From: "Alex Bennée" <alex.bennee@linaro.org>
To: Rowan Hart <rowanbhart@gmail.com>
Cc: qemu-devel@nongnu.org,
"Pierrick Bouvier" <pierrick.bouvier@linaro.org>,
"Paolo Bonzini" <pbonzini@redhat.com>,
"Richard Henderson" <richard.henderson@linaro.org>,
"Philippe Mathieu-Daudé" <philmd@linaro.org>,
"Yanan Wang" <wangyanan55@huawei.com>,
"Mahmoud Mandour" <ma.mandourr@gmail.com>,
"Marcel Apfelbaum" <marcel.apfelbaum@gmail.com>,
"Alexandre Iooss" <erdnaxe@crans.org>,
"Zhao Liu" <zhao1.liu@intel.com>,
"Eduardo Habkost" <eduardo@habkost.net>
Subject: Re: [PATCH v12 5/7] plugins: Add memory hardware address read/write API
Date: Fri, 20 Jun 2025 14:36:17 +0100 [thread overview]
Message-ID: <87pleysffy.fsf@draig.linaro.org> (raw)
In-Reply-To: <168f9716-1b1c-42fe-9be8-f6b895a9095f@gmail.com> (Rowan Hart's message of "Tue, 17 Jun 2025 08:46:11 -0700")
Rowan Hart <rowanbhart@gmail.com> writes:
>> My main concern about the long list of caveats for writing memory is the
>> user will almost certainly cause weird things to happen which will then
>> be hard to debug. I can see the patcher example however it would be
>> useful to know what other practical uses this interface provides.
>>
> Of course! My main personal intent here is to facilitate introspection
> and manipulation of guest state for security analysis. Some examples
> of why the memory/register R/W primitives are necessary here include:
>
> Fuzzing:
> - Read registers and memory for tracing control flow, comparison
> operands, and profiled values (e.g. memcmp arguments)
> - Write memory to inject test cases into the guest (for me and other
> fuzzer developers, this is the biggest reason!)
> - Write registers to reset execution or skip over complex checks like
> checksums
> - Read and write memory, and read and write registers, to do basic
> snapshot/restore by tracking dirty pages and resetting them
>
> Virtual Machine Introspection (for malware analysis and reverse
> engineering):
> - Read memory and registers to find kernel, analyze kernel structures,
> and retrieve info like process lists, memory mappings
> - Read memory and registers to quickly trace malware execution in VM
> - Write memory and registers to test behavior under various
> conditions, like skipping into checks (motivating example: what
> happens if you skip into the kill switch statement for WannaCry)
>
> Runtime patching (as in the example):
> - Writing memory to patch critical legacy code in production often can
> no longer be built or patched via means other than by applying
> binary patches (this is a real problem for e.g. the government, to
> the point where DARPA ran a program
> https://www.darpa.mil/research/programs/assured-micropatching to
> work on it!)
> - Writing registers to skip over broken code, redirect to patch code, etc.
>
> Ultimately, the caveats boil down to "don't modify stuff that's
> touched by currently executing code". I personally don't think that's
> unreasonable (as long as it's in the doc-strings) because for any
> plugin that needs to write memory, ensuring the write consistency is
> probably the easiest problem to solve and people working in this space
> are used to having way worse and jankier workarounds.
I dread to think what jankier workarounds are!
However I accept that a doc string warning will do for now. I think if
we can strengthen the guarantee at a later date to make the feature more
bullet proof we should. For example we could use start/end_exclusive to
halt the other threads while patching is taking place and then trigger a
full tb-flush to be safe. It depends how often we expect to be patching
things out?
Richard,
Do you have any view about this?
> These plugin
> functions make life way easier for them. I have been in touch with 20+
> people from various companies and projects (including Microsoft, where
> I work, as well as other big and small tech) all working on plugins
> that could be better if this feature existed, so there is definitely a
> user-base and appetite for it!
>
> The last cool use-case is that this moves us a long way towards
> cleaning up the large number of QEMU forks out there designed for RE
> and security testing like QEMU-Nyx, qemuafl, symqemu, and many more.
> Instead of maintaining forks of QEMU (many of these are based on 4.2.0
> or older!) folks can just maintain a plugin, which lets them take
> advantage of updates and fixes without giant rebases. My goal is to
> kill these forks and have these projects write small, maintainable
> plugins instead, and the authors are on board :)
Absolutely - I would like to see that too. The main reason those forks
haven't been up-streamable is because they have to make fairly invasive
changes to the frontends to do their instrumentation. I want to grow the
API to the point we can support these more advanced use cases. I am
however being conservative in adding new APIs so we take the time to get
each one right and minimise:
- leaking internal details and constricting future evolution of the emulator
- giving the users too many foot guns in the API
I'll have a look at the next version and see how we are doing.
--
Alex Bennée
Virtualisation Tech Lead @ Linaro
next prev parent reply other threads:[~2025-06-20 13:37 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-06-11 23:24 [PATCH v12 0/7] Add additional plugin API functions to read and write memory and registers Rowan Hart
2025-06-11 23:24 ` [PATCH v12 1/7] gdbstub: Expose gdb_write_register function to consumers of gdbstub Rowan Hart
2025-06-11 23:24 ` [PATCH v12 2/7] plugins: Add register write API Rowan Hart
2025-06-11 23:24 ` [PATCH v12 3/7] plugins: Add enforcement of QEMU_PLUGIN_CB flags in register R/W callbacks Rowan Hart
2025-06-11 23:24 ` [PATCH v12 4/7] plugins: Add memory virtual address write API Rowan Hart
2025-06-11 23:24 ` [PATCH v12 5/7] plugins: Add memory hardware address read/write API Rowan Hart
2025-06-17 10:24 ` Alex Bennée
2025-06-17 15:46 ` Rowan Hart
2025-06-20 13:36 ` Alex Bennée [this message]
2025-06-17 17:38 ` Pierrick Bouvier
2025-06-11 23:24 ` [PATCH v12 6/7] plugins: Add patcher plugin and test Rowan Hart
2025-06-13 15:19 ` Pierrick Bouvier
2025-06-17 10:35 ` Alex Bennée
2025-06-11 23:24 ` [PATCH v12 7/7] plugins: Update plugin version and add notes Rowan Hart
2025-06-12 3:41 ` [PATCH v12 0/7] Add additional plugin API functions to read and write memory and registers Rowan Hart
2025-06-13 15:19 ` Pierrick Bouvier
2025-06-13 15:57 ` Alex Bennée
2025-06-19 16:20 ` Rowan Hart
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87pleysffy.fsf@draig.linaro.org \
--to=alex.bennee@linaro.org \
--cc=eduardo@habkost.net \
--cc=erdnaxe@crans.org \
--cc=ma.mandourr@gmail.com \
--cc=marcel.apfelbaum@gmail.com \
--cc=pbonzini@redhat.com \
--cc=philmd@linaro.org \
--cc=pierrick.bouvier@linaro.org \
--cc=qemu-devel@nongnu.org \
--cc=richard.henderson@linaro.org \
--cc=rowanbhart@gmail.com \
--cc=wangyanan55@huawei.com \
--cc=zhao1.liu@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.