[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Qemu-devel] German BSI analysed security of KVM / QEMU
From: |
Stefan Weil |
Subject: |
Re: [Qemu-devel] German BSI analysed security of KVM / QEMU |
Date: |
Fri, 13 Oct 2017 12:30:32 +0200 |
User-agent: |
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.4.0 |
Am 13.10.2017 um 11:37 schrieb Cornelia Huck:
> On Fri, 13 Oct 2017 11:10:05 +0200
> Stefan Weil <address@hidden> wrote:
>
>> Hi,
>>
>> the German Bundesamt für Sicherheit in der Informationstechnik
>> (Federal Office for Information Security) published a study on
>> the security of KVM and QEMU:
>>
>> https://www.bsi.bund.de/DE/Publikationen/Studien/Sicherheitsanalyse_KVM/sicherheitsanalyse_kvm.html
>>
>> (article only available in German)
> Thanks for posting this!
>
> I only looked at the conclusion for now. Some interesting points:
>
> - They state that QEMU's source code is well structured, readable and
> maintainable. I wonder what kind of source code they usually deal
> with ;)
> - Most problems noted seemed to be related to signed<->unsigned
> conversions, but none were found to be exploitable.
> - They liked hardening via stack protection, NX, and ASLR, as well as
> the mechanisms used by libvirt.
> - They generally seemed to be happy with QEMU being deployed via
> libvirt.
> - Restrictions imposed via KVM (guest access to some CPU registers)
> scored positive points. They did not like that Hyper-V and PMU were
> not deconfigurable.
> - Lack of support for encryption/signing of network-based images was
> criticized. They ended up using Ceph and GlusterFS, which they were
> reasonably happy with.
>
> That's just from a quick browse.
I already found some weaknesses in the study:
* It makes the wrong assumption that all maintainers have write access
to the git repository. (chapter 5.3)
* It does not mention important quality measures like Coverity Scan,
Continuous Integration and automated tests.
So QEMU is even better than the BSI thinks. :-)
Stefan
- [Qemu-devel] German BSI analysed security of KVM / QEMU, Stefan Weil, 2017/10/13
- Re: [Qemu-devel] German BSI analysed security of KVM / QEMU, Cornelia Huck, 2017/10/13
- Re: [Qemu-devel] German BSI analysed security of KVM / QEMU, Daniel P. Berrange, 2017/10/13
- Re: [Qemu-devel] German BSI analysed security of KVM / QEMU, Cornelia Huck, 2017/10/13
- Re: [Qemu-devel] German BSI analysed security of KVM / QEMU, Kevin Wolf, 2017/10/16
- Re: [Qemu-devel] German BSI analysed security of KVM / QEMU, Daniel P. Berrange, 2017/10/16
- Re: [Qemu-devel] [Qemu-block] German BSI analysed security of KVM / QEMU, Alberto Garcia, 2017/10/16
- Re: [Qemu-devel] German BSI analysed security of KVM / QEMU, Kevin Wolf, 2017/10/16
- Re: [Qemu-devel] German BSI analysed security of KVM / QEMU,
Stefan Weil <=