From nobody Sun Apr 28 17:27:18 2024 Delivered-To: importer@patchew.org Received-SPF: temperror (zoho.com: Error in retrieving data from DNS) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zohomail.com; spf=temperror (zoho.com: Error in retrieving data from DNS) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=fail(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1557404434; cv=none; d=zoho.com; s=zohoarc; b=bwc5y707NWWXcU2VK4X6f28ij31AMi+VREIxYOzbkrgyJRiyr//BywV/H4UoXARetkpHDSA+GcLcUyS9UUfYEn3pqf/tz+/4ay9Ou1sidz9aXDHWhBhnRjaJv9lGes27g2A8/Yqv9vcM6W/YpuCAt2O1V89K+clghENjKvdnL2w= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zoho.com; s=zohoarc; t=1557404434; h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To:ARC-Authentication-Results; bh=+HMRQ7KxJq0HyjIfwg0lJEsHlXE2WLVy2E2TRVlUIgg=; b=cYup446hOW8SOJr3q6Zb9xuBhGpXe/cVSdH3KnlIv3bpXa3JPzZlADqnpKIwQwjG2UheYp3PIKLJYBuDQQ8tqyboINNLZgJaEiLkDrPtKzvJBxEV5gQzG6H3M7CSJFny3Cy+E256ZSu9XyHNZorJd9zk2OLmTMrHvmVy1Cyew7s= ARC-Authentication-Results: i=1; mx.zoho.com; spf=temperror (zoho.com: Error in retrieving data from DNS) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=fail header.from= (p=none dis=none) header.from= Return-Path: Received: from lists.gnu.org (209.51.188.17 [209.51.188.17]) by mx.zohomail.com with SMTPS id 1557404434523869.744515109814; Thu, 9 May 2019 05:20:34 -0700 (PDT) Received: from localhost ([127.0.0.1]:53544 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1hOi2I-00005V-F1 for importer@patchew.org; Thu, 09 May 2019 08:20:30 -0400 Received: from eggs.gnu.org ([209.51.188.92]:34090) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1hOi0R-0007cS-Mv for qemu-devel@nongnu.org; Thu, 09 May 2019 08:18:38 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1hOi0Q-0004hG-68 for qemu-devel@nongnu.org; Thu, 09 May 2019 08:18:35 -0400 Received: from mx1.redhat.com ([209.132.183.28]:38456) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1hOi0P-0004gi-Sp for qemu-devel@nongnu.org; Thu, 09 May 2019 08:18:34 -0400 Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.phx2.redhat.com [10.5.11.14]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 1CBA03D95E; Thu, 9 May 2019 12:18:33 +0000 (UTC) Received: from localhost (ovpn-117-236.ams2.redhat.com [10.36.117.236]) by smtp.corp.redhat.com (Postfix) with ESMTP id 1E2B15E7A6; Thu, 9 May 2019 12:18:27 +0000 (UTC) From: Stefan Hajnoczi To: qemu-devel@nongnu.org Date: Thu, 9 May 2019 13:18:19 +0100 Message-Id: <20190509121820.16294-2-stefanha@redhat.com> In-Reply-To: <20190509121820.16294-1-stefanha@redhat.com> References: <20190509121820.16294-1-stefanha@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.30]); Thu, 09 May 2019 12:18:33 +0000 (UTC) Content-Transfer-Encoding: quoted-printable X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] X-Received-From: 209.132.183.28 Subject: [Qemu-devel] [PATCH v3 1/2] docs: add Secure Coding Practices to developer docs X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Peter Maydell , =?UTF-8?q?Alex=20Benn=C3=A9e?= , Stefan Hajnoczi , =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= , Stefano Garzarella Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" Content-Type: text/plain; charset="utf-8" At KVM Forum 2018 I gave a presentation on security in QEMU: https://www.youtube.com/watch?v=3DYAdRf_hwxU8 (video) https://vmsplice.net/~stefan/stefanha-kvm-forum-2018.pdf (slides) This patch adds a guide to secure coding practices. This document covers things that developers should know about security in QEMU. It is just a starting point that we can expand on later. I hope it will be useful as a resource for new contributors and will save code reviewers from explaining the same concepts many times. Signed-off-by: Stefan Hajnoczi Acked-by: Stefano Garzarella Reviewed-by: Alex Benn=C3=A9e Reviewed-by: Philippe Mathieu-Daud=C3=A9 Reviewed-by: Daniel P. Berrang=C3=A9 Reviewed-by: Li Qiang --- docs/devel/index.rst | 1 + docs/devel/secure-coding-practices.rst | 106 +++++++++++++++++++++++++ 2 files changed, 