0day Protection

DNS
Posts: 107
Joined: 2. May 2011, 00:16
Primary OS: MS Windows 7
VBox Version: VirtualBox+Oracle ExtPack
Guest OSses: xp win7

0day Protection

Post by DNS »

Can I use VirtualBox as a safe sandbox on an older unsupported Windows OS, i.e. one that stopped receiving security updates? Can I assume that kernel 0days that bypass all security software cannot affect the host as long as the VMM software is kept updated?
mpack
Site Moderator
Posts: 39134
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: VirtualBox+Oracle ExtPack
Guest OSses: Mostly XP

Re: 0day Protection

Post by mpack »

If you are looking for guarantees you won't get any here! IMHO if you understand the technology then it's obvious that guest apps can't access the host unless you provide the means, e.g. by setting up shared folders containing files which could be infected, or via the network if a virtual network connection has been provided along with weak protocols.

I'm a little wary that VBox v4 and later has included guest additions which allow file copying between guest and host, via a channel which does not require a conventional network connection. However, although I've not studied it in detail, it's my understanding that this can only be initiated using the VBoxManage app on the host side - there is no vulnerable API on the guest side. So, in theory a VirtualBox-aware virus on your host side could infect your guest, but not the other way around.

Re: 0day Protection

Post by DNS »

Thanks for the reply, Mpack. I was asking this question because of the statement I read over in the manual under the General Security Principles section:
Manual wrote: Keep Software Up To Date
One of the principles of good security practise is to keep all software versions and patches up to date. Activate the VirtualBox update notification to get notified when a new VirtualBox release is available. When updating VirtualBox, do not forget to update the Guest Additions. Keep the host operating system as well as the guest operating system up to date.
It's good to know that VBox is a way to bring old OSs into safe use even if Microsoft pulls the plug on them.
mpack wrote: I'm a little wary that VBox v4 and later has included guest additions which allow file copying between guest and host, via a channel which does not require a conventional network connection. However, although I've not studied it in detail, it's my understanding that this can only be initiated using the VBoxManage app on the host side - there is no vulnerable API on the guest side. So, in theory a VirtualBox-aware virus on your host side could infect your guest, but not the other way around.
Yes, I was worried about that too. This also seems to be a potential hole in VMware products, where they have an I/O backdoor enabled by default that you have to seal off manually. While I wanted drag and drop for a long while, I started to dislike the idea when I understood the potential security implications that it has. Good to know that the VBox team had the common sense to allow this in cases specifically initiated by the user.

I always thought that if the host was compromised, nothing on the machine stood a chance, even virtual machines. Since the host has access to all resources underneath the Guest OS, any instructions or keystrokes could potentially be intercepted. Really though, I only care about infection from the one direction, guest to host, rather than the other way round.

For the other 2 vectors: I handle them by keeping shared folders disabled and by using bridged networking to the guest which I block off using a firewall on the host.

Re: 0day Protection

Post by mpack »

I personally do not avoid the use of shared folders, since a few simple precautions can eliminate any danger. I try to avoid keeping executable files in there, at least if I'm going to allow the folder to be accessed by a suspect VM (i.e. one in which I've previously run unproven software). As a programmer I know that the myths about viruses in JPEGs etc. are not true, so I don't worry about having those in a shared folder. Any executable that I copy into a shared folder is never again executed on the host. And of course: the shared folder is one small folder containing just a few files. Some of the users here designate the entire host system drive as a shared folder, which I regard as insane! :shock:
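The guest-to-host channels discussed in this thread (shared folders, clipboard and drag and drop, network adapters) can be listed from a VM's settings on the host. The sketch below is an added example, not code from any poster or from VirtualBox: it audits the text produced by `VBoxManage showvminfo <vm> --machinereadable`. The key names are assumed from that output format and should be checked against your version, and the sample text is constructed.

```python
import re

# Constructed sample of machine-readable VM info (not captured from a real VM).
SAMPLE = '''name="xp-sandbox"
clipboard="bidirectional"
draganddrop="disabled"
nic1="bridged"
bridgeadapter1="eth0"
nic2="none"
SharedFolderNameMachineMapping1="transfer"
SharedFolderPathMachineMapping1="/home/user/vm-transfer"
'''

def parse(text):
    """Turn key="value" lines into a dict, dropping the surrounding quotes."""
    cfg = {}
    for line in text.splitlines():
        key, sep, val = line.partition("=")
        if sep:
            cfg[key.strip('" ')] = val.strip('" ')
    return cfg

def is_drive_root(path):
    """True for '/' or a bare drive letter such as 'C:' or 'C:/'."""
    return path == "/" or re.fullmatch(r"[A-Za-z]:[\\/]?", path) is not None

def audit(text):
    """Return (setting, reason) pairs for every host-facing channel left open."""
    findings = []
    for key, val in parse(text).items():
        if key.startswith("SharedFolderPathMachineMapping"):
            kind = "whole drive shared" if is_drive_root(val) else "shared folder"
            findings.append((key, f"{kind}: {val}"))
        elif key in ("clipboard", "draganddrop") and val != "disabled":
            findings.append((key, f"{key} is {val}"))
        elif re.fullmatch(r"nic\d+", key) and val != "none":
            findings.append((key, f"network attached ({val}); check host firewall"))
    return findings

if __name__ == "__main__":
    for setting, reason in audit(SAMPLE):
        print(f"{setting}: {reason}")
```

An empty result means none of these three channels is configured; it says nothing about flaws in the hypervisor itself.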