Allow option to disable "hardening" introduced in 4.3.14
Adding an option to disable hardening would be fantastic as adding this "feature" seems to cause problems for a lot of people.
Let those who are concerned about "hardening" keep it enabled, for the rest of us who understand our host systems, let us bypass that check.
Or... does anyone want to help put a team together to fork VB and make a build that doesn't include these "features"?
-
- Site Moderator
- Posts: 34369
- Joined: 6. Sep 2008, 22:55
- Primary OS: Linux other
- VBox Version: OSE self-compiled
- Guest OSses: *NIX
Re: Allow option to disable "hardening" introduced in 4.3.14
That would be a very bad idea. I for one would not want to be on the side that gets sued.
Re: Allow option to disable "hardening" introduced in 4.3.14
Perryg wrote: That would be a very bad idea. I for one would not want to be on the side that gets sued.
Sued by whom? For what exactly?
I can see Oracle wanting their products all buttoned up just to tell a good story and sell to their paying clients that demand this kind of requirement. But VBox is also sort of FOSS, which allows users to see what the code is doing... and it isn't standard practice that applications act this way.
If a host system is compromised, then that's not the fault of the residing applications.
-
- Site Moderator
- Posts: 27329
- Joined: 22. Oct 2010, 11:03
- Primary OS: Mac OS X other
- VBox Version: PUEL
- Guest OSses: Win(*>98), Linux*, OSX>10.5
- Location: Greece
Re: Allow option to disable "hardening" introduced in 4.3.14
poncho524 wrote: to help put a team together to fork VB and make a build that doesn't include these "features"?
poncho524 wrote: VBox is also sort of FOSS, which allows users to see what the code is doing
Exactly correct on the second sentence, which means that you do not need a team or a fork. Just look through the code for VBOX_WITH_HARDENING. You should be able to figure it out in 10 minutes.
Do NOT send me Personal Messages (PMs) for troubleshooting, they are simply deleted.
Do NOT reply with the "QUOTE" button, please use the "POST REPLY", at the bottom of the form.
If you obfuscate any information requested, I will obfuscate my response. These are virtual UUIDs, not real ones.
Re: Allow option to disable "hardening" introduced in 4.3.14
socratis wrote: Exactly correct on the second sentence, which means that you do not need a team or a fork. Just look through the code for VBOX_WITH_HARDENING. You should be able to figure it out in 10 minutes.
Right, I've looked at the code. I just don't have the Microsoft tools to rebuild otherwise I would and offer it to the world
-
- Site Moderator
- Posts: 34369
- Joined: 6. Sep 2008, 22:55
- Primary OS: Linux other
- VBox Version: OSE self-compiled
- Guest OSses: *NIX
Re: Allow option to disable "hardening" introduced in 4.3.14
I can't believe you understand why this is being done or the ramifications if it were not. Any intelligent person would want this to happen, even if it is a pain in the behind for a while.
Do you install the security updates to your host now?
Re: Allow option to disable "hardening" introduced in 4.3.14
Perryg wrote: I can't believe you understand why this is being done or the ramifications if it were not. Any intelligent person would want this to happen, even if it is a pain in the behind for a while. Do you install the security updates to your host now?
Ok, then help us all understand. This is FOSS, why is the "why" being kept so secret? Instead of dodging the questions, educate us all, please.
I can appreciate the idea of hardening (I'm a sw developer, I try to do these things too).
-
- Site Moderator
- Posts: 34369
- Joined: 6. Sep 2008, 22:55
- Primary OS: Linux other
- VBox Version: OSE self-compiled
- Guest OSses: *NIX
Re: Allow option to disable "hardening" introduced in 4.3.14
If you are a developer then you already know why the reason is not being published. Exploits are in the wild and no one wants to go there.