107 insertions(+) create mode 100644 docs/devel/secure-coding-practices.rst diff --git a/docs/devel/index.rst b/docs/devel/index.rst index ebbab636ce..2a4ddf40ad 100644 --- a/docs/devel/index.rst +++ b/docs/devel/index.rst @@ -20,3 +20,4 @@ Contents: stable-process testing decodetree + secure-coding-practices diff --git a/docs/devel/secure-coding-practices.rst b/docs/devel/secure-cod= ing-practices.rst new file mode 100644 index 0000000000..cbfc8af67e --- /dev/null +++ b/docs/devel/secure-coding-practices.rst @@ -0,0 +1,106 @@ +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D +Secure Coding Practices +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D +This document covers topics that both developers and security researchers = must +be aware of so that they can develop safe code and audit existing code +properly. + +Reporting Security Bugs +----------------------- +For details on how to report security bugs or ask questions about potential +security bugs, see the `Security Process wiki page +`_. + +General Secure C Coding Practices +--------------------------------- +Most CVEs (security bugs) reported against QEMU are not specific to +virtualization or emulation. They are simply C programming bugs. Therefo= re +it's critical to be aware of common classes of security bugs. + +There is a wide selection of resources available covering secure C coding.= For +example, the `CERT C Coding Standard += `_ +covers the most important classes of security bugs. + +Instead of describing them in detail here, only the names of the most impo= rtant +classes of security bugs are mentioned: + +* Buffer overflows +* Use-after-free and double-free +* Integer overflows +* Format string vulnerabilities + +Some of these classes of bugs can be detected by analyzers. Static analys= is is +performed regularly by Coverity and the most obvious of these bugs are even +reported by compilers. Dynamic analysis is possible with valgrind, tsan, = and +asan. + +Input Validation +---------------- +Inputs from the guest or external sources (e.g. network, files) cannot be +trusted and may be invalid. Inputs must be checked before using them in a= way +that could crash the program, expose host memory to the guest, or otherwis= e be +exploitable by an attacker. + +The most sensitive attack surface is device emulation. All hardware regis= ter +accesses and data read from guest memory must be validated. A typical exa= mple +is a device that contains multiple units that are selectable by the guest = via +an index register:: + + typedef struct { + ProcessingUnit unit[2]; + ... + } MyDeviceState; + + static void mydev_writel(void *opaque, uint32_t addr, uint32_t val) + { + MyDeviceState *mydev =3D opaque; + ProcessingUnit *unit; + + switch (addr) { + case MYDEV_SELECT_UNIT: + unit =3D &mydev->unit[val]; <-- this input wasn't validated! + ... + } + } + +If ``val`` is not in range [0, 1] then an out-of-bounds memory access will= take +place when ``unit`` is dereferenced. The code must check that ``val`` is = 0 or +1 and handle the case where it is invalid. + +Unexpected Device Accesses +-------------------------- +The guest may access device registers in unusual orders or at unexpected +moments. Device emulation code must not assume that the guest follows the +typical "theory of operation" presented in driver writer manuals. The gue= st +may make nonsense accesses to device registers such as starting operations +before the device has been fully initialized. + +A related issue is that device emulation code must be prepared for unexpec= ted +device register accesses while asynchronous operations are in progress. A +well-behaved guest might wait for a completion interrupt before accessing +certain device registers. Device emulation code must handle the case wher= e the +guest overwrites registers or submits further requests before an ongoing +request completes. Unexpected accesses must not cause memory corruption or +leaks in QEMU. + +Invalid device register accesses can be reported with +``qemu_log_mask(LOG_GUEST_ERROR, ...)