From: Blue Swirl <blauwirbel@gmail.com>
To: Roberto Paleari <roberto@security.dico.unimi.it>
Cc: qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] QEMU testing methodology & results
Date: Fri, 8 Apr 2011 22:56:37 +0300 [thread overview]
Message-ID: <BANLkTi=RKMCs3GmrkfT9Njq9=z5HB4a7Lw@mail.gmail.com> (raw)
In-Reply-To: <BANLkTim--Mr+j+WX3fPEceAfPC_Xwwaaiw@mail.gmail.com>
On Fri, Apr 8, 2011 at 10:18 AM, Roberto Paleari
<roberto@security.dico.unimi.it> wrote:
> Dear QEMU developers,
>
> we are a group of researchers working at the University of Milan,
> Italy. During the last year we focused on automatic techniques to find
> defects inside CPU emulators and virtualizers. Our work has been
> published in different conference papers [1][2][3], and the testing
> methodologies we developed allowed us to find defects in several
> emulators and virtualizers, including QEMU.
Very interesting!
The test case generation is a bit like crashme program, but more
intelligent. It would be nice to integrate something like this to QEMU
as a test suite instead of manually written assembly programs.
KEmuFuzzer seems to be more general. The approach of the patch is a
bit intrusive. But there are similarities with it and GDB interface,
tracepoints and other instrumentation needs, so it may be possible to
work out a common solution.
I don't think it is possible to avoid red pills. Even with the fastest
hardware assisted emulator, it may be possible to make a program to
detect systematic distortions in the clock speed. Lack of cache
emulation may be easy to detect. The devices that QEMU provides are so
old that a machine with those devices can be considered to be QEMU by
the red pill. And so on.
> In these days we were asked to publicly release our experimental
> results. As these results also include several defects in QEMU, we
> believed it was better to contact you before releasing this material
> to the public.
>
> For this reason, we ask to whom it may concern to contact us privately
> at emufuzzer@security.dico.unimi.it to discuss about the disclosure of
> these results.
I'd vote for full disclosure and open discussion on this list, but I
suppose the distro people may have business interests to protect.
Though the papers may already give the black hats enough ideas how to
find the defects.
next prev parent reply other threads:[~2011-04-08 19:57 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-04-08 7:18 [Qemu-devel] QEMU testing methodology & results Roberto Paleari
2011-04-08 19:56 ` Blue Swirl [this message]
2011-04-10 19:10 ` Roberto Paleari
2011-04-27 14:46 ` Stefan Hajnoczi
2011-04-27 15:31 ` Roberto Paleari
2011-04-28 19:09 ` Blue Swirl
2011-04-28 19:44 ` Anthony Liguori
2011-04-29 0:17 ` Peter Maydell
2011-04-29 8:33 ` Paolo Bonzini
2011-04-29 21:35 ` Blue Swirl
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='BANLkTi=RKMCs3GmrkfT9Njq9=z5HB4a7Lw@mail.gmail.com' \
--to=blauwirbel@gmail.com \
--cc=qemu-devel@nongnu.org \
--cc=roberto@security.dico.unimi.it \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).