6.3. Security Features

This section outlines the specific security mechanisms offered by Oracle VM VirtualBox.

6.3.1. The Security Model

One property of virtual machine monitors (VMMs) like Oracle VM VirtualBox is to encapsulate a guest by executing it in a protected environment, a virtual machine, running as a user process on the host operating system. The guest cannot communicate directly with the hardware or other computers but only through the VMM. The VMM provides emulated physical resources and devices to the guest which are accessed by the guest operating system to perform the required tasks. The VM settings control the resources provided to the guest, for example the amount of guest memory or the number of guest processors and the enabled features for that guest. For example remote control, certain screen settings and others. See General Settings.

6.3.2. Secure Configuration of Virtual Machines

Several aspects of a virtual machine configuration are subject to security considerations.

6.3.2.1. Networking

The default networking mode for VMs is NAT which means that the VM acts like a computer behind a router, see Network Address Translation (NAT). The guest is part of a private subnet belonging to this VM and the guest IP is not visible from the outside. This networking mode works without any additional setup and is sufficient for many purposes.

If bridged networking is used, the VM acts like a computer inside the same network as the host, see Bridged Networking. In this case, the guest has the same network access as the host and a firewall might be necessary to protect other computers on the subnet from a potential malicious guest as well as to protect the guest from a direct access from other computers. In some cases it is worth considering using a forwarding rule for a specific port in NAT mode instead of using bridged networking.

Some setups do not require a VM to be connected to the public network at all. Internal networking, see Internal Networking, or host-only networking, see Host-Only Networking, are often sufficient to connect VMs among each other or to connect VMs only with the host but not with the public network.

6.3.2.2. VRDP Remote Desktop Authentication

When using the Oracle VM VirtualBox Extension Pack provided by Oracle for VRDP remote desktop support, you can optionally use various methods to configure RDP authentication. The "null" method is very insecure and should be avoided in a public network. See Section 1.1.5, “RDP Authentication”.

6.3.2.3. Clipboard

The shared clipboard enables users to share data between the host and the guest. Enabling the clipboard in Bidirectional mode enables the guest to read and write the host clipboard. The Host to Guest mode and the Guest to Host mode limit the access to one direction. If the guest is able to access the host clipboard it can also potentially access sensitive data from the host which is shared over the clipboard.

If the guest is able to read from and/or write to the host clipboard then a remote user connecting to the guest over the network will also gain this ability, which may not be desirable. As a consequence, the shared clipboard is disabled for new machines.

6.3.2.4. Shared Folders

If any host folder is shared with the guest then a remote user connected to the guest over the network can access these files too as the folder sharing mechanism cannot be selectively disabled for remote users.

6.3.2.5. 3D Graphics Acceleration

Enabling 3D graphics using the Guest Additions exposes the host to additional security risks. See Hardware 3D Acceleration (OpenGL and Direct3D 8/9).

6.3.2.6. CD/DVD Passthrough

Enabling CD/DVD passthrough enables the guest to perform advanced operations on the CD/DVD drive, see CD/DVD Support. This could induce a security risk as a guest could overwrite data on a CD/DVD medium.

6.3.2.7. USB Passthrough

Passing USB devices to the guest provides the guest full access to these devices, see USB Settings. For instance, in addition to reading and writing the content of the partitions of an external USB disk the guest will be also able to read and write the partition table and hardware data of that disk.

6.3.3. Configuring and Using Authentication

The following components of Oracle VM VirtualBox can use passwords for authentication:

  • When using remote iSCSI storage and the storage server requires authentication, an initiator secret can optionally be supplied with the VBoxManage storageattach command. As long as no settings password is provided, by using the command line option --settingspwfile, then this secret is stored unencrypted in the machine configuration and is therefore potentially readable on the host. See iSCSI Servers and VBoxManage storageattach.

  • When using the Oracle VM VirtualBox web service to control an Oracle VM VirtualBox host remotely, connections to the web service are authenticated in various ways. This is described in detail in the Oracle VM VirtualBox Software Development Kit (SDK) reference. See Chapter 4, Oracle VM VirtualBox Programming Interfaces.

6.3.4. Potentially Insecure Operations

The following features of Oracle VM VirtualBox can present security problems:

  • Enabling 3D graphics using the Guest Additions exposes the host to additional security risks. See Hardware 3D Acceleration (OpenGL and Direct3D 8/9).

  • When teleporting a machine, the data stream through which the machine's memory contents are transferred from one host to another is not encrypted. A third party with access to the network through which the data is transferred could therefore intercept that data. An SSH tunnel could be used to secure the connection between the two hosts. But when considering teleporting a VM over an untrusted network the first question to answer is how both VMs can securely access the same virtual disk image with a reasonable performance.

  • When Page Fusion, see Page Fusion, is enabled, it is possible that a side-channel opens up that enables a malicious guest to determine the address space of another VM running on the same host layout. For example, where DLLs are typically loaded. This information leak in itself is harmless, however the malicious guest may use it to optimize attack against that VM through unrelated attack vectors. It is recommended to only enable Page Fusion if you do not think this is a concern in your setup.

  • When using the Oracle VM VirtualBox web service to control an Oracle VM VirtualBox host remotely, connections to the web service, over which the API calls are transferred using SOAP XML, are not encrypted. They use plain HTTP by default. This is a potential security risk. For details about the web service, see Chapter 4, Oracle VM VirtualBox Programming Interfaces.

    The web services are not started by default. See Section 2.19, “Starting the Oracle VM VirtualBox Web Service Automatically” to find out how to start this service and how to enable SSL/TLS support. It has to be started as a regular user and only the VMs of that user can be controlled. By default, the service binds to localhost preventing any remote connection.

  • Traffic sent over a UDP Tunnel network attachment is not encrypted. You can either encrypt it on the host network level, with IPsec, or use encrypted protocols in the guest network, such as SSH. The security properties are similar to bridged Ethernet.

  • Because of shortcomings in older Windows versions, using Oracle VM VirtualBox on Windows versions older than Vista with Service Pack 1 is not recommended.

6.3.5. Encryption

The following components of Oracle VM VirtualBox use encryption to protect sensitive data:

  • When using the Oracle VM VirtualBox Extension Pack provided by Oracle for VRDP remote desktop support, RDP data can optionally be encrypted. See Section 1.1.6, “RDP Encryption”. Only the Enhanced RDP Security method (RDP5.2) with TLS protocol provides a secure connection. Standard RDP Security (RDP4 and RDP5.1) is vulnerable to a man-in-the-middle attack.