VMware Communities
UlyssesOfEpirus
Enthusiast

How to disable a VM's VMware display driver and use a USB GPU instead

How do I disable VMware's display driver inside a VM in order to use a USB GPU instead, like the GPUs below?

http://www.tomshardware.co.uk/dual-head-DV100-BVU195-WPCTVPRO-USB-3.0,news-40603.html

http://www.amazon.com/Plugable-DC-125-Docking-Station-Multiseat/dp/B004PXPPNA

Is there a vmx option for this?  The guest OS is Linux Mint (Ubuntu).

The purpose of this is to hide the VM display output from any hacker who manages to infect and own the host, but who cannot infect the VM. Keyboard input too is to be hidden likewise.

Host infection has become a possibility now for the reasons explained in the following post:

http://communities.vmware.com/message/2145225#2145225

1 Reply
dariusd
VMware Employee

Hi UlyssesOfEpirus,

Just so you know: If the host is truly owned, there is nothing that will completely protect a running VM.  You can raise the bar as high as you like and make it more difficult for a hacker, as you are attempting, but it won't be possible to achieve "perfect" security or really anything close to it.

If you're willing to assume/claim that only your host's user account will be compromised, and that there is no possible way for that to be escalated to owning a system account via an exploit on the host OS, your chances are better, but not by very much.  I would suggest that, for any popular mainstream host OS, such an assumption is somewhat unsafe.  You would need to take extreme steps to harden the host itself in order to mitigate this.

If you assume that your hacker can own a system account:

  • Encrypted virtual disks will prevent simple malware from infecting guest disks; however, an owned host could theoretically commandeer a running VM to read and write its open encrypted disks on its behalf.  Your encrypted disks would only be "safe" as long as they remain unused by any powered-on VM.

  • Passing through USB devices only to the guest will also prevent simple malware from sniffing the keyboard and display; however, the host's USB driver must still process all data going to/from USB devices, and an owned host will also allow the malware to install its own USB drivers/monitors to intercept and possibly manipulate USB data between the device and the VM.  Doing this for HID (keyboard/mouse) would seem relatively straightforward.  Even without doing that, though, all that USB data still has to pass through the hypervisor and into the guest, providing further opportunity for a miscreant with a system account to intercept, record and/or modify the data on the way through.

  • A moderately sophisticated hacker could install their own kernel driver to gain access to all of the host's physical memory, which necessarily includes the resident memory used by the running VM.  It would then be possible to read or modify the running VM's RAM contents.

If you are seeking 100% trust that a compromised host won't manipulate or inspect a running VM, you will never achieve it, as far as I can tell.

To directly address your question: As far as I know, the VMware SVGA virtual device is always present.  If you disable the VMware Xorg driver, it'll probably fall back to the VESA driver and still use the display.  Does the guest's Preferences > Display (or similar) allow you to simply turn off displays you don't want to use?

Cheers,

--

Darius
