Allow option to disable "hardening" introduced in 4.3.14

Posted: 31. Jul 2014, 16:32
by poncho524
Adding an option to disable hardening would be fantastic as adding this "feature" seems to cause problems for a lot of people.

Let those who are concerned about "hardening" keep it enabled, for the rest of us who understand our host systems, let us bypass that check.

Or... does anyone want to help put a team together to fork VB and make a build that doesn't include these "features"?

Re: Allow option to disable "hardening" introduced in 4.3.14

Posted: 31. Jul 2014, 16:39
by Perryg
That would be a very bad idea. I for one would not want to be on the side that gets sued.

Re: Allow option to disable "hardening" introduced in 4.3.14

Posted: 31. Jul 2014, 16:43
by poncho524
Perryg wrote: That would be a very bad idea. I for one would not want to be on the side that gets sued.

Sued by whom? For what exactly?

I can see Oracle wanting their products all buttoned up just to tell a good story and sell to their paying clients that demand this kind of requirement. But VBox is also sort of FOSS, which allows users to see what the code is doing... and it isn't standard practice that applications act this way.

If a host system is compromised, then that's not the fault of the residing applications.

Re: Allow option to disable "hardening" introduced in 4.3.14

Posted: 31. Jul 2014, 16:54
by socratis
poncho524 wrote: to help put a team together to fork VB and make a build that doesn't include these "features"?
poncho524 wrote: VBox is also sort of FOSS, which allows users to see what the code is doing

Exactly correct on the second sentence, which means that you do not need a team or a fork. Just look through the code for VBOX_WITH_HARDENING. You should be able to figure it out in 10 minutes.

Re: Allow option to disable "hardening" introduced in 4.3.14

Posted: 31. Jul 2014, 17:00
by poncho524
socratis wrote:
poncho524 wrote: to help put a team together to fork VB and make a build that doesn't include these "features"?
poncho524 wrote: VBox is also sort of FOSS, which allows users to see what the code is doing

Exactly correct on the second sentence, which means that you do not need a team or a fork. Just look through the code for VBOX_WITH_HARDENING. You should be able to figure it out in 10 minutes.

Right, I've looked at the code. I just don't have the Microsoft tools to rebuild :( otherwise I would and offer it to the world ;)

Re: Allow option to disable "hardening" introduced in 4.3.14

Posted: 31. Jul 2014, 17:01
by Perryg
I can't believe you understand why this is being done or the ramifications if it were not. Any intelligent person would want this to happen, even if it is a pain in the behind for a while.

Do you install the security updates to your host now?

Re: Allow option to disable "hardening" introduced in 4.3.14

Posted: 31. Jul 2014, 17:09
by poncho524
Perryg wrote: I can't believe you understand why this is being done or the ramifications if it were not. Any intelligent person would want this to happen, even if it is a pain in the behind for a while.

Do you install the security updates to your host now?


Ok, then help us all understand. This is FOSS, why is the "why" being kept so secret? Instead of dodging the questions, educate us all, please.

I can appreciate the idea of hardening (I'm a sw developer, I try to do these things too).

Re: Allow option to disable "hardening" introduced in 4.3.14

Posted: 31. Jul 2014, 17:12
by Perryg
If you are a developer then you already know why the reason is not being published. Exploits are in the wild and no one wants to go there.

Re: Allow option to disable "hardening" introduced in 4.3.14

Posted: 31. Jul 2014, 18:19
by michaln
poncho524 wrote: Right, I've looked at the code. I just don't have the Microsoft tools to rebuild :( otherwise I would and offer it to the world ;)

Yes, with a footnote that your build is vulnerable to known exploits and that's what makes it different from Oracle's builds. I'm sure that would be very popular :) You'd also need (for starters) a driver signing key from VeriSign or one of the other companies, which would probably set you back a few hundred dollars a year.

Mind you, you can do this and Oracle can't stop you.

Re: Allow option to disable "hardening" introduced in 4.3.14

Posted: 31. Jul 2014, 18:30
by poncho524
michaln wrote: Yes, with a footnote that your build is vulnerable to known exploits and that's what makes it different from Oracle's builds. I'm sure that would be very popular :) You'd also need (for starters) a driver signing key from VeriSign or one of the other companies, which would probably set you back a few hundred dollars a year.

Mind you, you can do this and Oracle can't stop you.

Vulnerable to DLL injection? Most applications are. And most attempts to protect against it are reactionary.

Like I said, if you trust your host, and your AV (which usually monitors for DLL injection), then the "known exploits" are the same ones known for almost all apps.

But just as Windows warns you about unsigned drivers, it still gives you the option to install them anyway; why wouldn't VBox offer the same option?

Re: Allow option to disable "hardening" introduced in 4.3.14

Posted: 31. Jul 2014, 18:38
by Perryg
This topic has gone from a suggestion to a discussion. Moving to using VirtualBox.

Re: Allow option to disable "hardening" introduced in 4.3.14

Posted: 31. Jul 2014, 18:40
by Perryg
Most applications don't do what VirtualBox does and there is simply no comparison. Beyond that I see there is no convincing going to take place so I am resigning my attempt to educate on this subject.

Re: Allow option to disable "hardening" introduced in 4.3.14

Posted: 31. Jul 2014, 18:53
by michaln
I agree with Perry that discussion appears to be pointless.

If you want to build and distribute VirtualBox for Windows yourself, go for it. And good luck, you'll need it.

Re: Allow option to disable "hardening" introduced in 4.3.14

Posted: 31. Jul 2014, 19:37
by poncho524
Perryg wrote: Most applications don't do what VirtualBox does and there is simply no comparison. Beyond that I see there is no convincing going to take place so I am resigning my attempt to educate on this subject.

Well, your attempts to educate have been poor indeed.

You could say something like:
(a) The vulnerability allows for arbitrary code to be run with privileges on the Host OS, given that the Host OS has already been compromised.
[or] (b) This could allow crossover from guest to host (if that's true, that would be a Big Deal)
[or] (c) There's a big problem where VB opens all ports and allows any remote attacker access to execute arbitrary code on the Host OS (which I'm sure isn't true).

So what is the general thing that's being fixed? I'm not looking for specific details about how to perform an exploit; just what was the general problem and general goal?

I'm not trying to argue. I'm just frustrated at the complete lack of information. This wasn't mentioned in the release notes AT ALL. Why? Usually release notes want to take credit for patching a security hole.

I'm mainly concerned that this was a hasty way to deal with a perceived problem (an inherent problem of Windows) that ultimately makes the application less usable. Are the developers going to have to explicitly white-list every single user request? Is this going to be a huge maintenance problem with little to no payoff (since you can't control what happens on the Host OS)?

Re: Allow option to disable "hardening" introduced in 4.3.14

Posted: 31. Jul 2014, 19:57
by michaln
The problem was, in a nutshell, privilege escalation on the host. In other words, trouble caused by a malicious user or malicious software running with user privileges.