From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:51499)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <eblake@redhat.com>) id 1bsBDC-0000Mo-9a
	for qemu-devel@nongnu.org; Thu, 06 Oct 2016 12:08:02 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <eblake@redhat.com>) id 1bsBD8-00074l-23
	for qemu-devel@nongnu.org; Thu, 06 Oct 2016 12:07:58 -0400
Received: from mx1.redhat.com ([209.132.183.28]:51938)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <eblake@redhat.com>) id 1bsBD7-00074I-P0
	for qemu-devel@nongnu.org; Thu, 06 Oct 2016 12:07:53 -0400
References: <CAOgv842jzM0LPuqkdBzR=BhPk==Hm+d4Xep++UN4oHfWmJksGA@mail.gmail.com>
	<07793b5d-2702-224f-fc9e-7b8328d0d3c1@redhat.com>
	<87y421hogo.fsf@dusky.pond.sub.org>
From: Eric Blake <eblake@redhat.com>
Message-ID: <87d2d9a2-8a5c-9a55-e2a4-adc3e1e5370d@redhat.com>
Date: Thu, 6 Oct 2016 11:07:50 -0500
MIME-Version: 1.0
In-Reply-To: <87y421hogo.fsf@dusky.pond.sub.org>
Content-Type: multipart/signed; micalg=pgp-sha256;
	protocol="application/pgp-signature";
	boundary="qnXg4XDnIXoXUlbEEUD0WgEGRGX0aOXCi"
Subject: Re: [Qemu-devel] QEMU - Security Research Questions
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel/>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: Markus Armbruster <armbru@redhat.com>, Paolo Bonzini <pbonzini@redhat.com>
Cc: Joey Connelly <joeyconnelly@u.boisestate.edu>, qemu-devel@nongnu.org

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--qnXg4XDnIXoXUlbEEUD0WgEGRGX0aOXCi
From: Eric Blake <eblake@redhat.com>
To: Markus Armbruster <armbru@redhat.com>, Paolo Bonzini <pbonzini@redhat.com>
Cc: Joey Connelly <joeyconnelly@u.boisestate.edu>, qemu-devel@nongnu.org
Message-ID: <87d2d9a2-8a5c-9a55-e2a4-adc3e1e5370d@redhat.com>
Subject: Re: [Qemu-devel] QEMU - Security Research Questions
References: <CAOgv842jzM0LPuqkdBzR=BhPk==Hm+d4Xep++UN4oHfWmJksGA@mail.gmail.com>
 <07793b5d-2702-224f-fc9e-7b8328d0d3c1@redhat.com>
 <87y421hogo.fsf@dusky.pond.sub.org>
In-Reply-To: <87y421hogo.fsf@dusky.pond.sub.org>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

On 10/06/2016 03:27 AM, Markus Armbruster wrote:
> Paolo Bonzini <pbonzini@redhat.com> writes:
>=20
>> On 06/10/2016 02:10, Joey Connelly wrote:
>>> Hey QEMU dev group,
>>> I'm a graduate student at Boise State University working on my thesis=

>>> involving Virtualization/Cloud Computing Security and I wanted to ask=
 a few
>>> questions:
>>>
>>> *[QUESTION#1.]* From within a guest KVM/QEMU process (qemu-system-x86=
_64
>>> -enable-kvm) can the VM invoke commands on its host - either through =
QEMU
>>> Monitor Console commands, or by some other means I'm unaware of?
>>>
>>> *[QUESTION#**2.]* Can a host administrator running a guest KVM/QEMU p=
rocess
>>> have QEMU Monitor Console commands invoked on that guest VM if *no*
>>> "-monitor" option was used?
>>>
>>> *[QUESTION#**3.]* If a host admin creates a KVM/QEMU process with the=

>>> "qemu-system-x86_64 -enable-kvm -netdev tap,<...>" options is there a=

>>> KVM/QEMU specific way to query the "tap,<...>" information later afte=
r the
>>> process has been created? (assuming your admin account maintains ring=
 0
>>> permissions)
>>
>> No to all three.
>=20
> The pedantically correct answer to #2 would be "not easily": you'd have=

> to play games with a debugger.

In which case, the pedantically correct answer to #1 is "if there is,
then that's a CVE and please tell us so we can plug it".  You can track
recent qemu CVEs to see where we have been fixing such issues as they
get reported.

Note also that a host can choose whether to rely on the guest (for
example, that's what qga is all about); and it is feasible that you
could use qga or a similar channel where a host and guest can cooperate
such that the host will act on behalf of a guest request - but that such
interaction is up to the host to permit, and should only be permitted
for trusted guests.  A guest by itself should never be able to drive
host behavior without host permission first, and a host should never
rely on qga or other channels to an untrusted guest.

--=20
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org


--qnXg4XDnIXoXUlbEEUD0WgEGRGX0aOXCi
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
Comment: Public key at http://people.redhat.com/eblake/eblake.gpg
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQEcBAEBCAAGBQJX9nbXAAoJEKeha0olJ0NqiYYH/2kLtyFzsrAjp39vJlYExiAv
DmzWnPEnwuhUl4IPbU70Ak4xgSxOBjdPpKBPNdW82YFOBCBuRbcalo2BgbfQ2Fa3
cjzTIDBAnDlWcEmTKp3PyYwuPdNdYhsKWW6wgJ4ujAsHRZwXY5/sQkyUqZbEHTJf
QmOHsv9KWT9fxZyPBzQKMBljDJyUvCjjfro0v26D6p9niGoF0f7YOOFWQCOyzZKy
e7AdNj0QA49z7YrtZYp2IbBTqQBB2DhA2rUv7HcPcWpwb2I8iWF3nMI+wBMNT+79
mnpi8un0p8bMODZUFyM+22U0ULQe0jpuvWRhvT5zMpCcOZHsHunPgCenC/dcgQA=
=ZToV
-----END PGP SIGNATURE-----

--qnXg4XDnIXoXUlbEEUD0WgEGRGX0aOXCi--