Allow option to disable "hardening" introduced in 4.3.14

poncho524
Posts: 50
Joined: 5. Mar 2008, 17:38

Post by poncho524 »

Adding an option to disable hardening would be fantastic as adding this "feature" seems to cause problems for a lot of people.

Let those who are concerned about "hardening" keep it enabled; for the rest of us who understand our host systems, let us bypass that check.

Or... does anyone want to help put a team together to fork VB and make a build that doesn't include these "features"?
Perryg
Site Moderator
Posts: 34369
Joined: 6. Sep 2008, 22:55
Primary OS: Linux other
VBox Version: OSE self-compiled
Guest OSses: *NIX

Post by Perryg »

That would be a very bad idea. I for one would not want to be on the side that gets sued.

Post by poncho524 »

Perryg wrote: That would be a very bad idea. I for one would not want to be on the side that gets sued.
Sued by whom? For what exactly?

I can see Oracle wanting their products all buttoned up just to tell a good story and sell to their paying clients that demand this kind of requirement. But VBox is also sort of FOSS, which allows users to see what the code is doing... and it isn't standard practice that applications act this way.

If a host system is compromised, then that's not the fault of the residing applications.
socratis
Site Moderator
Posts: 27330
Joined: 22. Oct 2010, 11:03
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Win(*>98), Linux*, OSX>10.5
Location: Greece

Post by socratis »

poncho524 wrote: to help put a team together to fork VB and make a build that doesn't include these "features"?
poncho524 wrote: VBox is also sort of FOSS, which allows users to see what the code is doing
Exactly correct on the second sentence, which means that you do not need a team or a fork. Just look through the code for VBOX_WITH_HARDENING. You should be able to figure it out in 10 minutes.

Post by poncho524 »

socratis wrote:
poncho524 wrote: to help put a team together to fork VB and make a build that doesn't include these "features"?
poncho524 wrote: VBox is also sort of FOSS, which allows users to see what the code is doing
Exactly correct on the second sentence, which means that you do not need a team or a fork. Just look through the code for VBOX_WITH_HARDENING. You should be able to figure it out in 10 minutes.
Right, I've looked at the code. I just don't have the Microsoft tools to rebuild :( otherwise I would and offer it to the world ;)

Post by Perryg »

I can't believe you understand why this is being done or the ramifications if it were not. Any intelligent person would want this to happen, even if it is a pain in the behind for a while.

Do you install the security updates to your host now?

Post by poncho524 »

Perryg wrote: I can't believe you understand why this is being done or the ramifications if it were not. Any intelligent person would want this to happen, even if it is a pain in the behind for a while.

Do you install the security updates to your host now?
Ok, then help us all understand. This is FOSS, why is the "why" being kept so secret? Instead of dodging the questions, educate us all, please.

I can appreciate the idea of hardening (I'm a sw developer, I try to do these things too).

Post by Perryg »

If you are a developer then you already know why the reason is not being published. Exploits are in the wild and no one wants to go there.
michaln
Oracle Corporation
Posts: 2973
Joined: 19. Dec 2007, 15:45
Primary OS: MS Windows 7
VBox Version: PUEL
Guest OSses: Any and all

Post by michaln »

poncho524 wrote: Right, I've looked at the code. I just don't have the Microsoft tools to rebuild :( otherwise I would and offer it to the world ;)
Yes, with a footnote that your build is vulnerable to known exploits and that's what makes it different from Oracle's builds. I'm sure that would be very popular :) You'd also need (for starters) a driver signing key from VeriSign or one of the other companies, which would probably set you back a few hundred dollars a year.

Mind you, you can do this and Oracle can't stop you.

Post by poncho524 »

michaln wrote: Yes, with a footnote that your build is vulnerable to known exploits and that's what makes it different from Oracle's builds. I'm sure that would be very popular :) You'd also need (for starters) a driver signing key from VeriSign or one of the other companies, which would probably set you back a few hundred dollars a year.

Mind you, you can do this and Oracle can't stop you.
Vulnerable to DLL injection? Most applications are. And most attempts to protect against it are reactionary.

Like I said, if you trust your host, and your AV (which usually monitors for DLL injection), then the "known exploits" are the same ones known for almost all apps.

But just as Windows warns you about unsigned drivers, it still gives you the option to install them anyway; why wouldn't VBox offer the same option?

Post by Perryg »

This topic has gone from a suggestion to a discussion. Moving to using VirtualBox.

Post by Perryg »

Most applications don't do what VirtualBox does and there is simply no comparison. Beyond that I see there is no convincing going to take place so I am resigning my attempt to educate on this subject.

Post by michaln »

I agree with Perry that discussion appears to be pointless.

If you want to build and distribute VirtualBox for Windows yourself, go for it. And good luck, you'll need it.

Post by poncho524 »

Perryg wrote: Most applications don't do what VirtualBox does and there is simply no comparison. Beyond that I see there is no convincing going to take place so I am resigning my attempt to educate on this subject.
Well, your attempts to educate have been poor indeed.

You could say something like:
(a) The vulnerability allows for arbitrary code to be run with privileges on the Host OS, given that the Host OS has already been compromised.
[or] (b) This could allow crossover from guest to host (if that's true, that would be a Big Deal)
[or] (c) There's a big problem where VB opens all ports and allows any remote attacker access to execute arbitrary code on the Host OS (which I'm sure isn't true).

So what is the general thing that's being fixed? I'm not looking for specific details about how to perform an exploit; just what was the general problem and general goal?

I'm not trying to argue. I'm just frustrated at the complete lack of information. This wasn't mentioned in the release notes AT ALL. Why? Usually release notes want to take credit for patching a security hole.

I'm mainly concerned that this was a hasty way to deal with a perceived problem (an inherent problem of Windows) that ultimately makes the application less usable. Are the developers going to have to explicitly white-list every single user request? Is this going to be a huge maintenance problem with little to no payoff (since you can't control what happens on the Host OS)?

Post by michaln »

The problem was, in a nutshell, privilege escalation on the host. In other words, trouble caused by a malicious user or malicious software running with user privileges.