Hacker News new | ask | show | jobs
by fleventynine 928 days ago
> if I spin up a VM with networking disabled I feel pretty confident I can run anything safely, even malware is not going to escape.

You are putting too much faith in your VM monitor to keep you safe. There's a lot of attack surface in (for example) QEMU peripherals, and there's plenty of examples of VM escape [1]. CrosVM is probably the only publicly available VMM I'd be willing to trust, and even then I'd be nervous running state-sponsored malware on a machine with important data.

[1] https://www.google.com/search?q=qemu+vm+escape
3 comments
bonzini 928 days ago
While QEMU uses C, which is not great, it has on its side 15+ years of hardening by the KVM developers. The problem with QEMU is not so much insecurity, it's that it contains the kitchen sink.

However, most of the exploits you'll find in QEMU are against configurations that are never used in real world virtualization scenarios where guests are untrusted. You can recognize them because hardware not commonly used with untrusted guests does not get a CVE.

For a while, slirp was the remaining major issue because it was used way beyond the original intention. But now it's been tamed and there's also passt, a much higher performance and much more secure implementation of user-mode networking.

link
ungamedplayer 928 days ago
> You can recognize them because hardware not commonly used with untrusted guests does not get a CVE.

This is not true. Even non default configuration of any software or hardware that contains a security vulnerability can get a CVE. It has in the past and will again in the future.

Source: I have assigned over 2000 cves for the kernel.

link
bonzini 928 days ago
Yes, and the policy of QEMU is to not assign CVEs for bugs that would generally be hit only when QEMU is used as a development platform, as opposed to using it to offer virtualization services.

https://www.qemu.org/contribute/security-process/

We are colleagues by the way. :)

link
worthless-trash 928 days ago
> We are colleagues by the way. :)

I'm aware, I see you comment here regularly.

QEMU doesn't have to assign CVE's but any other CNA can. I do not believe that its good security or even good practice to negotiate out of exploitable flaws. Its a dis-service to users.

I don't have enough skin in the game to change upstream QEMU's mind on this, systems in exploitable configurations are just as exploitable with or without a CVE assigned. People with exploitable configurations now just can't find out there is a problem.

link
bonzini 927 days ago
The question is whether something is exploitable or just a crash. It is also a disservice to user to worry them about having to do an immediate update and evacuation of all hosts because of an out of bounds access in Gravis Ultrasound emulation.

Would any crash in GCC be a vulnerability because compilers are fed untrusted source code? Perhaps, but in practice godbolt.org is going to be the only case in which you care.

link
worthless-trash 927 days ago
Crashes are classifed as a denial of service, which is CVE. Imagine how mad any cloud host would be if they found you could crash the host from the guest.

> Would any crash in GCC be a vulnerability because compilers are fed untrusted

> source code? Perhaps, but in practice godbolt.org is going to be the only

> case in which you care.

"Untrusted" is one those other fine lines that makes assigning and rating difficult and not something that is taken lightly. Compiling software as a user with additional capabilities, could escalate an attackers position assuming they can inject code into the tree to be built. It would be easier to abuse 'make' to execute code, however this is different than the qemu use case.

The QMEU "development" case could (and likely is) someones regular runtime use case. I dont see a clean way for the qmeu team to communicate this, and even if they did, privesc is privsec. Until we as an industry have a clear definition of what we will and wont "support" and users are familiar with the expectations, we're stuck with the hand we've been dealt.

Hopefully that all makes sense, none of it is said to antagonise or draw hate.

link
csdvrx 927 days ago
> But now it's been tamed and there's also passt, a much higher performance and much more secure implementation of user-mode networking

In case anyone else needs a link: http://blog.vmsplice.net/2021/10/a-new-approach-to-usermode-...

link
monocasa 928 days ago
I'd probably trust firecracker too since it was designed specifically to avoid qemu's attack surface and runs in production for Amazon.
link
my123 928 days ago
Qemu also runs in production darn near everywhere, especially on Xen.
link
surajrmal 928 days ago
It also happens to be a fork of crosvm
link
monocasa 928 days ago
It is not, but they do share some code.
link
surajrmal 928 days ago
According to their own FAQ it is indeed: https://github.com/firecracker-microvm/firecracker/blob/main...
link
surajrmal 928 days ago
Luckily android is using crosvm
link