-
- Oracle Corporation
- Posts: 2973
- Joined: 19. Dec 2007, 15:45
- Primary OS: MS Windows 7
- VBox Version: PUEL
- Guest OSses: Any and all
- Contact:
Re: Allow option to disable "hardening" introduced in 4.3.14
poncho524 wrote: Right, I've looked at the code. I just don't have the Microsoft tools to rebuild otherwise I would and offer it to the world
Yes, with a footnote that your build is vulnerable to known exploits and that's what makes it different from Oracle's builds. I'm sure that would be very popular. You'd also need (for starters) a driver signing key from VeriSign or one of the other companies, which would probably set you back a few hundred dollars a year.
Mind you, you can do this and Oracle can't stop you.
Re: Allow option to disable "hardening" introduced in 4.3.14
michaln wrote: Yes, with a footnote that your build is vulnerable to known exploits and that's what makes it different from Oracle's builds. I'm sure that would be very popular. You'd also need (for starters) a driver signing key from VeriSign or one of the other companies, which would probably set you back a few hundred dollars a year. Mind you, you can do this and Oracle can't stop you.
Vulnerable to DLL injection? Most applications are. And most attempts to protect against it are reactionary.
Like I said, if you trust your host, and your AV (which usually monitors for DLL injection), then the "known exploits" are the same ones known for almost all apps.
But just as Windows warns you about unsigned drivers, it still gives you the option to install them anyway; why wouldn't VBox offer the same option?
-
- Site Moderator
- Posts: 34369
- Joined: 6. Sep 2008, 22:55
- Primary OS: Linux other
- VBox Version: OSE self-compiled
- Guest OSses: *NIX
Re: Allow option to disable "hardening" introduced in 4.3.14
This topic has gone from a suggestion to a discussion. Moving to using VirtualBox.
-
- Site Moderator
- Posts: 34369
- Joined: 6. Sep 2008, 22:55
- Primary OS: Linux other
- VBox Version: OSE self-compiled
- Guest OSses: *NIX
Re: Allow option to disable "hardening" introduced in 4.3.14
Most applications don't do what VirtualBox does and there is simply no comparison. Beyond that I see there is no convincing going to take place so I am resigning my attempt to educate on this subject.
-
- Oracle Corporation
- Posts: 2973
- Joined: 19. Dec 2007, 15:45
- Primary OS: MS Windows 7
- VBox Version: PUEL
- Guest OSses: Any and all
- Contact:
Re: Allow option to disable "hardening" introduced in 4.3.14
I agree with Perry that discussion appears to be pointless.
If you want to build and distribute VirtualBox for Windows yourself, go for it. And good luck, you'll need it.
Re: Allow option to disable "hardening" introduced in 4.3.14
Perryg wrote: Most applications don't do what VirtualBox does and there is simply no comparison. Beyond that I see there is no convincing going to take place so I am resigning my attempt to educate on this subject.
Well your attempts to educate have been poor indeed.
You could say something like:
(a) The vulnerability allows for arbitrary code to be run with privileges on the Host OS, given that the Host OS has already been compromised.
[or] (b) This could allow crossover from guest to host (if that's true, that would be a Big Deal)
[or] (c) There's a big problem where VB opens all ports and allows any remote attacker access to execute arbitrary code on the Host OS (which I'm sure isn't true).
So what is the general thing that's being fixed? I'm not looking for specific details about How to perform an exploit; just what was the general problem and general goal?
I'm not trying to argue. I'm just frustrated at the complete lack of information. This wasn't mentioned in the release notes AT ALL. Why? Usually release notes want to take credit for patching a security hole.
I'm mainly concerned that this was a hasty way to deal with a perceived problem (an inherent problem of Windows) that ultimately makes the application less usable. Are the developers going to have to explicitly white-list every single user request? Is this going to be a huge maintenance problem with little to no payoff (since you can't control what happens on the Host OS)?
-
- Oracle Corporation
- Posts: 2973
- Joined: 19. Dec 2007, 15:45
- Primary OS: MS Windows 7
- VBox Version: PUEL
- Guest OSses: Any and all
- Contact:
Re: Allow option to disable "hardening" introduced in 4.3.14
The problem was, in a nutshell, privilege escalation on the host. In other words, trouble caused by a malicious user or malicious software running with user privileges.