qemu-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] German BSI analysed security of KVM / QEMU

From: Cornelia Huck
Subject: Re: [Qemu-devel] German BSI analysed security of KVM / QEMU
Date: Fri, 13 Oct 2017 11:37:08 +0200 
On Fri, 13 Oct 2017 11:10:05 +0200
Stefan Weil <address@hidden> wrote:

> Hi,
> 
> the German Bundesamt für Sicherheit in der Informationstechnik
> (Federal Office for Information Security) published a study on
> the security of KVM and QEMU:
> 
> https://www.bsi.bund.de/DE/Publikationen/Studien/Sicherheitsanalyse_KVM/sicherheitsanalyse_kvm.html
> 
> (article only available in German)

Thanks for posting this!

I only looked at the conclusion for now. Some interesting points:

- They state that QEMU's source code is well structured, readable and
  maintainable. I wonder what kind of source code they usually deal
  with ;)
- Most problems noted seemed to be related to signed<->unsigned
  conversions, but none were found to be exploitable.
- They liked hardening via stack protection, NX, and ASLR, as well as
  the mechanisms used by libvirt.
- They generally seemed to be happy with QEMU being deployed via
  libvirt.
- Restrictions imposed via KVM (guest access to some CPU registers)
  scored positive points. They did not like that Hyper-V and PMU were
  not deconfigurable.
- Lack of support for encryption/signing of network-based images was
  criticized. They ended up using Ceph and GlusterFS, which they were
  reasonably happy with.

That's just from a quick browse.
reply via email to
[Prev in Thread] Current Thread [Next in Thread]