From: "Daniel P. Berrange" <berrange@redhat.com>
To: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
Cc: bancfc@openmailbox.org, qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] QEMU soundcards vulnerable to jack retasking?
Date: Mon, 28 Nov 2016 10:38:47 +0000 [thread overview]
Message-ID: <20161128103847.GD18394@redhat.com> (raw)
In-Reply-To: <20161128101916.GB2148@work-vm>
On Mon, Nov 28, 2016 at 10:19:16AM +0000, Dr. David Alan Gilbert wrote:
> * bancfc@openmailbox.org (bancfc@openmailbox.org) wrote:
> > Recent security research shows that soundcards support surreptitiously
> > switching line-out jacks into line-in by modifying the software stack. The
> > way modern speakers and headphones are designed makes them readily usable as
> > microphones. The Intel High Definition (HD) Audio standards which all modern
> > consumer soundcards are based mandates this stupidity.
> >
> > https://arxiv.org/ftp/arxiv/papers/1611/1611.07350.pdf
> >
> > Does anyone know if QEMU's emulated sound devices follow this standard? If
> > yes then a malicious guest that can modify the virt sound hardware can turn
> > PC speakers into surveillance devices even if the microphone is disabled on
> > the host. The only solution is completely denying untrusted VMs access to a
> > virtual sound device.
>
> I think it's reasonably isolated; the emulated audio controller ends up using
> normal pulseaudio/alsa etc to talk to your host's audio system - so I don't
> think it should be able to screw around with low level settings of the codecs.
Further, the admin has to make an explicit decision to allow the guest to
have any audio access at all, by explicitly configuring a virtual sound
card. Some sound card models QEMU supports (ac97, es1370) are always
full duplex, meaning they always allow the guest to do both audio input
and output. Other models (intel-hda) can be setup in either full-duplex
or half-duplex modes, at host administrators discretion. In the half
duplex mode, my reading of the code indicates that it is impossible to
reach the code paths for audio input, so no matter what the guest tries
to do to the virtual sound card it seems, it will only ever be able to
output audio, never get audio input.
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://entangle-photo.org -o- http://search.cpan.org/~danberr/ :|
next prev parent reply other threads:[~2016-11-28 10:38 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-11-25 20:25 [Qemu-devel] QEMU soundcards vulnerable to jack retasking? bancfc
2016-11-28 10:19 ` Dr. David Alan Gilbert
2016-11-28 10:38 ` Daniel P. Berrange [this message]
2016-11-28 10:30 ` Gerd Hoffmann
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20161128103847.GD18394@redhat.com \
--to=berrange@redhat.com \
--cc=bancfc@openmailbox.org \
--cc=dgilbert@redhat.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).