VirtualBox Linux VM inside Sandboxie?

I am planning on giving this a try when I get some time. I use one of my linux VM's with TOR (VirtualBox). I was wondering if it would make sense, or even if it would work properly, to run this VM isolated in a sandbox? The thought is to help isolate/prevent a "breakout" from the VM to the host. Does anyone here have any experiences with this? I am not paranoid but if this simple step can help prevent anything from happening, why not?

 

Virtualbox has to interact with a kernel driver. Sandboxie would either block that (and make it not work) or not interfere (and provide no additional protection).

If you're worried about things breaking out of the VM, you could always decline to install guest additions on your VMs...

Edit: AFAIK though, nothing has yet been able to break out of Virtualbox. At least not when using hardware virtualization.

 

I have already done enough reading to figure out this would be problematic. Most folks are running Sandboxie in their VM instead of how I was thinking about it. My host is about as secure as it gets and hopefully its firewall and AV rulesets will "pick off" anything that jumps out of the VM. Linux is much more secure anyway. Its just that TOR and onion brings out the "best"/not in folks while you are surfing. I start with a fresh/clean VM clone every day or so anyway.

I do NOT install guest additions for security reasons, and I am on a VT-x motherboard with proper configurations in virtualbox. Using 12.04 and virtualbox the VMs run very smoothly without them.


As a splinter of this thread, I would love to read any links regarding malware that has broken out of a virtualbox VM and hurt the host. Not some theory without true experience, but an actual "it happened to me" scenario. Is it out there? If it is out there, is it out there on a LINUX VM?

 

Any particular reason why you wish to do such a thing please?

 

yeah I tried this once before. Doesn't work all that well. Plus you have to think about the size limit per sandbox. I settled for using my VM and then having my host system running in Shadowdefender. If anything did break out it was virtualized on my host system.

 

I found your thread in the archives. LOL!


The Red Moon,

My reason was really same as that original thread. I was just considering something that may have theoritically increased my protection. That's all I was trying to do. After reading around I cannot find one instance of malware breaking out of a VirtualBox VM and getting to the host. I decided to further my protection by running Linux in the VM and running TOR from inside it. I don't know if you spend much time in "onion" but when you hang out there you learn to think of protection ideas. Most of the time I am in Whonix, but this VM is being developed for a friend.

 

Yes, it will work, at least it did for me several years ago. I believe I ran Linux Mint (I forget exactly which Linux version anymore because I played with several) inside of VirtualBox, with the entire darn shooting match inside of Sandboxie. The only thing that I can remember having to do special was answer a popup box that I got from Sandboxie to enlarge something, I don't remember what. After that it worked fine.

Currently I run WinXP inside of VirtualBox, and all of that is run inside of Sandboxie.
Acadia

 

Acadia when was the last time you tried this and what version of sandboxie was it?

 

Onion can be a very interesting place. Not some place I would be "wandering" around too much. There are some instances of VM aware malware. Not too common but they do exist. Most of the time if I was "wandering" around onion, I would be running Linux mint on TOR and then using shadowdefender on the host with AE on lockdown. Never had any issues or noticed any infections.

 

Well, I am currently doing this with Sandboxie version 3.76, 64-bit, BUT this is with WinXp contained in VirtualBox. When I used VirtualBox with Linux installed, and all of that inside of Sandboxie, was a few years ago and I have no idea what version of Sandboxie that I would have been using, and it would have been 32-bit, but everything still worked.


If I recall correctly, when I started using WinXp inside of Sandboxie, I again received that same popup message from Sandboxie about enlarging something. But again, upon doing whatever I did, it worked perfectly and has since. Sandboxie can definitely handle an entire operating system AS LONG AS THE OPERATING SYSTEM IS INSIDE OF VIRTUALBOX (and maybe also other virtual machines). At least it has worked for me 100% of the time.

Good luck,
Acadia

 

Ok. Virtual box. I was attempting to perform mine in VMworkstation. Maybe that's the reason mine failed. I also got the size change warning but I also had a bunch of errors and hive warnings. Not sure where the issue was or why VB can handle it and VM couldn't. It could have been operator error too. .

 

See my comment above. It may work, that doesn't mean it actually provides additional protection.

OTOH there's a big difference between recognizing a VM and breaking out of one. Lots of malware can refuse to decrypt itself if run in a VM.

Actually infecting the host through some exploit is not something I'd discount, but I'd bet it's not common. I'm not certain, but I suspect it would require multiple stages, with exploit code customized for whichever host OS or hypervisor. IMO this is the stuff of targeted attacks, not typical malware.

Mind, I am not an expert. But I think this is a) worrying too much, b) putting your trust in something that does not work, and c) trying to solve the wrong problem.

 

When I started this thread it was mostly out of curiousity, and as many others here we tend to experiment/think about increased security. I have given the matter some consideration. For now I feel that my linux 12.04 virtualbox VM running the TOR bundle is safe enough. One thing that helps me relax is that I keep an updated and clean template of the VM. By clean I mean zero activity other than clicking into debian for the updates. I return to a perfectly clean VM cloned from the template nearly every day, or maybe every third depending upon where I have gone with it. As mentioned above in other posts here; I don't care if malware can somehow detect a VM, and cause something not to work. Big deal. That is a completely different thing than breaking out of the VM and getting to the host. My hardware is nicely configured and running the VT-x technology the way it was intended.