1e9d95d01SStefan Hajnoczi======================= 2e9d95d01SStefan HajnocziSecure Coding Practices 3e9d95d01SStefan Hajnoczi======================= 4e9d95d01SStefan HajnocziThis document covers topics that both developers and security researchers must 5e9d95d01SStefan Hajnoczibe aware of so that they can develop safe code and audit existing code 6e9d95d01SStefan Hajnocziproperly. 7e9d95d01SStefan Hajnoczi 8e9d95d01SStefan HajnocziReporting Security Bugs 9e9d95d01SStefan Hajnoczi----------------------- 10e9d95d01SStefan HajnocziFor details on how to report security bugs or ask questions about potential 11e9d95d01SStefan Hajnoczisecurity bugs, see the `Security Process wiki page 12e9d95d01SStefan Hajnoczi<https://wiki.qemu.org/SecurityProcess>`_. 13e9d95d01SStefan Hajnoczi 14e9d95d01SStefan HajnocziGeneral Secure C Coding Practices 15e9d95d01SStefan Hajnoczi--------------------------------- 16e9d95d01SStefan HajnocziMost CVEs (security bugs) reported against QEMU are not specific to 17e9d95d01SStefan Hajnoczivirtualization or emulation. They are simply C programming bugs. Therefore 18e9d95d01SStefan Hajnocziit's critical to be aware of common classes of security bugs. 19e9d95d01SStefan Hajnoczi 20e9d95d01SStefan HajnocziThere is a wide selection of resources available covering secure C coding. For 21e9d95d01SStefan Hajnocziexample, the `CERT C Coding Standard 22e9d95d01SStefan Hajnoczi<https://wiki.sei.cmu.edu/confluence/display/c/SEI+CERT+C+Coding+Standard>`_ 23e9d95d01SStefan Hajnoczicovers the most important classes of security bugs. 24e9d95d01SStefan Hajnoczi 25e9d95d01SStefan HajnocziInstead of describing them in detail here, only the names of the most important 26e9d95d01SStefan Hajnocziclasses of security bugs are mentioned: 27e9d95d01SStefan Hajnoczi 28e9d95d01SStefan Hajnoczi* Buffer overflows 29e9d95d01SStefan Hajnoczi* Use-after-free and double-free 30e9d95d01SStefan Hajnoczi* Integer overflows 31e9d95d01SStefan Hajnoczi* Format string vulnerabilities 32e9d95d01SStefan Hajnoczi 33e9d95d01SStefan HajnocziSome of these classes of bugs can be detected by analyzers. Static analysis is 34e9d95d01SStefan Hajnocziperformed regularly by Coverity and the most obvious of these bugs are even 35e9d95d01SStefan Hajnoczireported by compilers. Dynamic analysis is possible with valgrind, tsan, and 36e9d95d01SStefan Hajnocziasan. 37e9d95d01SStefan Hajnoczi 38e9d95d01SStefan HajnocziInput Validation 39e9d95d01SStefan Hajnoczi---------------- 40e9d95d01SStefan HajnocziInputs from the guest or external sources (e.g. network, files) cannot be 41e9d95d01SStefan Hajnoczitrusted and may be invalid. Inputs must be checked before using them in a way 42e9d95d01SStefan Hajnoczithat could crash the program, expose host memory to the guest, or otherwise be 43e9d95d01SStefan Hajnocziexploitable by an attacker. 44e9d95d01SStefan Hajnoczi 45e9d95d01SStefan HajnocziThe most sensitive attack surface is device emulation. All hardware register 46e9d95d01SStefan Hajnocziaccesses and data read from guest memory must be validated. A typical example 47e9d95d01SStefan Hajnocziis a device that contains multiple units that are selectable by the guest via 48e9d95d01SStefan Hajnoczian index register:: 49e9d95d01SStefan Hajnoczi 50e9d95d01SStefan Hajnoczi typedef struct { 51e9d95d01SStefan Hajnoczi ProcessingUnit unit[2]; 52e9d95d01SStefan Hajnoczi ... 