``. The ``-d guest_errors`` command-= line +option enables these log messages. + +Live Migration +-------------- +Device state can be saved to disk image files and shared with other users. +Live migration code must validate inputs when loading device state so an +attacker cannot gain control by crafting invalid device states. Device st= ate +is therefore considered untrusted even though it is typically generated by= QEMU +itself. + +Guest Memory Access Races +------------------------- +Guests with multiple vCPUs may modify guest RAM while device emulation cod= e is +running. Device emulation code must copy in descriptors and other guest R= AM +structures and only process the local copy. This prevents +time-of-check-to-time-of-use (TOCTOU) race conditions that could cause QEM= U to +crash when a vCPU thread modifies guest RAM while device emulation is +processing it. --=20 2.21.0 From nobody Sun Apr 28 17:27:18 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zohomail.com; spf=pass (zoho.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=fail(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1557404440; cv=none; d=zoho.com; s=zohoarc; b=h74iOR4oRukhoYk8xXZtE5PZOsxXlNI4hd+nQjOYGqPI0ftRf8JR3ftXQ4iML7I8uCLdip/OsdiCjtyfGEXHAkNMcMCRRaR0jdrONKdcP6Z6ELyXzW3XMXwYx3eUmUsFOrn7Ab3OCMxQoqnylITRFp9VkKxgtnX+2nCCFjtmEzc= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zoho.com; s=zohoarc; t=1557404440; h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To:ARC-Authentication-Results; bh=F1LALswyhwCSe2urxtLDeJjSyA/qor8Tu1VTj7fHyq8=; b=WAWM96PrudfI3YaGtPZxCJmY/JV1+UkbUTUh5v8iKT5EM0E2n7dfVlYIER43W9n11LwFiiI5gWzX98pJ9eAYjvZ2uKEKbvXTEymjXFyo197heVmc8/61amPQMjxa+DS/T78HL3f6NjuHM171szf8tPCi4pzfI3EDVrZkq0GTs9I= ARC-Authentication-Results: i=1; mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=fail header.from= (p=none dis=none) header.from= Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1557404440355222.95915112142188; Thu, 9 May 2019 05:20:40 -0700 (PDT) Received: from localhost ([127.0.0.1]:53560 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1hOi2N-0000A0-Mc for importer@patchew.org; Thu, 09 May 2019 08:20:35 -0400 Received: from eggs.gnu.org ([209.51.188.92]:34186) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1hOi0Z-0007hZ-Vi for qemu-devel@nongnu.org; Thu, 09 May 2019 08:18:45 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1hOi0Y-0004oJ-8H for qemu-devel@nongnu.org; Thu, 09 May 2019 08:18:43 -0400 Received: from mx1.redhat.com ([209.132.183.28]:54240) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1hOi0Y-0004no-0G for qemu-devel@nongnu.org; Thu, 09 May 2019 08:18:42 -0400 Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.phx2.redhat.com [10.5.11.15]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 4F743307EAA7; Thu, 9 May 2019 12:18:41 +0000 (UTC) Received: from localhost (ovpn-117-236.ams2.redhat.com [10.36.117.236]) by smtp.corp.redhat.com (Postfix) with ESMTP id 77D605B684; Thu, 9 May 2019 12:18:34 +0000 (UTC) From: Stefan Hajnoczi To: qemu-devel@nongnu.org Date: Thu, 9 May 2019 13:18:20 +0100 Message-Id: <20190509121820.16294-3-stefanha@redhat.com> In-Reply-To: <20190509121820.16294-1-stefanha@redhat.com> References: <20190509121820.16294-1-stefanha@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.15 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.44]); Thu, 09 May 2019 12:18:41 +0000 (UTC) Content-Transfer-Encoding: quoted-printable X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] X-Received-From: 209.132.183.28 Subject: [Qemu-devel] [PATCH v3 2/2] docs: add Security chapter to the documentation X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Peter Maydell , =?UTF-8?q?Alex=20Benn=C3=A9e?