
Is there a way to run intrusion detection for if anything tries to escape from VirtualBox?

Thank you.

Smiith
  • That strikes me as a strange phrasing. Are you asking if it's possible to detect if a program within a Virtualbox is attempting to take advantage of a known exploit in Virtualbox that has since been patched? – Cort Ammon Mar 24 '17 at 23:59
  • Yes, or attempting any type of intrusion onto the host. – Smiith Mar 25 '17 at 00:06

1 Answer


In a general sense, you can do this with standard security tools. Note: It would be hard to know ALL the ways to detect this from the VM before such an attack occurred versus after it's gotten access to the Host OS where it would be much easier to detect.

To detect a program while it is trying to escape you would have to be monitoring the VM OS.

To detect things that have escaped you would be monitoring the Host OS. So placement of tools is important and relative to the way you asked your question.

That said, assuming you are strict about your use of the Host OS being dedicated solely to the purpose of hosting VirtualBox VMs, it would be easy to set up a lot of systems monitoring on the Host OS to look for anomalous behavior. You could also turn the logging levels way up, because the VirtualBox software should be the only thing really active on the Host OS. This makes user/system access and other types of activities really easy to spot IF you aren't running other things on the Host OS.

In theory, if you aren't doing much with the base OS, then the abnormal usage patterns that would occur if someone started accessing the Host OS would be easy to spot. That said, if this were your primary laptop, you would create a lot of noise in the logs, which would make this much harder to do.

IDS/IPS and other security tools, especially operating system security tools which monitor system calls, can easily be placed on both the VM OS and the Host OS. So if the attacks you are thinking about can be detected and are not true zero-day exploits, then they should be possible to detect when using appropriately configured intrusion detection/prevention systems.

Trey Blalock
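As an added example that is not part of the answer above: a small Python check for the "dedicated host" approach the answer describes, treating any host process outside a fixed baseline, or any non-VirtualBox child of a VirtualBox process, as an anomaly. The process names in the allowlists and the sample `ps` output are constructed assumptions, not taken from a real system.

```python
"""Baseline check for a host whose only job is to run VirtualBox VMs.

Constructed example: on such a host every process should be either part of
the base OS or a VirtualBox component, and a VirtualBox process should never
spawn a child that is not itself a VirtualBox component. Anything else is an
anomaly worth investigating.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Assumption: VirtualBox component names on a typical Linux host install.
VBOX_PROCS = {"VBoxSVC", "VBoxHeadless", "VirtualBoxVM",
              "VBoxXPCOMIPCD", "VBoxNetDHCP", "VBoxNetNAT"}
# Assumption: the base-OS processes expected on this minimal dedicated host.
BASE_PROCS = {"systemd", "sshd", "cron", "rsyslogd", "dbus-daemon", "auditd"}


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    user: str
    comm: str


def parse_ps(text: str) -> List[Proc]:
    """Parse the output of `ps -eo pid,ppid,user,comm` (header line skipped)."""
    procs = []
    for line in text.strip().splitlines()[1:]:
        pid, ppid, user, comm = line.split(maxsplit=3)
        procs.append(Proc(int(pid), int(ppid), user, comm))
    return procs


def find_anomalies(procs: List[Proc]) -> List[Tuple[int, str]]:
    """Return (pid, reason) for every process that violates the baseline."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        parent = by_pid.get(p.ppid)
        if parent and parent.comm in VBOX_PROCS and p.comm not in VBOX_PROCS:
            # The hypervisor process itself spawned something foreign.
            findings.append((p.pid, f"{parent.comm}[{parent.pid}] spawned {p.comm}"))
        elif p.comm not in VBOX_PROCS and p.comm not in BASE_PROCS:
            findings.append((p.pid, f"unexpected process {p.comm} as {p.user}"))
    return findings


# Constructed sample listing: pids 830 and 902 should be flagged.
SAMPLE_PS = """  PID  PPID USER     COMMAND
    1     0 root     systemd
  612     1 root     sshd
  700     1 vbox     VBoxSVC
  710   700 vbox     VBoxHeadless
  711   700 vbox     VBoxXPCOMIPCD
  830   710 vbox     sh
  845     1 root     cron
  902     1 nobody   nc
"""

if __name__ == "__main__":
    for pid, reason in find_anomalies(parse_ps(SAMPLE_PS)):
        print(f"pid {pid}: {reason}")
```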