QEMU Attack Surface and Security Internals


QEMU is a fundamental part of modern open source virtualization solution, especially in KVM and Xen. As a complete virtualization solution, QEMU should emulate the processor, memory and peripheral device. These makes QEMU very complex and exposes a lot of attack surfaces. In this year, we did a deep vulnerability discovery in QEMU and discovered 60+ vulnerabilities and got 70+ CVE now. We have summarized kinds of the attack surface and vulnerability types in QEMU.

In this presentation, we will talk about the attack surfaces of QEMU and how to discover vulnerabilities in these attack surface. The talk will contain the following parts:

1. A brief introduction to virtualization and qemu/kvm.

2. qemu attack surfaces—from the vm

This will contain the internals of device emulation—one of the most attack surfaces in qemu. This will contain the virtio device, once has not been discussed in security conference. And we will talk about the kinds of vulnerability in device emulation.

3. qemu attack surfaces—from the external

This will contains the vnc/spice/qmp/, these is used to interact with qemu from outside. This can be used to make a remote attack.

4. Summary – We will give a summary of the vulnerabilities our team has found.

Location: BALLROOM 1 Date: August 25, 2017 Time: 3:00 pm - 4:00 pm Qiang Li ZhiBin Hu