
QEMU Attack Surface and Security Internals

Qiang Li

This paper has been accepted.

QEMU is a fundamental part of modern open source virtualization solutions, especially KVM and Xen. As a complete virtualization solution, QEMU must emulate the processor, memory and peripheral devices. This makes QEMU very complex and exposes many attack surfaces. This year I did deep vulnerability discovery in QEMU, found 60+ vulnerabilities and have 70+ CVEs so far. I have summarized the kinds of attack surface and vulnerability types in QEMU.

In this presentation I will talk about the attack surfaces of QEMU and how to discover vulnerabilities in these attack surfaces. The talk will contain the following parts:

1. A brief introduction to virtualization and QEMU/KVM.

2. QEMU attack surfaces - from the VM

This part covers the internals of device emulation, one of the largest attack surfaces in QEMU. It includes the virtio devices, which have not been discussed at security conferences so far, and I will talk about the kinds of vulnerabilities found in device emulation.

3. QEMU attack surfaces - from outside

This part covers VNC, SPICE and QMP, which are used to interact with QEMU from outside and can therefore be used for a remote attack.

4. Summary - I will give a summary of the vulnerabilities I and our team have found.

About Qiang Li

Qiang Li is a security researcher in the Gear Team at Qihoo 360, mainly focused on vulnerability discovery and vulnerability analysis. He is currently working on cloud and virtualization security, discovered a lot of vulnerabilities in the last year and has 70+ CVEs now. He has given talks at security conferences, Ruxcon 2017 (Melbourne) and ISC 2016 (Beijing), and will give a talk at CanSecWest 2017 (Canada).

About ZhiBin Hu

ZhiBin Hu is a security researcher in the Gear Team at Qihoo 360. For the last several years he has mainly focused on vulnerability discovery and analysis on Windows, and was ranked in the MSRC top 19 in 2015. In the recent two years he has been interested in cloud security. He has given talks at several conferences, such as Ruxcon 2016 and RootedCON 2017, and will give a talk at CanSecWest 2017.