[vbox-dev] how to shutdown VBox open APIs?

Achim Hasenmüller achim.hasenmueller at oracle.com
Thu Dec 9 10:29:01 PST 2010


the COM API access control is a great idea, I've been pondering about this for years. If you find a way to do this (basically you have to whitelist the process when IVirtualBox gets instantiated), it would be awesome.

Regarding further protection, I'm not a fan. It's a rat race. Some customer has created a setup on Windows hosts where VBox runs as a different user and apparently they were able to circumvent UAC by writing their own runas service. I don't have more details.


On Dec 9, 2010, at 19:19 , Huihong Luo wrote:

> We got more and more users to request how to deliver a vm whose configuration cannot be modified in any way.
> VBox is so powerful in its APIs, which is a very good feature compared to other vm software. However, this feature makes it very difficult to prevent people from chaning the vm settings, etc. Any thoughts on this?
> VBox uses across process COM communications, so need a way to only allow internal components to use those APIs, but disallow external programs to use it. Even this is done, a hacker can easily hook a DLL's exports, and change the code.
> For example, even if a VDI disk is encrypted, I can easily hook VBoxDDU.dll to dump its raw content, and bypass the encryption.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.virtualbox.org/pipermail/vbox-dev/attachments/20101209/6098878e/attachment-0001.html 

More information about the vbox-dev mailing list