VirtualBox

Ticket #10273 (reopened enhancement)

Opened 2 years ago

Last modified 18 months ago

VirtualBox Support for ASLR

Reported by: DNS
Owned by:
Priority: major
Component: VMM
Version: VirtualBox 4.1.8
Keywords:
Cc:
Guest type: other
Host type: other

Description

Windows Vista has introduced new memory security protections, such as DEP/NX, ASLR (Address Space Layout Randomization) and Heap Corruption Detection, which help to block exploits of common vulnerabilities. Unfortunately VirtualBox still is not compiled to take advantage of these security features. While VirtualBox's code doesn't exhibit any weaknesses, it would be beneficial to be able to use these OS security enhancements as a backstop in the event that the hypervisor is exploited.

There are also reports of there being a similar incompatibility between VirtualBox and ASLR implementations in Linux as well.

Currently, forcing these OS protection settings for VirtualBox's processes causes random and complete system halts. Support for ASLR is easy to accomplish and could probably make it into the next release as all that is needed for it to work is the turning on of a bit in the executable.

Change History

comment:1 in reply to: ↑ description Changed 2 years ago by Hans

Replying to DNS:

Currently, forcing these OS protection settings for VirtualBox's processes causes random and complete system halts. Support for ASLR is easy to accomplish […] all that is needed for it to work is the turning on of a bit in the executable.

Isn't that a contradiction? I am no expert on this matter but I believe that the linker has to be aware of the ASLR in order to create a fully ASLR-compatible executable. I am not sure what compiler versions Oracle uses but judging from https://www.virtualbox.org/wiki/Windows%20build%20instructions it might be quite vintage and therefore enabling ASLR would require changes to the build environment, so don't anticipate it to be enabled anytime soon.

On a personal note, I too can't wait to see it ASLR enabled as VirtualBox is one of the last of my frequently used applications that hasn't ASLR activated.

comment:2 Changed 19 months ago by frank

  • Status changed from new to closed
  • Resolution set to fixed

As of VBox 4.2, all executables are compiled with /DYNAMICBASE enabled. So marking as fixed.
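Added example, not part of the ticket and not VirtualBox code: the /DYNAMICBASE switch mentioned in comment:2 sets a bit in the DllCharacteristics field of the PE optional header, and the Python below reads that bit, together with the DEP and relocation flags, from an image's headers. The `sample_image` helper and the header values it writes are constructed for the example.

```python
import struct
import sys

# DllCharacteristics bits (PE/COFF specification) and the linker switch that sets each
DLL_FLAGS = {
    "HIGH_ENTROPY_VA": 0x0020,  # /HIGHENTROPYVA
    "DYNAMIC_BASE": 0x0040,     # /DYNAMICBASE (ASLR opt-in)
    "NX_COMPAT": 0x0100,        # /NXCOMPAT (DEP opt-in)
}
IMAGE_FILE_RELOCS_STRIPPED = 0x0001  # COFF Characteristics: no relocation data


def pe_mitigations(data: bytes) -> dict:
    """Report the mitigation opt-in bits recorded in a PE image's headers."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)  # e_lfanew
    opt = pe_off + 4 + 20  # PE signature, then the 20-byte COFF header
    if data[pe_off:pe_off + 4] != b"PE\0\0" or len(data) < opt + 72:
        raise ValueError("missing or truncated PE header")
    # SizeOfOptionalHeader and Characteristics are the last two COFF fields
    opt_size, file_chars = struct.unpack_from("<HH", data, pe_off + 4 + 16)
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B) or opt_size < 72:
        raise ValueError("unexpected optional header")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ layouts
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    report = {name: bool(dll_chars & bit) for name, bit in DLL_FLAGS.items()}
    # An image without relocation data cannot be rebased by the loader
    report["RELOCS_STRIPPED"] = bool(file_chars & IMAGE_FILE_RELOCS_STRIPPED)
    return report


def sample_image(dll_chars: int, file_chars: int = 0x0022) -> bytes:
    """Constructed PE32+ headers only (not a loadable program)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, file_chars)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)       # PE32+ magic
    struct.pack_into("<H", opt, 70, dll_chars)  # DllCharacteristics
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    for path in sys.argv[1:]:  # check real binaries passed on the command line
        with open(path, "rb") as fh:
            print(path, pe_mitigations(fh.read()))
    print("constructed sample:", pe_mitigations(sample_image(0x0140)))
```

Run over every .exe and .dll in an installation directory, this shows which images opted in; an image reporting `DYNAMIC_BASE: False` or `RELOCS_STRIPPED: True` is a candidate to check first when a system-wide mandatory ASLR setting causes load failures.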

comment:3 Changed 18 months ago by Naakka

With 4.2.0, system wide mandatory ASLR still cannot be used. If it is enabled, all VMs fail to start with a VERR_LDR_MISMATCH_NATIVE error. I guess the VirtualBox drivers still aren't compatible with this?

comment:4 follow-up: ↓ 5 Changed 18 months ago by frank

Which host are you talking about?

comment:5 in reply to: ↑ 4 Changed 18 months ago by Naakka

Replying to frank:

Which host are you talking about?

Windows 7 64-bit.

comment:6 Changed 18 months ago by frank

  • Status changed from closed to reopened
  • Resolution fixed deleted

Thanks for the report, seems we did not test this setting properly.
