Re: [Qemu-devel] QEMU - Security Research Questions

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] QEMU - Security Research Questions

From:	Eric Blake
Subject:	Re: [Qemu-devel] QEMU - Security Research Questions
Date:	Thu, 6 Oct 2016 11:07:50 -0500
User-agent:	Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.3.0

On 10/06/2016 03:27 AM, Markus Armbruster wrote:
> Paolo Bonzini <address@hidden> writes:
> 
>> On 06/10/2016 02:10, Joey Connelly wrote:
>>> Hey QEMU dev group,
>>> I'm a graduate student at Boise State University working on my thesis
>>> involving Virtualization/Cloud Computing Security and I wanted to ask a few
>>> questions:
>>>
>>> *[QUESTION#1.]* From within a guest KVM/QEMU process (qemu-system-x86_64
>>> -enable-kvm) can the VM invoke commands on its host - either through QEMU
>>> Monitor Console commands, or by some other means I'm unaware of?
>>>
>>> *[QUESTION#**2.]* Can a host administrator running a guest KVM/QEMU process
>>> have QEMU Monitor Console commands invoked on that guest VM if *no*
>>> "-monitor" option was used?
>>>
>>> *[QUESTION#**3.]* If a host admin creates a KVM/QEMU process with the
>>> "qemu-system-x86_64 -enable-kvm -netdev tap,<...>" options is there a
>>> KVM/QEMU specific way to query the "tap,<...>" information later after the
>>> process has been created? (assuming your admin account maintains ring 0
>>> permissions)
>>
>> No to all three.
> 
> The pedantically correct answer to #2 would be "not easily": you'd have
> to play games with a debugger.

In which case, the pedantically correct answer to #1 is "if there is,
then that's a CVE and please tell us so we can plug it".  You can track
recent qemu CVEs to see where we have been fixing such issues as they
get reported.

Note also that a host can choose whether to rely on the guest (for
example, that's what qga is all about); and it is feasible that you
could use qga or a similar channel where a host and guest can cooperate
such that the host will act on behalf of a guest request - but that such
interaction is up to the host to permit, and should only be permitted
for trusted guests.  A guest by itself should never be able to drive
host behavior without host permission first, and a host should never
rely on qga or other channels to an untrusted guest.

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org

signature.asc
Description: OpenPGP digital signature

[Prev in Thread]

Current Thread

[Next in Thread]

[Qemu-devel] QEMU - Security Research Questions, Joey Connelly, 2016/10/05
- Re: [Qemu-devel] QEMU - Security Research Questions, Paolo Bonzini, 2016/10/06
  - Re: [Qemu-devel] QEMU - Security Research Questions, Markus Armbruster, 2016/10/06
    - Re: [Qemu-devel] QEMU - Security Research Questions, Eric Blake <=
    - Re: [Qemu-devel] QEMU - Security Research Questions, Kevin Wolf, 2016/10/07

Prev by Date: [Qemu-devel] [PATCH v5 08/17] vfio: Pass an Error object to vfio_connect_container
Next by Date: [Qemu-devel] [PATCH v5 06/17] vfio/pci: Pass an error object to vfio_add_capabilities
Previous by thread: Re: [Qemu-devel] QEMU - Security Research Questions
Next by thread: Re: [Qemu-devel] QEMU - Security Research Questions
Index(es):
- Date
- Thread