Security Implications of 3D

[DNS]

Hi, when reading the documentation I came across this warning:

Note
Enabling 3D acceleration may expose security holes to malicious software running in the guest. The third-party code that VirtualBox uses for this purpose (Chromium) is not hardened enough to prevent every risky 3D operation on the host.

Will this always be the case with 3D support or is it the state of things until the experimental label is dropped? Also is it generally the same issue for all virtualization products (i.e. VMWare), or just Virtualbox's current implementation of it that makes it vulnerable?

I would like all the functionality of VBox to be safe to use, regardless of what type of programs (even potentially malicious) that I happen to be dealing with in the VM.

[BillG]

As I see it this will always be the case. For this to work, the vm must run some processes in the host OS. That is the only way to get access to the physical graphics card in the host machine.

I have no idea how VMWare acesses the physical hardware from the guest. I never use VMWare (and one reason for that is that it installs stuff in the host OS to make things easier for the guest to use the physical hardware).

I don't use 3D in VirtualBox either.

[mpack]

This is one of those theoretical-only threats anyway. I'll worry when I hear of one case where something nasty actually happened outside a lab or other artficial scenario.

[DNS]

Oh ok, so its an insignificant theoretical weakness of design. The way its described makes it interpreted as a specific downside to Chromium.

[quote=BillG]I never use VMWare (and one reason for that is that it installs stuff in the host OS to make things easier for the guest to use the physical hardware).[/quote]

That must make it more vulnerable to bypassing, is that why you avoid it?

[BillG]

As mpack said, these things are theoretical. I have never heard of any actual problem.

I have no idea how good or bad the code added by VMWare is. I don't have a need to run VMWare and I don't like the way it works, so I don't use it. Much the same as I gave up on Norton years ago when it added a lot of undocumented stuff.

[Perryg]

Much the same as I gave up on Norton years ago when it added a lot of undocumented stuff.

I knew Peter way back when (a long time ago in a far away place) and his software was rock solid and very usable. Then he sold out and well it went down hill from there.

To the OP. These kinds of warnings are usually a CYA thing. Just in case. I too have never seen or heard of an issue, but by warning of the possible issue this exonerates the developer. They call it legalese.

[vbox4me2]

I knew Peter way back when (a long time ago in a far away place) and his software was rock solid and very usable. Then he sold out and well it went down hill from there.

We could have been sitting at the same table and never knew each other... Still got the stuff I beta'd for him which still works 21 years later...

nu5.jpg (204.38 KiB) Viewed 1817 times