Re: [Qemu-devel] QEMU - Security Research Questions

Thu, 06 Oct 2016 09:28:09 -0700 

On 10/06/2016 03:27 AM, Markus Armbruster wrote:
> Paolo Bonzini <pbonz...@redhat.com> writes:
> 
>> On 06/10/2016 02:10, Joey Connelly wrote:
>>> Hey QEMU dev group,
>>> I'm a graduate student at Boise State University working on my thesis
>>> involving Virtualization/Cloud Computing Security and I wanted to ask a few
>>> questions:
>>>
>>> *[QUESTION#1.]* From within a guest KVM/QEMU process (qemu-system-x86_64
>>> -enable-kvm) can the VM invoke commands on its host - either through QEMU
>>> Monitor Console commands, or by some other means I'm unaware of?
>>>
>>> *[QUESTION#**2.]* Can a host administrator running a guest KVM/QEMU process
>>> have QEMU Monitor Console commands invoked on that guest VM if *no*
>>> "-monitor" option was used?
>>>
>>> *[QUESTION#**3.]* If a host admin creates a KVM/QEMU process with the
>>> "qemu-system-x86_64 -enable-kvm -netdev tap,<...>" options is there a
>>> KVM/QEMU specific way to query the "tap,<...>" information later after the
>>> process has been created? (assuming your admin account maintains ring 0
>>> permissions)
>>
>> No to all three.
> 
> The pedantically correct answer to #2 would be "not easily": you'd have
> to play games with a debugger.

In which case, the pedantically correct answer to #1 is "if there is,
then that's a CVE and please tell us so we can plug it".  You can track
recent qemu CVEs to see where we have been fixing such issues as they
get reported.

Note also that a host can choose whether to rely on the guest (for
example, that's what qga is all about); and it is feasible that you
could use qga or a similar channel where a host and guest can cooperate
such that the host will act on behalf of a guest request - but that such
interaction is up to the host to permit, and should only be permitted
for trusted guests.  A guest by itself should never be able to drive
host behavior without host permission first, and a host should never
rely on qga or other channels to an untrusted guest.

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org

Attachment: signature.asc
Description: OpenPGP digital signature

Reply via email to