Opened 13 years ago
Closed 8 years ago
#10273 closed enhancement (obsolete)
VirtualBox Support for ASLR
Reported by: | DNS | Owned by: | |
---|---|---|---|
Component: | VMM | Version: | VirtualBox 4.1.8 |
Keywords: | Cc: | ||
Guest type: | other | Host type: | other |
Description
Windows Vista has introduced new memory security protections, such as DEP/NX, ASLR (Address Space Layout Randomization) and Heap Corruption Detection, which help to block exploits of common vulnerabilities. Unfortunately VirtualBox still is not compiled to take advantage of these security features. While VirtualBox's code doesn't exhibit any weaknesses, it would be beneficial to be able to use these OS security enhancements as a backstop in the event that the hypervisor is exploited.
There are also reports of there being a similar incompatibility between VirtualBox and ASLR implementations in Linux as well.
Currently, forcing these OS protection settings for VirtualBox's processes causes random and complete system halts. Support for ASLR is easy to accomplish and could probably make it into the next release as all that is needed for it to work is the turning on of a bit in the executable.
Change History (7)
comment:1 by , 13 years ago
comment:2 by , 12 years ago
Resolution: | → fixed |
---|---|
Status: | new → closed |
As of VBox 4.2, all executables are compiled with /DYNAMICBASE enabled. So marking as fixed.
comment:3 by , 12 years ago
With 4.2.0, system wide mandatory ASLR still cannot be used. If it is enabled, all VMs fail to start with a VERR_LDR_MISMATCH_NATIVE error. I guess the VirtualBox drivers still aren't compatible with this?
comment:6 by , 12 years ago
Resolution: | fixed |
---|---|
Status: | closed → reopened |
Thanks for the report, seems we did not test this setting properly.
comment:7 by , 8 years ago
Resolution: | → obsolete |
---|---|
Status: | reopened → closed |
Please reopen if still relevant with a recent VirtualBox release.
Replying to DNS:
Isn't that a contradiction? I am no expert on this matter but I believe that the linker has to be aware of the ASLR in order to create an fully ASLR-compatible executable. I am not sure what compiler versions Oracle uses but judging from https://www.virtualbox.org/wiki/Windows%20build%20instructions it might be quite vintage and therefore enabling ASLR would require changes to the build environment, so don't anticipate it to be enabled anytime soon.
On a personal note, I too can't wait to see it ASLR enabled as VirtualBox is one of the last of my frequently applications that hasn't ASLR activated.