Allow option to disable "hardening" introduced in 4.3.14


Postby poncho524 » 31. Jul 2014, 16:32

Adding an option to disable hardening would be fantastic as adding this "feature" seems to cause problems for a lot of people.

Let those who are concerned about "hardening" keep it enabled, for the rest of us who understand our host systems, let us bypass that check.

Or... does anyone want to help put a team together to fork VB and make a build that doesn't include these "features"?
poncho524
 
Posts: 45
Joined: 5. Mar 2008, 17:38

Postby Perryg » 31. Jul 2014, 16:39

That would be a very bad idea. I for one would not want to be on the side that gets sued.
Perryg
Site Moderator
 
Posts: 34373
Joined: 6. Sep 2008, 22:55
Primary OS: Linux other
VBox Version: OSE self-compiled
Guest OSses: *NIX

Postby poncho524 » 31. Jul 2014, 16:43

Perryg wrote:That would be a very bad idea. I for one would not want to be on the side that gets sued.

Sued by whom? For what exactly?

I can see Oracle wanting their products all buttoned up just to tell a good story and sell to their paying clients that demand this kind of requirement. But VBox is also sort of FOSS, which allows users to see what the code is doing... and it isn't standard practice that applications act this way.

If a host system is compromised, then that's not the fault of the residing applications.
poncho524

Postby socratis » 31. Jul 2014, 16:54

poncho524 wrote:to help put a team together to fork VB and make a build that doesn't include these "features"?
poncho524 wrote:VBox is also sort of FOSS, which allows users to see what the code is doing

Exactly correct on the second sentence, which means that you do not need a team or a fork. Just look through the code for VBOX_WITH_HARDENING. You should be able to figure it out in 10 minutes.
socratis
Site Moderator
 
Posts: 26871
Joined: 22. Oct 2010, 11:03
Location: Greece
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Win(*>98), Linux*, OSX>10.5

Postby poncho524 » 31. Jul 2014, 17:00

socratis wrote:
poncho524 wrote:to help put a team together to fork VB and make a build that doesn't include these "features"?
poncho524 wrote:VBox is also sort of FOSS, which allows users to see what the code is doing

Exactly correct on the second sentence, which means that you do not need a team or a fork. Just look through the code for VBOX_WITH_HARDENING. You should be able to figure it out in 10 minutes.

Right, I've looked at the code. I just don't have the Microsoft tools to rebuild :( otherwise I would and offer it to the world ;)
poncho524

Postby Perryg » 31. Jul 2014, 17:01

I can't believe you understand why this is being done or the ramifications if it were not. Any intelligent person would want this to happen, even if it is a pain in the behind for a while.

Do you install the security updates to your host now?
Perryg

Postby poncho524 » 31. Jul 2014, 17:09

Perryg wrote:I can't believe you understand why this is being done or the ramifications if it were not. Any intelligent person would want this to happen, even if it is a pain in the behind for a while.

Do you install the security updates to your host now?


Ok, then help us all understand. This is FOSS, why is the "why" being kept so secret? Instead of dodging the questions, educate us all, please.

I can appreciate the idea of hardening (I'm a sw developer, I try to do these things too).
poncho524

Postby Perryg » 31. Jul 2014, 17:12

If you are a developer then you already know why the reason is not being published. Exploits are in the wild and no one wants to go there.
Perryg

Postby michaln » 31. Jul 2014, 18:19

poncho524 wrote:Right, I've looked at the code. I just don't have the Microsoft tools to rebuild :( otherwise I would and offer it to the world ;)

Yes, with a footnote that your build is vulnerable to known exploits and that's what makes it different from Oracle's builds. I'm sure that would be very popular :) You'd also need (for starters) a driver signing key from VeriSign or one of the other companies, which would probably set you back a few hundred dollars a year.

Mind you, you can do this and Oracle can't stop you.
michaln
Oracle Corporation
 
Posts: 2962
Joined: 19. Dec 2007, 15:45
Primary OS: MS Windows 7
VBox Version: PUEL
Guest OSses: Any and all

Postby poncho524 » 31. Jul 2014, 18:30

michaln wrote:Yes, with a footnote that your build is vulnerable to known exploits and that's what makes it different from Oracle's builds. I'm sure that would be very popular :) You'd also need (for starters) a driver signing key from VeriSign or one of the other companies, which would probably set you back a few hundred dollars a year.

Mind you, you can do this and Oracle can't stop you.

Vulnerable to DLL injection? Most applications are. And most attempts to protect against it are reactionary.

Like I said, if you trust your host, and your AV (which usually monitors for DLL injection), then the "known exploits" are the same ones known for almost all apps.

But just as Windows warns you about unsigned drivers, it still gives you the option to install them anyway; why wouldn't VBox offer the same option?
poncho524

Postby Perryg » 31. Jul 2014, 18:38

This topic has gone from a suggestion to a discussion. Moving to using VirtualBox.
Perryg

Postby Perryg » 31. Jul 2014, 18:40

Most applications don't do what VirtualBox does and there is simply no comparison. Beyond that I see there is no convincing going to take place so I am resigning my attempt to educate on this subject.
Perryg

Postby michaln » 31. Jul 2014, 18:53

I agree with Perry that discussion appears to be pointless.

If you want to build and distribute VirtualBox for Windows yourself, go for it. And good luck, you'll need it.
michaln

Postby poncho524 » 31. Jul 2014, 19:37

Perryg wrote:Most applications don't do what VirtualBox does and there is simply no comparison. Beyond that I see there is no convincing going to take place so I am resigning my attempt to educate on this subject.

Well your attempts to educate have been poor indeed.

You could say something like:
(a) The vulnerability allows for arbitrary code to be run with privileges on the Host OS, given that the Host OS has already been compromised.
[or] (b) This could allow crossover from guest to host (if that's true, that would be a Big Deal)
[or] (c) There's a big problem where VB opens all ports and allows any remote attacker access to execute arbitrary code on the Host OS (which I'm sure isn't true).

So what is the general thing that's being fixed? I'm not looking for specific details about How to perform an exploit; just what was the general problem and general goal?

I'm not trying to argue. I'm just frustrated at the complete lack of information. This wasn't mentioned in the release notes AT ALL. Why? Usually release notes want to take credit for patching a security hole.

I'm mainly concerned that this was a hasty way to deal with a perceived problem (an inherent problem of Windows) that ultimately makes the application less usable. Are the developers going to have to explicitly white-list every single user request? Is this going to be a huge maintenance problem with little to no payoff (since you can't control what happens on the Host OS)?
poncho524

Postby michaln » 31. Jul 2014, 19:57

The problem was, in a nutshell, privilege escalation on the host. In other words, trouble caused by a malicious user or malicious software running with user privileges.
michaln