Enabling CD/DVD passthrough allows the guest to perform advanced operations on the CD/DVD drive, see the section called “CD/DVD support”. This could induce a security risk as a guest could overwrite data on a CD/DVD medium.
Passing USB devices to the guest provides the guest full access to these devices, see the section called “USB settings”. For instance, in addition to reading and writing the content of the partitions of an external USB disk the guest will be also able to read and write the partition table and hardware data of that disk.
The following components of VirtualBox can use passwords for authentication:
When using remote iSCSI storage and the storage server
requires authentication, an initiator secret can optionally be supplied
with the VBoxManage storageattach
command. As long as no settings password is provided (command line
option
--settingspwfile
, this secret is stored unencrypted in the machine configuration and is therefore potentially readable on the host. See the section called “iSCSI servers” and the section called “VBoxManage storageattach”.
When using the VirtualBox web service to control a VirtualBox host remotely, connections to the web service are authenticated in various ways. This is described in detail in the VirtualBox Software Development Kit (SDK) reference; please see Chapter 11, VirtualBox programming interfaces.
The following features of VirtualBox can present security problems:
Enabling 3D graphics via the Guest Additions exposes the host to additional security risks; see the section called “Hardware 3D acceleration (OpenGL and Direct3D 8/9)”.
When teleporting a machine, the data stream through which the machine's memory contents are transferred from one host to another is not encrypted. A third party with access to the network through which the data is transferred could therefore intercept that data. An SSH tunnel could be used to secure the connection between the two hosts. But when considering teleporting a VM over an untrusted network the first question to answer is how both VMs can securely access the same virtual disk image(s) with a reasonable performance.
When using the VirtualBox web service to control a VirtualBox host remotely, connections to the web service (through which the API calls are transferred via SOAP XML) are not encrypted, but use plain HTTP by default. This is a potential security risk! For details about the web service, please see Chapter 11, VirtualBox programming interfaces.
The web services are not started by default. Please refer to the section called “Starting the VirtualBox web service automatically” to find out how to start this service and how to enable SSL/TLS support. It has to be started as a regular user and only the VMs of that user can be controled. By default, the service binds to localhost preventing any remote connection.
Traffic sent over a UDP Tunnel network attachment is not encrypted. You can either encrypt it on the host network level (with IPsec), or use encrypted protocols in the guest network (such as SSH). The security properties are similar to bridged Ethernet.
The following components of VirtualBox use encryption to protect sensitive data:
When using the VirtualBox extension pack provided by Oracle for VRDP remote desktop support, RDP data can optionally be encrypted. See the section called “RDP encryption” for details. Only the Enhanced RDP Security method (RDP5.2) with TLS protocol provides a secure connection. Standard RDP Security (RDP4 and RDP5.1) is vulnerable to a man-in-the-middle attack.