= , Stefan Hajnoczi , =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= , Stefano Garzarella Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" Content-Type: text/plain; charset="utf-8" This new chapter in the QEMU documentation covers the security requirements that QEMU is designed to meet and principles for securely deploying QEMU. It is just a starting point that can be extended in the future with more information. Signed-off-by: Stefan Hajnoczi Acked-by: Stefano Garzarella Reviewed-by: Alex Benn=C3=A9e Reviewed-by: Philippe Mathieu-Daud=C3=A9 Reviewed-by: Daniel P. Berrang=C3=A9 Reviewed-by: Li Qiang --- Makefile | 2 +- docs/security.texi | 131 +++++++++++++++++++++++++++++++++++++++++++++ qemu-doc.texi | 3 ++ 3 files changed, 135 insertions(+), 1 deletion(-) create mode 100644 docs/security.texi diff --git a/Makefile b/Makefile index d372493042..e2bc9c8c9d 100644 --- a/Makefile +++ b/Makefile @@ -973,7 +973,7 @@ qemu-doc.html qemu-doc.info qemu-doc.pdf qemu-doc.txt: \ qemu-img.texi qemu-nbd.texi qemu-options.texi qemu-option-trace.texi \ qemu-deprecated.texi qemu-monitor.texi qemu-img-cmds.texi qemu-ga.texi \ qemu-monitor-info.texi docs/qemu-block-drivers.texi \ - docs/qemu-cpu-models.texi + docs/qemu-cpu-models.texi docs/security.texi =20 docs/interop/qemu-ga-ref.dvi docs/interop/qemu-ga-ref.html \ docs/interop/qemu-ga-ref.info docs/interop/qemu-ga-ref.pdf \ diff --git a/docs/security.texi b/docs/security.texi new file mode 100644 index 0000000000..927764f1e6 --- /dev/null +++ b/docs/security.texi @@ -0,0 +1,131 @@ +@node Security +@chapter Security + +@section Overview + +This chapter explains the security requirements that QEMU is designed to m= eet +and principles for securely deploying QEMU. + +@section Security Requirements + +QEMU supports many different use cases, some of which have stricter securi= ty +requirements than others. The community has agreed on the overall security +requirements that users may depend on. These requirements define what is +considered supported from a security perspective. + +@subsection Virtualization Use Case + +The virtualization use case covers cloud and virtual private server (VPS) +hosting, as well as traditional data center and desktop virtualization. T= hese +use cases rely on hardware virtualization extensions to execute guest code +safely on the physical CPU at close-to-native speed. + +The following entities are untrusted, meaning that they may be buggy or +malicious: + +@itemize +@item Guest +@item User-facing interfaces (e.g. VNC, SPICE, WebSocket) +@item Network protocols (e.g. NBD, live migration) +@item User-supplied files (e.g. disk images, kernels, device trees) +@item Passthrough devices (e.g. PCI, USB) +@end itemize + +Bugs affecting these entities are evaluated on whether they can cause dama= ge in +real-world use cases and treated as security bugs if this is the case. + +@subsection Non-virtualization Use Case + +The non-virtualization use case covers emulation using the Tiny Code Gener= ator +(TCG). In principle the TCG and device emulation code used in conjunction= with +the non-virtualization use case should meet the same security requirements= as +the virtualization use case. However, for historical reasons much of the +non-virtualization use case code was not written with these security +requirements in mind. + +Bugs affecting the non-virtualization use case are not considered security +bugs at this time. Users with non-virtualization use cases must not rely = on +QEMU to provide guest isolation or any security guarantees. + +@section Architecture + +This section describes the design principles that ensure the security +requirements are met. + +@subsection Guest Isolation + +Guest isolation is the confinement of guest code to the virtual machine. = When +guest code gains control of execution on the host this is called escaping = the +virtual machine. Isolation also includes resource limits such as throttli= ng of +CPU, memory, disk, or network. Guests must be unable to exceed their reso= urce +limits. + +QEMU presents an attack surface to the guest in the form of emulated devic= es. +The guest must not be able to gain control of QEMU. Bugs in emulated devi= ces +could allow malicious guests to gain code execution in QEMU. At this poin= t the +guest has escaped the virtual machine and is able to act in the context of= the +QEMU