Several things to make virtualbox more secure.
-
- Posts: 2
- Joined: 17. Jun 2016, 16:23
Several things to make virtualbox more secure.
Hi. I suggest that Virtualbox can be compiled with PIE(Position independent executable), SSP(Stack smashing protection), RELRO, BIND_NOW to make it harder to exploit even if there is 0-day vulnerability. Google Chrome on Linux and Vmware Player has enforced these protections already.
Re: Several things to make virtualbox more secure.
Feel free (not only you, everyone is welcome!) to contribute. PIE already should work (disabling in the few places where it can't work).
Oh, and where's the evidence that VMware Player is using all the preventive security measures you're listing? Just curious.
Oh, and where's the evidence that VMware Player is using all the preventive security measures you're listing? Just curious.
-
- Posts: 2
- Joined: 17. Jun 2016, 16:23
Re: Several things to make virtualbox more secure.
I'm going to install a VMM on my hardened gentoo but I afraid a VMM without these security measures will ruin my system because there will be several processes with root permission and kernel modules. So I downloaded Virtualbox and Vmware Player and checked binaries in them by checksec (It can be downloaded from github: slimm609/checksec.sh) I checked vmware's installer and checksec said:klaus wrote:Feel free (not only you, everyone is welcome!) to contribute. PIE already should work (disabling in the few places where it can't work).
Oh, and where's the evidence that VMware Player is using all the preventive security measures you're listing? Just curious.
Code: Select all
COMMAND PID RELRO STACK CANARY SECCOMP NX/PaX PIE FORTIFY
vmis-launcher 13704 Full RELRO Canary found No Seccomp PaX enabled PIE enabled Yes
Code: Select all
RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE
Partial RELRO No canary found NX enabled No PIE No RPATH No RUNPATH No 0 5 VirtualBox
Partial RELRO No canary found NX enabled No PIE No RPATH No RUNPATH No 0 5 VBoxNetNAT
Partial RELRO No canary found NX enabled No PIE RPATH No RUNPATH No 0 13 VBoxSVC
I know it's difficult to enforce all these measures because it's VMM. What I want to convey is that Vmware and Google has already adjusted their toolchains and we can do it too.