From: Roberto Paleari <roberto@idea.sec.dico.unimi.it>
To: Blue Swirl <blauwirbel@gmail.com>
Cc: qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] QEMU testing methodology & results
Date: Sun, 10 Apr 2011 21:10:21 +0200 [thread overview]
Message-ID: <BANLkTinKdp+JtsjuSSV0rPY+0z9ouiP_tQ@mail.gmail.com> (raw)
In-Reply-To: <BANLkTi=RKMCs3GmrkfT9Njq9=z5HB4a7Lw@mail.gmail.com>
On Fri, Apr 8, 2011 at 9:56 PM, Blue Swirl <blauwirbel@gmail.com> wrote:
> Very interesting!
Thank you!
> KEmuFuzzer seems to be more general. The approach of the patch is a
> bit intrusive. But there are similarities with it and GDB interface,
> tracepoints and other instrumentation needs, so it may be possible to
> work out a common solution.
Yes, KEmuFuzzer is more general and more effective than EmuFuzzer, as
it can be also used to test privileged instruction.
> I don't think it is possible to avoid red pills. Even with the fastest
> hardware assisted emulator, it may be possible to make a program to
> detect systematic distortions in the clock speed. Lack of cache
> emulation may be easy to detect. The devices that QEMU provides are so
> old that a machine with those devices can be considered to be QEMU by
> the red pill. And so on.
I agree: it would be really difficult to avoid red pills at all.
However, in EmuFuzzer and KEmuFuzzer we are interested only in
"instruction-level" red pills. I mean, we focused only on possibile
defects in the implementation of the instruction semantics, so we do
not take into account possibile red pills caused by clock skews,
device IDs, and so on.
> I'd vote for full disclosure and open discussion on this list, but I
> suppose the distro people may have business interests to protect.
> Though the papers may already give the black hats enough ideas how to
> find the defects.
I agree: the papers already disclose some details that could allow
"black hats" to re-implement the same approaches and eventualy find
emulation defects. However, we prefered to contact QEMU developers
before disclosing the details of the defects we found.
Thank you!
Roberto
--
Roberto Paleari
http://roberto.greyhats.it/
PGP Key Fingerprint: F94C 1933 F61C 3948 7CDD 2C61 38C7 6116 833D D6A0
next prev parent reply other threads:[~2011-04-10 19:10 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-04-08 7:18 [Qemu-devel] QEMU testing methodology & results Roberto Paleari
2011-04-08 19:56 ` Blue Swirl
2011-04-10 19:10 ` Roberto Paleari [this message]
2011-04-27 14:46 ` Stefan Hajnoczi
2011-04-27 15:31 ` Roberto Paleari
2011-04-28 19:09 ` Blue Swirl
2011-04-28 19:44 ` Anthony Liguori
2011-04-29 0:17 ` Peter Maydell
2011-04-29 8:33 ` Paolo Bonzini
2011-04-29 21:35 ` Blue Swirl
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=BANLkTinKdp+JtsjuSSV0rPY+0z9ouiP_tQ@mail.gmail.com \
--to=roberto@idea.sec.dico.unimi.it \
--cc=blauwirbel@gmail.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).