
Re: [Qemu-devel] Re: Re: Killing KQEMU


From: Paul Brook
Subject: Re: [Qemu-devel] Re: Re: Killing KQEMU
Date: Thu, 4 Jun 2009 01:22:33 +0100
User-agent: KMail/1.11.2 (Linux/2.6.29-2-amd64; KDE/4.2.4; x86_64; ; )

> > More like "impossible because it *should* never happen".  kqemu is not
> > known to be secure.
>
> Did you mean "kqemu is known to not be secure" or is this just FUD?

AFAIK no one has produced a real-world exploit, but see below.

> The KQEMU technical documentation on the QEMU website specifically
> stresses that no VM code is run at kernel level, so someone was thinking
> about security when it was written.

Absolutely not.

The fact that all guest code is run in ring3 is in no way an indication that 
the end result is secure. I know from experience[1] that there are many ways 
that such a VM can be compromised. Pretty much every mainstream x86 operating 
system in the last 15 years runs application code in ring3, but that doesn't 
mean they're even vaguely secure.

My understanding is that kqemu is known to not work correctly under certain 
circumstances. It's possible that this never occurs when common guest 
operating systems are operating normally. However if a guest is compromised it 
is likely that it will be able to either compromise or DoS (crash) the host 
machine.  Empirical evidence suggests that in practice this happens even 
without malicious intent.

Paul

[1] I wrote a prototype kqemu equivalent, so have been intimately familiar 
with many of the things that can go wrong.
