Comment by rrdharan

6 years ago

> QEMU... has a pretty good security record

That's an interesting and I would argue, contrarian take?

https://www.theregister.co.uk/2017/01/30/google_cloud_kicked...

"QEMU has a long track record of security bugs, such as VENOM, and it's unclear what vulnerabilities may still be lurking in the code."

3 comments

rrdharan

Reply
slpnix  6 years ago

I think the slide 14 from the talk "Reports of my Bloat Have Been Greatly Exaggerated" [1] presented by Paolo Bonzini at KVM Forum 2019 gives some good perspective about QEMU's security track:

"Of the top 100 vulnerabilities reported for QEMU:

- 65 were not guest exploitable

- 3 were not in QEMU :)

- 5 did not affect x86 KVM guests

- 3 were not related to the C language

- Only 6 affected devices normally used for IaaS

The most recent of these 6 was reported in 2016"

The rest of this talk was also very interesting. I encourage everyone with 10 minutes to spare and an interest in VMMs to take a look at the slides.

[1] https://static.sched.com/hosted_files/kvmforum2019/c6/kvmfor...

  • mato  6 years ago

    > "Of the top 100 vulnerabilities reported for QEMU:

    > - 65 were not guest exploitable

    > [...]

    Which leaves about 30 that presumably were guest exploitable.

    Don't get me wrong -- QEMU is useful. As a "kitchen sink" solution that runs anything, anywhere, with any useful combination of emulated {devices,processors,systems}.

    However, this is also its biggest weakness. Which is why Google and Amazon all run their own custom VMMs for their IaaS services.

    The microvm machine type as described here is a great step to improve this situation. The next step in my book would be to reconfigure QEMU's build system to allow building a binary that only supports the devices provided by microvm, and nothing else.

  • ketralnis  6 years ago

    > "Of the top 100 vulnerabilities reported for QEMU:

    > - 3 were not related to the C language

    wow