[Qemu-devel] QEMU soundcards vulnerable to jack retasking?

[Qemu-devel] QEMU soundcards vulnerable to jack retasking?

[bancfc]

Recent security research shows that soundcards support surreptitiously 
switching line-out jacks into line-in by modifying the software stack. 
The way modern speakers and headphones are designed makes them readily 
usable as microphones. The Intel High Definition (HD) Audio standards 
which all modern consumer soundcards are based mandates this stupidity.

https://arxiv.org/ftp/arxiv/papers/1611/1611.07350.pdf

Does anyone know if QEMU's emulated sound devices follow this standard? 
If yes then a malicious guest that can modify the virt sound hardware 
can turn PC speakers into surveillance devices even if the microphone is 
disabled on the host. The only solution is completely denying untrusted 
VMs access to a virtual sound device.

Re: [Qemu-devel] QEMU soundcards vulnerable to jack retasking?

[Dr. David Alan Gilbert]

* bancfc@openmailbox.org (bancfc@openmailbox.org) wrote:
> Recent security research shows that soundcards support surreptitiously
> switching line-out jacks into line-in by modifying the software stack. The
> way modern speakers and headphones are designed makes them readily usable as
> microphones. The Intel High Definition (HD) Audio standards which all modern
> consumer soundcards are based mandates this stupidity.
> 
> https://arxiv.org/ftp/arxiv/papers/1611/1611.07350.pdf
> 
> Does anyone know if QEMU's emulated sound devices follow this standard? If
> yes then a malicious guest that can modify the virt sound hardware can turn
> PC speakers into surveillance devices even if the microphone is disabled on
> the host. The only solution is completely denying untrusted VMs access to a
> virtual sound device.

I think it's reasonably isolated; the emulated audio controller ends up using
normal pulseaudio/alsa etc to talk to your host's audio system - so I don't
think it should be able to screw around with low level settings of the codecs.

Dave

> 
> 
--
Dr. David Alan Gilbert / dgilbert@redhat.com / Manchester, UK

Re: [Qemu-devel] QEMU soundcards vulnerable to jack retasking?

[Daniel P. Berrange]

On Mon, Nov 28, 2016 at 10:19:16AM +0000, Dr. David Alan Gilbert wrote:
> * bancfc@openmailbox.org (bancfc@openmailbox.org) wrote:
> > Recent security research shows that soundcards support surreptitiously
> > switching line-out jacks into line-in by modifying the software stack. The
> > way modern speakers and headphones are designed makes them readily usable as
> > microphones. The Intel High Definition (HD) Audio standards which all modern
> > consumer soundcards are based mandates this stupidity.
> > 
> > https://arxiv.org/ftp/arxiv/papers/1611/1611.07350.pdf
> > 
> > Does anyone know if QEMU's emulated sound devices follow this standard? If
> > yes then a malicious guest that can modify the virt sound hardware can turn
> > PC speakers into surveillance devices even if the microphone is disabled on
> > the host. The only solution is completely denying untrusted VMs access to a
> > virtual sound device.
> 
> I think it's reasonably isolated; the emulated audio controller ends up using
> normal pulseaudio/alsa etc to talk to your host's audio system - so I don't
> think it should be able to screw around with low level settings of the codecs.

Further, the admin has to make an explicit decision to allow the guest to
have any audio access at all, by explicitly configuring a virtual sound
card.  Some sound card models QEMU supports (ac97, es1370) are always
full duplex, meaning they always allow the guest to do both audio input
and output. Other models (intel-hda) can be setup in either full-duplex
or half-duplex modes, at host administrators discretion. In the half
duplex mode, my reading of the code indicates that it is impossible to
reach the code paths for audio input, so no matter what the guest tries
to do to the virtual sound card it seems, it will only ever be able to
output audio, never get audio input.

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://entangle-photo.org       -o-    http://search.cpan.org/~danberr/ :|

Re: [Qemu-devel] QEMU soundcards vulnerable to jack retasking?

[Gerd Hoffmann]

On Fr, 2016-11-25 at 21:25 +0100, bancfc@openmailbox.org wrote:
> Recent security research shows that soundcards support surreptitiously 
> switching line-out jacks into line-in by modifying the software stack. 
> The way modern speakers and headphones are designed makes them readily 
> usable as microphones. The Intel High Definition (HD) Audio standards 
> which all modern consumer soundcards are based mandates this stupidity.
> 
> https://arxiv.org/ftp/arxiv/papers/1611/1611.07350.pdf
> 
> Does anyone know if QEMU's emulated sound devices follow this standard? 

No.  Output line is output only and input line is input only, period.

There are three qemu hda codecs available:

  hda-output
    only playback (line-out).  No way the guest can record anything.

  hda-duplex
    record (line-in) and playback (line-out).  Use that if you need
    sound recording in the guest.

  hda-micro
    record (micro) and playback (speaker).  Same as hda-duplex, except
    that the record and playback channels are tagged differently.  Use
    that if your guests app is picky and refuses to record from line-in.

Where the data for the record channel comes from is subject to host
configuration.  On a typical linux system it'll probably being
pulseaudio, either directly or indirectly (via spice).

cheers,
  Gerd