VirtualBox Linux VM inside Sandboxie?

Discussion in 'sandboxing & virtualization' started by Palancar, Dec 28, 2013.

Thread Status:
Not open for further replies.
  1. Palancar

    I am planning on giving this a try when I get some time. I use one of my Linux VMs with TOR (VirtualBox). I was wondering if it would make sense, or even if it would work properly, to run this VM isolated in a sandbox? The thought is to help isolate/prevent a "breakout" from the VM to the host. Does anyone here have any experiences with this? I am not paranoid but if this simple step can help prevent anything from happening, why not?
     
  2. Gullible Jones

    VirtualBox has to interact with a kernel driver. Sandboxie would either block that (and make it not work) or not interfere (and provide no additional protection).

    If you're worried about things breaking out of the VM, you could always decline to install guest additions on your VMs...

    Edit: AFAIK though, nothing has yet been able to break out of VirtualBox. At least not when using hardware virtualization.
     
  3. Palancar

    I have already done enough reading to figure out this would be problematic. Most folks are running Sandboxie in their VM instead of how I was thinking about it. My host is about as secure as it gets and hopefully its firewall and AV rulesets will "pick off" anything that jumps out of the VM. Linux is much more secure anyway. It's just that TOR and onion brings out the "best"/not in folks while you are surfing. I start with a fresh/clean VM clone every day or so anyway.

    I do NOT install guest additions for security reasons, and I am on a VT-x motherboard with proper configurations in VirtualBox. Using 12.04 and VirtualBox the VMs run very smoothly without them.

    As a splinter of this thread, I would love to read any links regarding malware that has broken out of a VirtualBox VM and hurt the host. Not some theory without true experience, but an actual "it happened to me" scenario. Is it out there? If it is out there, is it out there on a LINUX VM?
     
    Last edited: Dec 28, 2013
  4. The Red Moon

    Any particular reason why you wish to do such a thing please?
     
  5. kjdemuth

    Yeah, I tried this once before. Doesn't work all that well. Plus you have to think about the size limit per sandbox. I settled for using my VM and then having my host system running in Shadowdefender. If anything did break out it was virtualized on my host system.
     
  6. Palancar

    I found your thread in the archives. LOL!

    The Red Moon,

    My reason was really the same as that original thread. I was just considering something that may have theoretically increased my protection. That's all I was trying to do. After reading around I cannot find one instance of malware breaking out of a VirtualBox VM and getting to the host. I decided to further my protection by running Linux in the VM and running TOR from inside it. I don't know if you spend much time in "onion" but when you hang out there you learn to think of protection ideas. Most of the time I am in Whonix, but this VM is being developed for a friend.
     
  7. Acadia

    Yes, it will work, at least it did for me several years ago. I believe I ran Linux Mint (I forget exactly which Linux version anymore because I played with several) inside of VirtualBox, with the entire darn shooting match inside of Sandboxie. The only thing that I can remember having to do special was answer a popup box that I got from Sandboxie to enlarge something, I don't remember what. After that it worked fine.

    Currently I run WinXP inside of VirtualBox, and all of that is run inside of Sandboxie.
    Acadia
     
  8. kjdemuth

    Acadia, when was the last time you tried this and what version of Sandboxie was it?
     
  9. kjdemuth

    Onion can be a very interesting place. Not some place I would be "wandering" around too much. There are some instances of VM-aware malware. Not too common but they do exist. Most of the time if I was "wandering" around onion, I would be running Linux Mint on TOR and then using Shadowdefender on the host with AE on lockdown. Never had any issues or noticed any infections.
     
  10. Acadia

    Well, I am currently doing this with Sandboxie version 3.76, 64-bit, BUT this is with WinXP contained in VirtualBox. When I used VirtualBox with Linux installed, and all of that inside of Sandboxie, it was a few years ago and I have no idea what version of Sandboxie I would have been using, and it would have been 32-bit, but everything still worked.

    If I recall correctly, when I started using WinXP inside of Sandboxie, I again received that same popup message from Sandboxie about enlarging something. But again, upon doing whatever I did, it worked perfectly and has since. Sandboxie can definitely handle an entire operating system AS LONG AS THE OPERATING SYSTEM IS INSIDE OF VIRTUALBOX (and maybe also other virtual machines). At least it has worked for me 100% of the time.

    Good luck,
    Acadia
     
  11. kjdemuth

    Ok. VirtualBox. I was attempting to perform mine in VMware Workstation. Maybe that's the reason mine failed. I also got the size change warning but I also had a bunch of errors and hive warnings. Not sure where the issue was or why VB can handle it and VM couldn't. It could have been operator error too. ;)
     
  12. Gullible Jones

    See my comment above. It may work; that doesn't mean it actually provides additional protection.

    OTOH there's a big difference between recognizing a VM and breaking out of one. Lots of malware can refuse to decrypt itself if run in a VM.

    Actually infecting the host through some exploit is not something I'd discount, but I'd bet it's not common. I'm not certain, but I suspect it would require multiple stages, with exploit code customized for whichever host OS or hypervisor. IMO this is the stuff of targeted attacks, not typical malware.

    Mind, I am not an expert. But I think this is a) worrying too much, b) putting your trust in something that does not work, and c) trying to solve the wrong problem.
     
  13. Palancar

    When I started this thread it was mostly out of curiosity, and like many others here we tend to experiment/think about increased security. I have given the matter some consideration. For now I feel that my Linux 12.04 VirtualBox VM running the TOR bundle is safe enough. One thing that helps me relax is that I keep an updated and clean template of the VM. By clean I mean zero activity other than clicking into debian for the updates. I return to a perfectly clean VM cloned from the template nearly every day, or maybe every third depending upon where I have gone with it. As mentioned above in other posts here, I don't care if malware can somehow detect a VM, and cause something not to work. Big deal. That is a completely different thing than breaking out of the VM and getting to the host. My hardware is nicely configured and running the VT-x technology the way it was intended.
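
The setup described in the thread (hardware virtualization on, no guest additions, a fresh clone from a clean template) can be checked and rebuilt with `VBoxManage`. This is an added example, not code posted by anyone in the thread. The VM names and the sample output are constructed, and the `GuestAdditions*` keys are assumed to be reported as in current VirtualBox releases.

```python
# Constructed samples of `VBoxManage showvminfo <vm> --machinereadable` output.
CLEAN = 'name="tor-work"\nostype="Ubuntu_64"\nhwvirtex="on"\nGuestAdditionsRunLevel=0\n'
USED = ('name="tor-old"\nhwvirtex="off"\nGuestAdditionsRunLevel=2\n'
        'GuestAdditionsVersion="0.0.0 r0"\n')  # placeholder version string


def parse_vminfo(text):
    """Parse the key=value lines of the machine-readable VM description."""
    info = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            info[key.strip().strip('"')] = value.strip().strip('"')
    return info


def audit(info):
    """Return findings that contradict the setup described in the thread."""
    findings = []
    if info.get("hwvirtex") != "on":
        findings.append("hardware virtualization (VT-x/AMD-V) is not enabled")
    # Assumption: VirtualBox records these keys only after Guest Additions
    # have run in the guest, so a VM without them shows run level 0 and
    # no version.
    if (info.get("GuestAdditionsVersion")
            or info.get("GuestAdditionsRunLevel", "0") != "0"):
        findings.append("Guest Additions are present in the guest")
    return findings


def reclone_commands(template, work):
    """Commands that discard the used VM and clone a new one from the template."""
    return [
        ["VBoxManage", "unregistervm", work, "--delete"],
        ["VBoxManage", "clonevm", template, "--name", work, "--register"],
    ]


if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("used", USED)):
        print(label, audit(parse_vminfo(sample)) or "matches the described setup")
    for cmd in reclone_commands("tor-template", "tor-work"):
        print(" ".join(cmd))
```

On a real host, feed `audit` the output of `VBoxManage showvminfo` for the working VM and pass each list from `reclone_commands` to `subprocess.run` while the VM is powered off.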
     