process on the host. + +Guests often interact with other guests and share resources with them. A +malicious guest must not gain control of other guests or access their data. +Disk image files and network traffic must be protected from other guests u= nless +explicitly shared between them by the user. + +@subsection Principle of Least Privilege + +The principle of least privilege states that each component only has acces= s to +the privileges necessary for its function. In the case of QEMU this means= that +each process only has access to resources belonging to the guest. + +The QEMU process should not have access to any resources that are inaccess= ible +to the guest. This way the guest does not gain anything by escaping into = the +QEMU process since it already has access to those same resources from with= in +the guest. + +Following the principle of least privilege immediately fulfills guest isol= ation +requirements. For example, guest A only has access to its own disk image = file +@code{a.img} and not guest B's disk image file @code{b.img}. + +In reality certain resources are inaccessible to the guest but must be +available to QEMU to perform its function. For example, host system calls= are +necessary for QEMU but are not exposed to guests. A guest that escapes in= to +the QEMU process can then begin invoking host system calls. + +New features must be designed to follow the principle of least privilege. +Should this not be possible for technical reasons, the security risk must = be +clearly documented so users are aware of the trade-off of enabling the fea= ture. + +@subsection Isolation mechanisms + +Several isolation mechanisms are available to realize this architecture of +guest isolation and the principle of least privilege. With the exception = of +Linux seccomp, these mechanisms are all deployed by management tools that +launch QEMU, such as libvirt. They are also platform-specific so they are= only +described briefly for Linux here. + +The fundamental isolation mechanism is that QEMU processes must run as +unprivileged users. Sometimes it seems more convenient to launch QEMU as +root to give it access to host devices (e.g. @code{/dev/net/tun}) but this= poses a +huge security risk. File descriptor passing can be used to give an otherw= ise +unprivileged QEMU process access to host devices without running QEMU as r= oot. +It is also possible to launch QEMU as a non-root user and configure UNIX g= roups +for access to @code{/dev/kvm}, @code{/dev/net/tun}, and other device nodes. +Some Linux distros already ship with UNIX groups for these devices by defa= ult. + +@itemize +@item SELinux and AppArmor make it possible to confine processes beyond the +traditional UNIX process and file permissions model. They restrict the QE= MU +process from accessing processes and files on the host system that are not +needed by QEMU. + +@item Resource limits and cgroup controllers provide throughput and utiliz= ation +limits on key resources such as CPU time, memory, and I/O bandwidth. + +@item Linux namespaces can be used to make process, file system, and other= system +resources unavailable to QEMU. A namespaced QEMU process is restricted to= only +those resources that were granted to it. + +@item Linux seccomp is available via the QEMU @option{--sandbox} option. = It disables +system calls that are not needed by QEMU, thereby reducing the host kernel +attack surface. +@end itemize diff --git a/qemu-doc.texi b/qemu-doc.texi index ae3c3f9632..577d1e8376 100644 --- a/qemu-doc.texi +++ b/qemu-doc.texi @@ -38,6 +38,7 @@ * QEMU Guest Agent:: * QEMU User space emulator:: * System requirements:: +* Security:: * Implementation notes:: * Deprecated features:: * Supported build platforms:: @@ -2878,6 +2879,8 @@ added with Linux 4.5 which is supported by the major = distros. And even if RHEL7 has kernel 3.10, KVM there has the required functionality there to make it close to a 4.5 or newer kernel. =20 +@include docs/security.texi + @include qemu-tech.texi =20 @include qemu-deprecated.texi --=20 2.21.0