Message-ID: <4DB9C3AA.20907@codemonkey.ws>
Date: Thu, 28 Apr 2011 14:44:42 -0500
From: Anthony Liguori
Subject: Re: [Qemu-devel] QEMU testing methodology & results
To: Roberto Paleari
Cc: qemu-devel@nongnu.org

On 04/08/2011 02:18 AM, Roberto Paleari wrote:
> Dear QEMU developers,
>
> we are a group of researchers working at the University of Milan,
> Italy. During the last year we focused on automatic techniques to find
> defects inside CPU emulators and virtualizers. Our work has been
> published in different conference papers [1][2][3], and the testing
> methodologies we developed allowed us to find defects in several
> emulators and virtualizers, including QEMU.
>
> In these days we were asked to publicly release our experimental
> results. As these results also include several defects in QEMU, we
> believed it was better to contact you before releasing this material
> to the public.

Just to be clear, at least for x86 CPU emulation, QEMU does not attempt
to achieve perfect fidelity and has some pretty well known "security"
issues.

For instance, it does not emulate segment register limits in any
meaningful way. This does not mean that the guest can break into the
host, just that the guest protection mechanisms aren't always enforced
when using TCG. This is not an issue with KVM though.

Regards,

Anthony Liguori

>
> For this reason, we ask to whom it may concern to contact us privately
> at emufuzzer@security.dico.unimi.it to discuss the disclosure of
> these results.
>
> Thank you very much for your help,
>
> Footnotes:
> [1] Testing CPU Emulators (http://roberto.greyhats.it/pubs/issta09.pdf)
> [2] Testing system virtual machines
> (http://roberto.greyhats.it/pubs/issta10-kemufuzzer.pdf)
> [3] A fistful of red-pills: How to automatically generate procedures
> to detect CPU emulators (http://roberto.greyhats.it/pubs/woot09.pdf)
>