From: "Alex Bennée" <alex.bennee@linaro.org>
To: Rowan Hart <rowanbhart@gmail.com>
Cc: qemu-devel@nongnu.org,
"Pierrick Bouvier" <pierrick.bouvier@linaro.org>,
"Paolo Bonzini" <pbonzini@redhat.com>,
"Richard Henderson" <richard.henderson@linaro.org>,
"Philippe Mathieu-Daudé" <philmd@linaro.org>,
"Yanan Wang" <wangyanan55@huawei.com>,
"Mahmoud Mandour" <ma.mandourr@gmail.com>,
"Marcel Apfelbaum" <marcel.apfelbaum@gmail.com>,
"Alexandre Iooss" <erdnaxe@crans.org>,
"Zhao Liu" <zhao1.liu@intel.com>,
"Eduardo Habkost" <eduardo@habkost.net>
Subject: Re: [PATCH v12 5/7] plugins: Add memory hardware address read/write API
Date: Fri, 20 Jun 2025 14:36:17 +0100 [thread overview]
Message-ID: <87pleysffy.fsf@draig.linaro.org> (raw)
In-Reply-To: <168f9716-1b1c-42fe-9be8-f6b895a9095f@gmail.com> (Rowan Hart's message of "Tue, 17 Jun 2025 08:46:11 -0700")
Rowan Hart <rowanbhart@gmail.com> writes:
>> My main concern about the long list of caveats for writing memory is the
>> user will almost certainly cause weird things to happen which will then
>> be hard to debug. I can see the patcher example however it would be
>> useful to know what other practical uses this interface provides.
>>
> Of course! My main personal intent here is to facilitate introspection
> and manipulation of guest state for security analysis. Some examples
> of why the memory/register R/W primitives are necessary here include:
>
> Fuzzing:
> - Read registers and memory for tracing control flow, comparison
> operands, and profiled values (e.g. memcmp arguments)
> - Write memory to inject test cases into the guest (for me and other
> fuzzer developers, this is the biggest reason!)
> - Write registers to reset execution or skip over complex checks like
> checksums
> - Read and write memory, and read and write registers, to do basic
> snapshot/restore by tracking dirty pages and resetting them
>
> Virtual Machine Introspection (for malware analysis and reverse
> engineering):
> - Read memory and registers to find kernel, analyze kernel structures,
> and retrieve info like process lists, memory mappings
> - Read memory and registers to quickly trace malware execution in VM
> - Write memory and registers to test behavior under various
> conditions, like skipping into checks (motivating example: what
> happens if you skip into the kill switch statement for WannaCry)
>
> Runtime patching (as in the example):
> - Writing memory to patch critical legacy code in production often can
> no longer be built or patched via means other than by applying
> binary patches (this is a real problem for e.g. the government, to
> the point where DARPA ran a program
> https://www.darpa.mil/research/programs/assured-micropatching to
> work on it!)
> - Writing registers to skip over broken code, redirect to patch code, etc.
>
> Ultimately, the caveats boil down to "don't modify stuff that's
> touched by currently executing code". I personally don't think that's
> unreasonable (as long as it's in the doc-strings) because for any
> plugin that needs to write memory, ensuring the write consistency is
> probably the easiest problem to solve and people working in this space
> are used to having way worse and jankier workarounds.
I dread to think what jankier workarounds are!
However I accept that a doc string warning will do for now. I think if
we can strengthen the guarantee at a later date to make the feature more
bullet proof we should. For example we could use start/end_exclusive to
halt the other threads while patching is taking place and then trigger a
full tb-flush to be safe. It depends how often we expect to be patching
things out?
Richard,
Do you have any view about this?
> These plugin
> functions make life way easier for them. I have been in touch with 20+
> people from various companies and projects (including Microsoft, where
> I work, as well as other big and small tech) all working on plugins
> that could be better if this feature existed, so there is definitely a
> user-base and appetite for it!
>
> The last cool use-case is that this moves us a long way towards
> cleaning up the large number of QEMU forks out there designed for RE
> and security testing like QEMU-Nyx, qemuafl, symqemu, and many more.
> Instead of maintaining forks of QEMU (many of these are based on 4.2.0
> or older!) folks can just maintain a plugin, which lets them take
> advantage of updates and fixes without giant rebases. My goal is to
> kill these forks and have these projects write small, maintainable
> plugins instead, and the authors are on board :)
Absolutely - I would like to see that too. The main reason those forks
haven't been up-streamable is because they have to make fairly invasive
changes to the frontends to do their instrumentation. I want to grow the
API to the point we can support these more advanced use cases. I am
however being conservative in adding new APIs so we take the time to get
each one right and minimise:
- leaking internal details and constricting future evolution of the emulator
- giving the users too many foot guns in the API
I'll have a look at the next version and see how we are doing.
--
Alex Bennée
Virtualisation Tech Lead @ Linaro
next prev parent reply other threads:[~2025-06-20 13:37 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-06-11 23:24 [PATCH v12 0/7] Add additional plugin API functions to read and write memory and registers Rowan Hart
2025-06-11 23:24 ` [PATCH v12 1/7] gdbstub: Expose gdb_write_register function to consumers of gdbstub Rowan Hart
2025-06-11 23:24 ` [PATCH v12 2/7] plugins: Add register write API Rowan Hart
2025-06-11 23:24 ` [PATCH v12 3/7] plugins: Add enforcement of QEMU_PLUGIN_CB flags in register R/W callbacks Rowan Hart
2025-06-11 23:24 ` [PATCH v12 4/7] plugins: Add memory virtual address write API Rowan Hart
2025-06-11 23:24 ` [PATCH v12 5/7] plugins: Add memory hardware address read/write API Rowan Hart
2025-06-17 10:24 ` Alex Bennée
2025-06-17 15:46 ` Rowan Hart
2025-06-20 13:36 ` Alex Bennée [this message]
2025-06-17 17:38 ` Pierrick Bouvier
2025-06-11 23:24 ` [PATCH v12 6/7] plugins: Add patcher plugin and test Rowan Hart
2025-06-13 15:19 ` Pierrick Bouvier
2025-06-17 10:35 ` Alex Bennée
2025-06-11 23:24 ` [PATCH v12 7/7] plugins: Update plugin version and add notes Rowan Hart
2025-06-12 3:41 ` [PATCH v12 0/7] Add additional plugin API functions to read and write memory and registers Rowan Hart
2025-06-13 15:19 ` Pierrick Bouvier
2025-06-13 15:57 ` Alex Bennée
2025-06-19 16:20 ` Rowan Hart
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87pleysffy.fsf@draig.linaro.org \
--to=alex.bennee@linaro.org \
--cc=eduardo@habkost.net \
--cc=erdnaxe@crans.org \
--cc=ma.mandourr@gmail.com \
--cc=marcel.apfelbaum@gmail.com \
--cc=pbonzini@redhat.com \
--cc=philmd@linaro.org \
--cc=pierrick.bouvier@linaro.org \
--cc=qemu-devel@nongnu.org \
--cc=richard.henderson@linaro.org \
--cc=rowanbhart@gmail.com \
--cc=wangyanan55@huawei.com \
--cc=zhao1.liu@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).