Kavita Agarwal
2014-03-14 20:55:16 UTC
Hi,
We are graduate students studying Computer Science at Stony Brook
University. We were wondering what the security concern is that requires
VirtualBox binaries on Linux to have root privilege.
We know that /dev/vboxdrv is owned by root and the permissions on that
device are such that only root can open it. However, we are interested in
the underlying security concern to restrict access of this device to root.
We analyzed the ioctls issued by the userspace VirtualBox binaries to this
device. These ioctls seem to be changing the state/memory for a specific
guest VM. Thus, there may not be any concerns of an attacker exploiting
these ioctls to change the state of the host or other processes on the host
as long as the ioctl requests can be authenticated?
There seems to exist a cookie-based authentication mechanism for these
requests. However, static cookie values are used, which may explain the
need to restrict these requests to be issued only by root to avoid an
attacker messing with a running VM.
Moreover, the different setuid-to-root VirtualBox binaries don't seem to be
able to attach to a running VM. So, an attacker cannot use that interface
to connect to an already running VM.
If /dev/vboxdrv is opened for access to all, a possible attack can be
that the attacker will guess the pSession pointer and use that as an
argument in pReq to send fake ioctl requests for other VMs. However, if the
cookies are randomized and are hard to guess, this attack may be mitigated
by the cookie-based authentication or even by adding a file-descriptor- or
process-based authentication.
We are interested in this discussion because we have a paper accepted to
EuroSys '14 that shows how to obviate the need for setuid binaries on
Linux. As part of continuing this effort for completeness, we are
currently investigating VirtualBox's need for setuid-to-root and finding
ways in which this need can be eliminated.
Please let us know if we are missing something or if our understanding is
correct.
Thanks in advance for your help and comments.
Regards,
Kavita Agarwal
CS Graduate Student
Stony Brook University
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.virtualbox.org/pipermail/vbox-dev/attachments/20140314/11f16ed6/attachment.html
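The two authentication schemes the post contrasts (a static cookie plus a caller-supplied session pointer, versus a per-session unpredictable cookie bound to the file descriptor the ioctl arrived on) as an added userspace model, not VirtualBox's own driver code; all names (Session, ReqHdr, session_open, check_weak, check_strong) and the deterministic mixer standing in for a CSPRNG are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed model of a vboxdrv-style session table (hypothetical, not VirtualBox code). */
#define MAX_SESSIONS 8
typedef struct { bool open; int owner_fd; uint32_t cookie; } Session;
/* Stands in for the pReq header: a cookie plus the session the caller names (the "pSession"). */
typedef struct { uint32_t cookie; size_t session; } ReqHdr;

static Session sessions[MAX_SESSIONS];
static const uint32_t STATIC_COOKIE = 0x4E3A9B2FU; /* fixed value, as the post describes (constructed) */

/* Deterministic stand-in for a CSPRNG so the example is reproducible; invertible, so distinct
 * inputs give distinct cookies. A real driver would draw the cookie from kernel randomness. */
static uint32_t mix32(uint32_t x) {
    x ^= x >> 16; x *= 0x7feb352dU; x ^= x >> 15; x *= 0x846ca68bU; x ^= x >> 16;
    return x;
}

/* Open a session for descriptor fd; returns its slot (the guessable handle) or -1 if full. */
int session_open(int fd, uint32_t seed) {
    for (size_t i = 0; i < MAX_SESSIONS; i++) {
        if (sessions[i].open) continue;
        sessions[i].open = true;
        sessions[i].owner_fd = fd;
        sessions[i].cookie = mix32(seed ^ (uint32_t)fd ^ (uint32_t)(i * 0x9E3779B9U));
        return (int)i;
    }
    return -1;
}

/* Weak check: static cookie plus a caller-chosen session. Anyone who can open the device and
 * knows the constant can address any open session simply by guessing the slot. */
bool check_weak(const ReqHdr *r) {
    return r->session < MAX_SESSIONS && sessions[r->session].open && r->cookie == STATIC_COOKIE;
}

/* Hardened check: the named session must belong to the descriptor the ioctl arrived on
 * (kernel-derived, not caller-supplied) and carry that session's unpredictable cookie. */
bool check_strong(int caller_fd, const ReqHdr *r) {
    if (r->session >= MAX_SESSIONS || !sessions[r->session].open) return false;
    const Session *s = &sessions[r->session];
    return s->owner_fd == caller_fd && s->cookie == r->cookie;
}

/* Helper so a legitimate caller can build a request for its own session. */
uint32_t session_cookie(int slot) { return sessions[slot].cookie; }
```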