CSW2017 Qiang Li, Zhibin Hu, Mei Wang: Dig into QEMU security
TRANSCRIPT
Page 1: Dig into QEMU security
Qiang Li & Zhibin Hu & Mei Wang / Qihoo 360 Gear Team, CanSecWest 2017
Page 2: About us
- Qihoo 360: one of the most famous security companies in China
- Gear Team: mainly focused on cloud security
- Xen, QEMU, OpenSSL, NTP, Firefox, etc.
- A very young and passionate team
- 100+ CVEs last year, 70+ of them from QEMU
Page 3: Agenda
- QEMU introduction
- QEMU attack surfaces
- Attack from internal
- Attack from external
- Thoughts in QEMU security study
Page 4: QEMU introduction
Page 5: QEMU introduction
- QEMU is a widely used emulator; it can do full-system or user-mode emulation
- Implemented in software
- Accelerated by KVM/Xen
Page 6: QEMU introduction
- QEMU is a normal user-mode process
- QEMU's virtual address space is used as the guest's RAM
- QEMU's threads act as the guest's vCPUs
Page 7: QEMU introduction
- QEMU communicates with KVM through the kvm character device (/dev/kvm)
- Generally, guest code runs directly on the native CPU
- When the guest executes a sensitive instruction, the CPU traps into KVM with a VM exit and control transfers from the guest to KVM
- If the exit is an I/O event, KVM hands it back to QEMU to handle
Page 8: QEMU attack surfaces
Page 9: QEMU attack surfaces
- Most security issues are caused by handling untrusted data incorrectly
- The important thing is the data flow and what data we can control
- Data from internal: mainly from the guests, mostly through the guest's device emulators
- Data from external: VNC, SPICE, QMP, etc.
Page 10: QEMU attack surfaces - from internal
- Device emulation in QEMU has lots of vulnerabilities, including some critical ones
- Full emulation is discussed a lot, but virtio is not; virtio is very useful for improving performance, and we will talk about virtio later
- For convenience, most virtualization products install an agent in the guest; QEMU has its guest agent (qga), which is less powerful than VMware Tools and less vulnerable
Page 11: QEMU attack surfaces - from external
- VNC is used for remote desktop access, not only in VMs
- SPICE is like VNC but is usually used for remote access to VMs; it contains four parts: protocol, client, server, guest
- QEMU Machine Protocol (QMP): a lightweight, text-based protocol that allows applications to interact with QEMU
- Malicious images
Page 12: Attack from internal
Page 13: Attack from internal - device emulation
- QEMU device emulators are the biggest source of vulnerabilities
- Full virtualization / paravirtualization
- Third-party library drivers, like virglrenderer
Page 14: Attack from internal - device emulation
- Most of the devices are based on software emulation
- The guest is unaware of the underlying virtualization environment, so QEMU has to do a lot of work to implement it
- There are many devices that must be emulated, such as different kinds of disks, network cards, etc.
Page 15: Attack from internal - device emulation
- PCI devices expose BARs (Base Address Registers) to the OS so the OS can interact with the device; QEMU has to provide this layer in its device emulation as well
- The guest OS interacts with the device by reading and writing the BARs registered by the device; these operations trap into KVM and are dispatched back to the QEMU callback handlers that were registered when the device was initialized
Page 16: Attack from internal - device emulation
- If we don't consider KVM, just regard it as a simple proxy
- Guest data is untrusted and can be malicious, and it will cause vulnerabilities in QEMU
- The data flow simplifies to: Guest -> QEMU
Page 17: Attack from internal - device emulation
- Two types of BARs: I/O port and MMIO
- We can read/write I/O ports / MMIO to trigger flaws in QEMU
- A malicious kernel module can act as a device driver by reading or writing the device's BARs
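Page 17's "kernel module reading or writing its BARs" has a user-space equivalent on Linux guests that is handy for poking at an emulated device without writing a driver: the kernel exports each BAR's range and type in /sys/bus/pci/devices/<bdf>/resource and lets root mmap an MMIO BAR through resourceN. The following is an added example, not from the slides: a parser for the resource file (so the code can tell a port I/O BAR from an MMIO one) and an MMIO register read through that mmap, every access to which ends in the QEMU device's read callback. The device path and the sample resource text are constructed for this example.

```c
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Resource flag bits the kernel prints in /sys/bus/pci/devices/<bdf>/resource
 * (values from linux/ioport.h). */
#define IORESOURCE_IO   0x00000100
#define IORESOURCE_MEM  0x00000200

struct bar { uint64_t start, end, flags; };

/* Parse the text of a sysfs "resource" file: one "start end flags" line per
 * BAR in hex, all zeros for an unused slot.  Returns the number of lines read. */
int parse_pci_resource(const char *text, struct bar *bars, int max)
{
    int n = 0;
    const char *p = text;
    while (n < max && *p) {
        unsigned long long s, e, f;
        if (sscanf(p, "%llx %llx %llx", &s, &e, &f) != 3)
            break;
        bars[n].start = s;
        bars[n].end = e;
        bars[n].flags = f;
        n++;
        p = strchr(p, '\n');
        if (!p)
            break;
        p++;
    }
    return n;
}

/* 'I' for a port I/O BAR (reached with ioperm()/outb() or /dev/port),
 * 'M' for an MMIO BAR (mmap of resourceN), '-' for an unused slot. */
char bar_kind(const struct bar *b)
{
    if (b->flags & IORESOURCE_IO)  return 'I';
    if (b->flags & IORESOURCE_MEM) return 'M';
    return '-';
}

uint64_t bar_size(const struct bar *b)
{
    return (b->start == 0 && b->end == 0) ? 0 : b->end - b->start + 1;
}

/* Read a 32-bit register at `offset` in MMIO BAR `idx` of device `bdf` by
 * mmapping /sys/bus/pci/devices/<bdf>/resource<idx> (root only).  Inside a
 * QEMU guest each access to this mapping is a VM exit that ends in the
 * emulated device's MMIO read callback.  Returns 0 on success, -1 on error. */
int bar_mmio_read32(const char *bdf, int idx, uint64_t offset, uint32_t *value)
{
    char path[128];
    snprintf(path, sizeof path, "/sys/bus/pci/devices/%s/resource%d", bdf, idx);
    int fd = open(path, O_RDWR | O_SYNC);
    if (fd < 0)
        return -1;
    uint64_t page = (uint64_t)sysconf(_SC_PAGESIZE);
    uint64_t base = offset & ~(page - 1);
    void *map = mmap(NULL, page, PROT_READ | PROT_WRITE, MAP_SHARED, fd, (off_t)base);
    close(fd);
    if (map == MAP_FAILED)
        return -1;
    *value = *(volatile uint32_t *)((uint8_t *)map + (offset - base));
    munmap(map, page);
    return 0;
}

/* Constructed sample in the sysfs format: a 128 KiB MMIO BAR 0, a 64-byte
 * port I/O BAR 1 and an unused BAR 2 (addresses made up for this example). */
const char sample_resource[] =
    "0x00000000febc0000 0x00000000febdffff 0x0000000000040200\n"
    "0x000000000000c000 0x000000000000c03f 0x0000000000040101\n"
    "0x0000000000000000 0x0000000000000000 0x0000000000000000\n";
```

Typical use is `bar_mmio_read32("0000:00:03.0", 0, 0x8, &v)` after checking that BAR 0 is of kind 'M'; a write is the mirror image with a store through the same mapping. This reaches the same registers a kernel module would touch via pci_iomap(), so the guest-side half of the attack surface on page 15 needs no kernel code at all.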
Page 18: Attack from internal - example
- We found a flaw in the Cirrus VGA device emulation
- It is triggered when the VGA copies data by BitBlt in backward mode
- We can use it to do OOB read/write
Page 19: Attack from internal - example
This is the patch for this bug: when calculating the min variable, it forgot to subtract s->cirrus_blt_width, which causes the OOB read/write.
This is the execution flow: when the guest writes to a VGA I/O port, KVM dispatches the I/O event to QEMU's Cirrus VGA device.
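The bug on pages 18-19 in a form that can be run, as an added example that reconstructs the check from the slide's description rather than quoting QEMU: a backward BitBlt writes each row of blt_width bytes downwards from the start address and advances rows by a negative pitch, so the lowest byte it touches is addr + (height-1)*pitch - (width-1). The original check computed min from the pitch alone and never subtracted the width; the fixed one does, and also rejects a start address already outside VRAM. Field names follow QEMU's CirrusVGAState, but the struct, both functions and the geometry helper are this example's simplification.

```c
#include <stdbool.h>
#include <stdint.h>

/* Blitter state a guest programs through the Cirrus I/O ports; only the
 * fields the region check needs are modelled here. */
struct cirrus_blt {
    uint32_t vram_size;      /* bytes of emulated VRAM */
    int32_t  blt_width;      /* bytes per row */
    int32_t  blt_height;     /* rows */
};

/* Lowest VRAM offset a backward blit really touches: each row is written
 * from `addr` downwards (width bytes), rows advance by the negative pitch. */
int64_t bkwd_blit_lowest(const struct cirrus_blt *s, int32_t pitch, int32_t addr)
{
    return (int64_t)addr + ((int64_t)s->blt_height - 1) * pitch - (s->blt_width - 1);
}

/* The check as the slide describes it before the fix: `min` is the start of
 * the last row, but the width of that row is never subtracted. */
bool blit_region_is_unsafe_old(const struct cirrus_blt *s, int32_t pitch, int32_t addr)
{
    if (!pitch)
        return true;
    if (pitch < 0) {
        int64_t min = (int64_t)addr + ((int64_t)s->blt_height - 1) * pitch;
        int64_t max = (int64_t)addr + s->blt_width;
        return min < 0 || max > s->vram_size;
    }
    int64_t max = (int64_t)addr + ((int64_t)s->blt_height - 1) * pitch + s->blt_width;
    return max > s->vram_size;
}

/* Fixed check: subtract the row width so `min` is one below the lowest byte
 * written, and make sure the start address itself lies inside VRAM. */
bool blit_region_is_unsafe_fixed(const struct cirrus_blt *s, int32_t pitch, int32_t addr)
{
    if (!pitch)
        return true;
    if (pitch < 0) {
        int64_t min = (int64_t)addr + ((int64_t)s->blt_height - 1) * pitch - s->blt_width;
        return min < -1 || addr >= (int64_t)s->vram_size;
    }
    int64_t max = (int64_t)addr + ((int64_t)s->blt_height - 1) * pitch + s->blt_width;
    return max > s->vram_size;
}
```

With a single 16-byte row blitted backwards from offset 0, the old check sees min = 0 and accepts the operation, while the copy loop walks 15 bytes below the VRAM buffer into the QEMU heap; the fixed check computes min = -16 and refuses. The same blit started at offset 15 stays inside VRAM and both versions accept it, which is why the threshold is -1 rather than 0.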
Page 20: Attack from internal - virtio
- Virtio is for I/O paravirtualization
- It has a front-end in the guest and a back-end in QEMU
- They exchange data through the vring mechanism
Page 21: Attack from internal - virtio
- The guest adds data to the vring's in-buffer; when the data is ready, it triggers a kick to notify QEMU
- QEMU receives the notification, pulls the data from the guest and processes it
- After QEMU has completely handled the request, it pushes the result to the vring's out-buffer
- A malicious guest can write corrupt data to QEMU through the vring
Page 22: Attack from internal - virtio
- Every virtio device has one or more virtqueues, and every virtqueue has a handler to process data
- During device creation, the device registers the handler with the virtqueue
- In the callback, it pops the request from the guest and then processes it
- Every virtio device has the same data processing model
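The pop-and-check step from pages 21-22, as an added example rather than QEMU's own virtqueue_pop(): a walk over one split-ring descriptor chain in a guest-RAM model that validates every guest-controlled field before use, i.e. the head and next indices against the queue size, each buffer against guest RAM with overflow-safe arithmetic, the chain length against the table size (which catches a cycle), and the order of device-readable and device-writable descriptors. The descriptor layout and flag bits are the virtio split-ring ones; the guest RAM block, the error codes and the scenarios in vring_demo_case() are constructed for this example.

```c
#include <stdint.h>
#include <string.h>

#define VRING_DESC_F_NEXT  1
#define VRING_DESC_F_WRITE 2

struct vring_desc {            /* split-ring descriptor, virtio spec layout */
    uint64_t addr;             /* guest-physical address of the buffer */
    uint32_t len;
    uint16_t flags;
    uint16_t next;             /* index of the next descriptor if F_NEXT */
};

struct iov { uint64_t gpa; uint32_t len; int writable; };

/* Error codes of this example. */
enum { ERR_TABLE = -1, ERR_BAD_HEAD = -2, ERR_BAD_INDEX = -3, ERR_BAD_ADDR = -4,
       ERR_LOOP = -5, ERR_ORDER = -6 };

/* Guest RAM model: one contiguous block mapped at guest-physical 0. */
struct guest_ram { uint8_t *base; uint64_t size; };

/* Is [gpa, gpa + len) inside guest RAM?  Written so gpa + len cannot wrap. */
static int gpa_range_ok(const struct guest_ram *ram, uint64_t gpa, uint64_t len)
{
    return len <= ram->size && gpa <= ram->size - len;
}

/* Collect the chain that starts at `head` into `out`, checking every
 * guest-controlled field first.  Returns the descriptor count or an error. */
int vring_walk_chain(const struct guest_ram *ram, uint64_t table_gpa,
                     uint16_t queue_size, uint16_t head,
                     struct iov *out, unsigned out_max)
{
    if (!gpa_range_ok(ram, table_gpa, (uint64_t)queue_size * sizeof(struct vring_desc)))
        return ERR_TABLE;
    if (head >= queue_size)
        return ERR_BAD_HEAD;

    unsigned n = 0;
    int seen_writable = 0;
    uint16_t idx = head;
    for (;;) {
        struct vring_desc d;
        /* Copy once: the guest can rewrite the table while we look at it,
         * so every check and every later use must go through this copy. */
        memcpy(&d, ram->base + table_gpa + (uint64_t)idx * sizeof d, sizeof d);

        if (!gpa_range_ok(ram, d.addr, d.len))
            return ERR_BAD_ADDR;             /* buffer outside guest RAM */
        int writable = (d.flags & VRING_DESC_F_WRITE) != 0;
        if (!writable && seen_writable)
            return ERR_ORDER;                /* readable after writable */
        seen_writable |= writable;

        if (n < out_max) {
            out[n].gpa = d.addr;
            out[n].len = d.len;
            out[n].writable = writable;
        }
        if (++n > queue_size)
            return ERR_LOOP;                 /* longer than the table: a cycle */
        if (!(d.flags & VRING_DESC_F_NEXT))
            return (int)n;
        idx = d.next;
        if (idx >= queue_size)
            return ERR_BAD_INDEX;            /* next points outside the table */
    }
}

/* Write descriptor `i` into the table in guest RAM (what a guest driver does). */
void vring_set_desc(struct guest_ram *ram, uint64_t table_gpa, uint16_t i,
                    uint64_t addr, uint32_t len, uint16_t flags, uint16_t next)
{
    struct vring_desc d = { addr, len, flags, next };
    memcpy(ram->base + table_gpa + (uint64_t)i * sizeof d, &d, sizeof d);
}

/* Constructed scenarios: one well-formed chain and several malicious ones. */
static uint8_t demo_ram_buf[65536];

int vring_demo_case(int which)
{
    struct guest_ram ram = { demo_ram_buf, sizeof demo_ram_buf };
    const uint64_t table = 0x1000;
    const uint16_t qsz = 8;
    struct iov iov[8];
    memset(demo_ram_buf, 0, sizeof demo_ram_buf);
    vring_set_desc(&ram, table, 0, 0x2000, 64, VRING_DESC_F_NEXT, 1);     /* request header */
    vring_set_desc(&ram, table, 1, 0x3000, 128, VRING_DESC_F_WRITE, 0);   /* reply buffer */
    vring_set_desc(&ram, table, 2, 0xFFFFFFFFFFFFFFF0ull, 64, 0, 0);      /* addr wraps past RAM */
    vring_set_desc(&ram, table, 3, 0x2000, 16, VRING_DESC_F_NEXT, 3);     /* points at itself */
    vring_set_desc(&ram, table, 4, 0x2000, 16, VRING_DESC_F_NEXT, 200);   /* next beyond table */
    vring_set_desc(&ram, table, 5, 0x2000, 16, VRING_DESC_F_WRITE | VRING_DESC_F_NEXT, 6);
    vring_set_desc(&ram, table, 6, 0x2000, 16, 0, 0);                     /* readable after writable */
    switch (which) {
    case 0:  return vring_walk_chain(&ram, table, qsz, 0, iov, 8);
    case 1:  return vring_walk_chain(&ram, table, qsz, 2, iov, 8);
    case 2:  return vring_walk_chain(&ram, table, qsz, 3, iov, 8);
    case 3:  return vring_walk_chain(&ram, table, qsz, 4, iov, 8);
    case 4:  return vring_walk_chain(&ram, table, qsz, 5, iov, 8);
    default: return vring_walk_chain(&ram, table, qsz, 9, iov, 8);
    }
}
```

The point of the private copy is that the ring lives in guest RAM, which is QEMU's own address space (page 6): a check made on the shared table and a later use of the same field are two reads the guest can race. Every virtio back-end repeats this walk, which is why page 22 says they all share one data processing model and why a mistake in it is reachable from every device built on it.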
Page 23: Attack from internal - example
- VirtFS is a paravirtualized filesystem used to share files between host and guest
- It uses the virtio model: we can see a v9fs client in the guest and a v9fs server in QEMU, and they exchange data through the vring
Page 24: Attack from internal - example
- v9fs has a virtqueue handler for every request, like the v9fs_read function
- It unmarshals the arguments from the guest, and the most important thing is that the arguments are totally controlled by the guest
- A vulnerability occurs if the handler fails to do its sanity checking carefully
Page 25: Attack from internal - example
We found a flaw in the v9fs server. It is an integer overflow bug: write_count is a signed integer, but off and count are unsigned; when they are subtracted the result overflows, which then triggers a buffer overflow via memcpy.
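The arithmetic on page 25, as an added example (a model of the slide's description, not QEMU's v9fs_xattr_write()): write_count is signed, off and count are unsigned, and the subtraction is performed before the offset has been validated. The vulnerable computation is placed next to a hardened one and a complete bounded write built on it; the function names and the -1 error code are this example's.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#include <sys/types.h>

/* Length computation as the slide describes the bug.  With off > len the
 * subtraction wraps and the value stored in the signed write_count is
 * negative; compared against count as unsigned it is huge, so it is clamped
 * to count, and the handler goes on to memcpy() count bytes at value + off,
 * past the end of the heap buffer.  Returns what that memcpy would copy. */
ssize_t xattr_write_count_old(uint64_t len, uint64_t off, size_t count)
{
    ssize_t write_count = (ssize_t)(len - off);   /* wraps when off > len */
    if ((size_t)write_count > count)               /* signed/unsigned compare */
        write_count = (ssize_t)count;
    return write_count;
}

/* Hardened version: refuse an offset beyond the value before subtracting,
 * then clamp the length in unsigned arithmetic.  -1 means "refused". */
ssize_t xattr_write_count_fixed(uint64_t len, uint64_t off, size_t count)
{
    if (off > len)
        return -1;
    uint64_t room = len - off;
    return (ssize_t)(room < count ? room : count);
}

/* Overflow-safe check that a copy of n bytes at off stays inside len bytes. */
bool write_in_bounds(uint64_t len, uint64_t off, ssize_t n)
{
    return n >= 0 && off <= len && (uint64_t)n <= len - off;
}

/* A complete write handler on top of the fixed computation: copies into the
 * xattr value (len bytes) and returns the byte count, or -1 when the guest's
 * offset is beyond the buffer. */
ssize_t xattr_write_fixed(uint8_t *value, uint64_t len, uint64_t off,
                          const uint8_t *data, size_t count)
{
    ssize_t n = xattr_write_count_fixed(len, off, count);
    if (n < 0)
        return -1;
    memcpy(value + off, data, (size_t)n);
    return n;
}
```

For a 16-byte value and a guest request to write 8 bytes at offset 32, the old computation yields 8, and write_in_bounds() confirms that copy would land entirely outside the buffer; the fixed computation refuses. Requests inside the value, including one that runs over the end and is clamped, behave identically in both versions, which is what makes the bug easy to miss in review.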
Page 26: Attack from internal - third party library
- QEMU uses some third-party libraries, for example in the virtio GPU device
- virglrenderer is a third-party library that QEMU's GPU device uses to accelerate 3D rendering
- We found a lot of vulnerabilities in this library: CVE-2017-6386, CVE-2017-6355, CVE-2017-6317, CVE-2017-6210, CVE-2017-6209, CVE-2017-5994, CVE-2017-5993, CVE-2017-5957, CVE-2017-5956, CVE-2016-10214, CVE-2017-5937, CVE-2016-10163, CVE-2017-5580
Page 27: Attack from internal - third party library
The functions in the red box were found to have vulnerabilities because they failed to check the data carefully.
Let us recall the framework of virtio in the left picture.
Page 28: Attack from external
Page 29: Attack from external - VNC
- VNC is a desktop sharing system based on the RFB protocol
- QEMU has a built-in VNC server
- Several vulnerabilities have been found in this module
Page 30: Attack from external - example
We found a DoS bug in the VNC module. When we set red_max to zero, it crashes QEMU via a divide by zero.
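The client-controlled pixel format from page 30, as an added example that is not QEMU's VNC code: a parser for the RFB SetPixelFormat message (RFC 6143, section 7.5.1) followed by the validation a server should apply before deriving anything from the format. A red-max (or green-max, blue-max) of zero, the value behind the slide's divide-by-zero, is rejected together with every other maximum that is not of the form 2^n-1, since all the mask, shift and scaling arithmetic downstream assumes that shape. The two sample messages are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* PIXEL_FORMAT as carried in the RFB SetPixelFormat message. */
struct pixel_format {
    uint8_t  bits_per_pixel, depth, big_endian, true_colour;
    uint16_t red_max, green_max, blue_max;
    uint8_t  red_shift, green_shift, blue_shift;
};

#define RFB_SET_PIXEL_FORMAT_LEN 20  /* 1 type + 3 padding + 16 PIXEL_FORMAT */

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Parse a SetPixelFormat message from the client.  Only length and message
 * type are checked here; every field is still untrusted afterwards. */
bool rfb_parse_set_pixel_format(const uint8_t *msg, size_t len, struct pixel_format *pf)
{
    if (len < RFB_SET_PIXEL_FORMAT_LEN || msg[0] != 0)
        return false;
    const uint8_t *p = msg + 4;          /* skip message type and padding */
    pf->bits_per_pixel = p[0];
    pf->depth = p[1];
    pf->big_endian = p[2];
    pf->true_colour = p[3];
    pf->red_max = be16(p + 4);
    pf->green_max = be16(p + 6);
    pf->blue_max = be16(p + 8);
    pf->red_shift = p[10];
    pf->green_shift = p[11];
    pf->blue_shift = p[12];
    return true;
}

/* A channel maximum must be non-zero and of the form 2^n - 1. */
static bool channel_max_ok(uint16_t m) { return m != 0 && ((m + 1u) & m) == 0; }

/* Reject a client pixel format before any converter is built from it. */
bool rfb_pixel_format_ok(const struct pixel_format *pf)
{
    if (pf->bits_per_pixel != 8 && pf->bits_per_pixel != 16 && pf->bits_per_pixel != 32)
        return false;
    if (!pf->true_colour)                /* colour-map formats not supported here */
        return false;
    if (!channel_max_ok(pf->red_max) || !channel_max_ok(pf->green_max) ||
        !channel_max_ok(pf->blue_max))
        return false;
    if (pf->red_shift >= pf->bits_per_pixel || pf->green_shift >= pf->bits_per_pixel ||
        pf->blue_shift >= pf->bits_per_pixel)
        return false;
    return true;
}

/* Encode one server pixel (8 bits per channel) in the client's format; only
 * meaningful after rfb_pixel_format_ok() returned true. */
uint32_t rfb_encode_pixel(const struct pixel_format *pf, uint8_t r, uint8_t g, uint8_t b)
{
    uint32_t rv = (uint32_t)r * pf->red_max / 255;
    uint32_t gv = (uint32_t)g * pf->green_max / 255;
    uint32_t bv = (uint32_t)b * pf->blue_max / 255;
    return (rv << pf->red_shift) | (gv << pf->green_shift) | (bv << pf->blue_shift);
}

/* Constructed client messages: a normal 32bpp RGB888 request, and the same
 * request with red-max set to zero. */
const uint8_t sample_set_pixel_format_ok[RFB_SET_PIXEL_FORMAT_LEN] = {
    0, 0, 0, 0,                           /* SetPixelFormat, padding */
    32, 24, 0, 1,                         /* bpp, depth, little-endian, true-colour */
    0x00, 0xff, 0x00, 0xff, 0x00, 0xff,   /* red/green/blue max = 255 */
    16, 8, 0,                             /* red/green/blue shift */
    0, 0, 0 };
const uint8_t sample_set_pixel_format_zero_red[RFB_SET_PIXEL_FORMAT_LEN] = {
    0, 0, 0, 0, 32, 24, 0, 1, 0x00, 0x00, 0x00, 0xff, 0x00, 0xff, 16, 8, 0, 0, 0, 0 };
```

Parsing and validation are deliberately separate so that the parser stays a pure description of the wire format and the policy (which formats the server will serve) lives in one function that can be extended without touching the byte offsets.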
Page 31: Attack from external - SPICE
- SPICE is another way of remotely accessing a guest
- It has four parts: protocol, client, server and guest
- Vulnerabilities can exist in several places:
  - QXL driver in guest -> QXL device in QEMU
  - SPICE client -> SPICE server in QEMU
Page 32: Attack from external - example
We discovered this issue on our own, but someone had already found it. This issue can be triggered by a remote client. When a client connects to the SPICE server in QEMU, it calls the reds_handle_read_link_done function; the link_mess variable is the packet pointer, and num_channel_caps and num_common_caps are all controlled by the remote client, so it can trigger an integer overflow and then cause memory corruption.
Page 33: Attack from external - QMP
- HMP/QMP are used to interact with QEMU
- Lightweight, text-based data format
- Very useful, e.g. for capabilities negotiation, device hotplug/unplug, ...
Page 34: Attack from external - example
We found a flaw in the HMP module: it triggers an out-of-range array access, which then causes memory corruption.
Page 35: Thoughts in QEMU security study
Page 36: Thoughts in QEMU security study
- Code audit by people, i.e. code review: limited by energy, brain memory, associative ability, ...
- Fuzzing: limited by its comprehension of program behavior, ...
- Both ways have shortcomings
Page 37: Thoughts in QEMU security study
- Fuzzing is using a model to repeatedly try and learn
- Sometimes we can't establish the model or implement it
- So we would say "this flaw cannot be found by fuzzing"
Page 38: Thoughts in QEMU security study
- The most efficient way to find bugs is: knowledge + fuzzing
- AFL just knows a little more about how the program runs, but it is far more efficient than dumb fuzzers
- Knowledge is important, fuzzing is efficient, and the combination is complex: we are continuing to improve our methods to find bugs, and may share new studies in the future
Page 39: Thank you
Qiang Li && Zhibin Hu && Mei Wang
Gear Team, Qihoo 360 Inc