User: Password:
Subscribe / Log in / New account

Xen: finishing the job

Xen: finishing the job

Posted Mar 5, 2009 10:12 UTC (Thu) by dw (subscriber, #12017)
In reply to: Xen: finishing the job by mday_ii
Parent article: Xen: finishing the job

Surely when 'measuring' the security of KVM, one should also take into account the security of Qemu (see for example this paper which is pretty damning).

(Log in to post comments)

Xen: finishing the job

Posted Mar 5, 2009 13:56 UTC (Thu) by mday_ii (✭ supporter ✭, #25315) [Link]

Xen also uses Qemu for device emulation.

Xen: finishing the job

Posted Mar 8, 2009 4:33 UTC (Sun) by landley (guest, #6789) [Link]

You're aware that paper is several years old, right? It doesn't have a clear publication date attached, and you have to read all the way to page 3 to find:

> QEMU 0.8.2 was the latest version available as of this
> writing, which was used in its default configuration.

That was released July 22, 2006. That's about when the 2.6.17 kernel was released. So you're saying "look at all these bugs an old version of the project had". Keeping in mind that the project only _launched_ in 2003, it shouldn't come as a surprise that back when it was only 3 years old it didn't even have working x86-64 support yet (and even x86 had a very restricted and buggy set of hardware it could emulate), so its development community hadn't started paying attention to security auditing device emulations just yet. They were too busy trying to add enough features to make it usable.

I also note that the first place I saw that paper is when it was linked from the qemu development mailing list shortly after it came out, and that's when the developers went "oh, people are trying to use it for honeypots? Ok, we'd better add bounds checking and such then".

The qemu development community has roughly quadrupled in size since then, guesstimating by list traffic and source control commits...

The current qemu is 0.10.0, released March 4th. Among other new features, it integrates kvm support in the base qemu. Just FYI.


Copyright © 2018, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds