From: Markus Armbruster <armbru@redhat.com>
To: Eric Blake <eblake@redhat.com>
Cc: Kevin Wolf <kwolf@redhat.com>, Jeff Cody <jcody@redhat.com>,
qemu-devel@nongnu.org, Stefan Hajnoczi <stefanha@redhat.com>,
Max Reitz <mreitz@redhat.com>
Subject: Re: [Qemu-devel] Image probing: how it can be insecure, and what we could do about it
Date: Thu, 06 Nov 2014 13:52:49 +0100 [thread overview]
Message-ID: <87oaskv6ce.fsf@blackfin.pond.sub.org> (raw)
In-Reply-To: <5459FCE8.2050007@redhat.com> (Eric Blake's message of "Wed, 05 Nov 2014 11:33:12 +0100")
Eric Blake <eblake@redhat.com> writes:
> On 11/04/2014 07:45 PM, Markus Armbruster wrote:
>> I'll try to explain all solutions fairly. Isn't easy when you're as
>> biased towards one of them as I am. Please bear with me.
>>
>
> Thanks for this write-up. I'll probably reply again, but for now I'm
> focusing on just one thing I think you missed that came up in the
> related threads:
>
>
>> = How can we better guard the trust boundary in QEMU? =
>>
>> The guest can violate the trust boundary only because
>>
>> (a) QEMU supports both raw images and image formats, and
>>
>> (b) QEMU guesses image format from raw image contents, and
>>
>> (c) given a raw image, guests can change its contents and control a
>> future QEMU's format guess.
>>
>> We can attack one ore more of these three conditions:
>>
>> (a) Outlaw raw images
>>
>> (b) Don't guess format from untrusted image contents
>>
>> (c) Prevent "bad" guest writes
>
> (d) write metadata that records our guess before releasing data across a
> trust boundary, so that we no longer need to probe on the next encounter
>
> While this won't work for top-level images, it is a possibility for
> backing store. Any time we open a qcow2 file that has a backing file
> without a format, we can rewrite the qcow2 metadata to record the type
> that we ended up settling on, prior to allowing the guest to manipulate
> the data. The initial open is "safe" (we haven't yet handed the data to
> the guest - and the trust boundary is not broken until the point that
> the guest has had a chance to overwrite data) and all subsequent opens
> are now safe (because we rewrote the metadata, subsequent operations no
> longer need to probe the backing file, but are guaranteed to use the
> same format as the first open, whether or not those subsequent
> operations are performed by a different qemu that would have probed a
> different type).
>
> PRO: Plugs hole for backing files
>
> CON: Doesn't help for top-level images. In a chain "base <- mid <- top"
> where neither mid nor top recorded backing type, it would require mid to
> be temporarily opened read-write to update the metadata.
I think we better distinguish two cases:
1. Freeze the backing format on create
PRO: Plugs hole for backing files in new images
CON: Incompatible change, but only for truly weird usage.
2. Freeze the backing format on writable open
PRO: Plugs hole for this existing image's backing file
CON: As above.
I'm quite comfy with 1's CON, but 2's gives me a slightly queasy
feeling. Not enough of it to actually object, though.
next prev parent reply other threads:[~2014-11-06 12:53 UTC|newest]
Thread overview: 38+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-11-04 18:45 [Qemu-devel] Image probing: how it can be insecure, and what we could do about it Markus Armbruster
2014-11-04 20:33 ` Jeff Cody
2014-11-05 7:04 ` Markus Armbruster
2014-11-05 7:30 ` Markus Armbruster
2014-11-05 8:38 ` Max Reitz
2014-11-05 10:18 ` Eric Blake
2014-11-06 12:43 ` Markus Armbruster
2014-11-06 13:02 ` Eric Blake
2014-11-05 11:15 ` Kevin Wolf
2014-11-06 12:26 ` Markus Armbruster
2014-11-06 12:53 ` Max Reitz
2014-11-06 14:56 ` Jeff Cody
2014-11-06 15:00 ` Max Reitz
2014-11-07 14:52 ` Markus Armbruster
2014-11-07 15:17 ` Max Reitz
2014-11-10 7:58 ` Markus Armbruster
2014-11-07 9:57 ` Markus Armbruster
2014-11-06 13:02 ` Kevin Wolf
2014-11-07 14:50 ` Markus Armbruster
2014-11-05 10:12 ` Gerd Hoffmann
2014-11-05 10:33 ` Eric Blake
2014-11-06 12:52 ` Markus Armbruster [this message]
2014-11-05 11:01 ` Kevin Wolf
2014-11-06 13:57 ` Markus Armbruster
2014-11-06 14:14 ` Eric Blake
2014-11-06 15:52 ` Jeff Cody
2014-11-06 14:35 ` Jeff Cody
2014-11-06 15:01 ` Kevin Wolf
2014-11-07 15:21 ` Markus Armbruster
2014-11-07 17:33 ` Jeff Cody
2014-11-10 8:12 ` Markus Armbruster
2014-11-10 9:14 ` Kevin Wolf
2014-11-10 10:30 ` Markus Armbruster
2014-11-10 14:24 ` Jeff Cody
2014-11-11 8:28 ` Markus Armbruster
2014-11-10 8:13 ` Markus Armbruster
2014-11-05 15:24 ` Dr. David Alan Gilbert
2014-11-06 13:04 ` Markus Armbruster
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87oaskv6ce.fsf@blackfin.pond.sub.org \
--to=armbru@redhat.com \
--cc=eblake@redhat.com \
--cc=jcody@redhat.com \
--cc=kwolf@redhat.com \
--cc=mreitz@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=stefanha@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.