From: Paul Brook <paul@codesourcery.com>
To: qemu-devel@nongnu.org
Cc: Chris Frey <cdfrey@foursquare.net>
Subject: Re: [Qemu-devel] Re: Re: Killing KQEMU
Date: Thu, 4 Jun 2009 01:22:33 +0100
Message-ID: <200906040122.33938.paul@codesourcery.com>
In-Reply-To: <20090603212142.GA16171@foursquare.net>
> > More like "impossible because it *should* never happen". kqemu is not
> > known to be secure.
>
> Did you mean "kqemu is known to not be secure" or is this just FUD?
AFAIK no one has produced a real-world exploit, but see below.
> The KQEMU technical documentation on the QEMU website specifically
> stresses that no VM code is run at kernel level, so someone was thinking
> about security when it was written.
Absolutely not.
The fact that all guest code is run in ring3 is in no way an indication that
the end result is secure. I know from experience[1] that there are many ways
that such a VM can be compromised. Pretty much every mainstream x86 operating
system in the last 15 years runs application code in ring3, but that doesn't
mean they're even vaguely secure.
My understanding is that kqemu is known to not work correctly under certain
circumstances. It's possible that this never occurs when common guest
operating systems are operating normally. However, if a guest is compromised it
is likely that it will be able to either compromise or DoS (crash) the host
machine. Empirical evidence suggests that in practice this happens even
without malicious intent.
Paul
[1] I wrote a prototype kqemu equivalent, so have been intimately familiar
with many of the things that can go wrong.
Thread overview: 25+ messages
2009-06-02 3:52 [Qemu-devel] Killing KQEMU Chris Frey
2009-06-02 4:18 ` Avi Kivity
2009-06-02 6:28 ` Avi Kivity
2009-06-02 19:25 ` [Qemu-devel] " Chris Frey
2009-06-02 4:45 ` [Qemu-devel] " Rick Vernam
2009-06-02 12:54 ` Paul Brook
2009-06-02 20:09 ` [Qemu-devel] " Chris Frey
2009-06-02 20:24 ` Avi Kivity
2009-06-03 21:50 ` [Qemu-devel] " Chris Frey
2009-06-04 6:30 ` [Qemu-devel] " Avi Kivity
2009-06-02 20:30 ` Paul Brook
2009-06-03 21:34 ` Chris Frey
2009-06-03 21:46 ` Rick Vernam
2009-06-06 11:01 ` Andreas Färber
2009-06-06 11:27 ` Paul Brook
2009-06-06 13:50 ` Andreas Färber
2009-06-06 15:24 ` Gleb Natapov
2009-06-06 16:03 ` Avi Kivity
2009-06-02 20:35 ` Gerd Hoffmann
2009-06-02 20:47 ` Stuart Brady
2009-06-03 21:21 ` [Qemu-devel] " Chris Frey
2009-06-04 0:22 ` Paul Brook [this message]
2009-06-02 6:25 ` [Qemu-devel] " Gleb Natapov
2009-06-02 9:26 ` Anton D Kachalov
2009-06-02 19:47 ` [Qemu-devel] " Chris Frey