53e9d95d01SStefan Hajnoczi } MyDeviceState; 54e9d95d01SStefan Hajnoczi 55e9d95d01SStefan Hajnoczi static void mydev_writel(void *opaque, uint32_t addr, uint32_t val) 56e9d95d01SStefan Hajnoczi { 57e9d95d01SStefan Hajnoczi MyDeviceState *mydev = opaque; 58e9d95d01SStefan Hajnoczi ProcessingUnit *unit; 59e9d95d01SStefan Hajnoczi 60e9d95d01SStefan Hajnoczi switch (addr) { 61e9d95d01SStefan Hajnoczi case MYDEV_SELECT_UNIT: 62e9d95d01SStefan Hajnoczi unit = &mydev->unit[val]; <-- this input wasn't validated! 63e9d95d01SStefan Hajnoczi ... 64e9d95d01SStefan Hajnoczi } 65e9d95d01SStefan Hajnoczi } 66e9d95d01SStefan Hajnoczi 67e9d95d01SStefan HajnocziIf ``val`` is not in range [0, 1] then an out-of-bounds memory access will take 68e9d95d01SStefan Hajnocziplace when ``unit`` is dereferenced. The code must check that ``val`` is 0 or 69e9d95d01SStefan Hajnoczi1 and handle the case where it is invalid. 70e9d95d01SStefan Hajnoczi 71e9d95d01SStefan HajnocziUnexpected Device Accesses 72e9d95d01SStefan Hajnoczi-------------------------- 73e9d95d01SStefan HajnocziThe guest may access device registers in unusual orders or at unexpected 74e9d95d01SStefan Hajnoczimoments. Device emulation code must not assume that the guest follows the 75e9d95d01SStefan Hajnoczitypical "theory of operation" presented in driver writer manuals. The guest 76e9d95d01SStefan Hajnoczimay make nonsense accesses to device registers such as starting operations 77e9d95d01SStefan Hajnoczibefore the device has been fully initialized. 78e9d95d01SStefan Hajnoczi 79e9d95d01SStefan HajnocziA related issue is that device emulation code must be prepared for unexpected 80e9d95d01SStefan Hajnoczidevice register accesses while asynchronous operations are in progress. A 81e9d95d01SStefan Hajnocziwell-behaved guest might wait for a completion interrupt before accessing 82e9d95d01SStefan Hajnoczicertain device registers. Device emulation code must handle the case where the 83e9d95d01SStefan Hajnocziguest overwrites registers or submits further requests before an ongoing 84e9d95d01SStefan Hajnoczirequest completes. Unexpected accesses must not cause memory corruption or 85e9d95d01SStefan Hajnoczileaks in QEMU. 86e9d95d01SStefan Hajnoczi 87e9d95d01SStefan HajnocziInvalid device register accesses can be reported with 88e9d95d01SStefan Hajnoczi``qemu_log_mask(LOG_GUEST_ERROR, ...)``. The ``-d guest_errors`` command-line 89e9d95d01SStefan Hajnoczioption enables these log messages. 90e9d95d01SStefan Hajnoczi 91e9d95d01SStefan HajnocziLive Migration 92e9d95d01SStefan Hajnoczi-------------- 93e9d95d01SStefan HajnocziDevice state can be saved to disk image files and shared with other users. 94e9d95d01SStefan HajnocziLive migration code must validate inputs when loading device state so an 95e9d95d01SStefan Hajnocziattacker cannot gain control by crafting invalid device states. Device state 96e9d95d01SStefan Hajnocziis therefore considered untrusted even though it is typically generated by QEMU 97e9d95d01SStefan Hajnocziitself. 98e9d95d01SStefan Hajnoczi 99e9d95d01SStefan HajnocziGuest Memory Access Races 100e9d95d01SStefan Hajnoczi------------------------- 101e9d95d01SStefan HajnocziGuests with multiple vCPUs may modify guest RAM while device emulation code is 102e9d95d01SStefan Hajnoczirunning. Device emulation code must copy in descriptors and other guest RAM 103e9d95d01SStefan Hajnoczistructures and only process the local copy. This prevents 104e9d95d01SStefan Hajnoczitime-of-check-to-time-of-use (TOCTOU) race conditions that could cause QEMU to 105e9d95d01SStefan Hajnoczicrash when a vCPU thread modifies guest RAM while device emulation is 106e9d95d01SStefan Hajnocziprocessing it. 107*b317006aSPhilippe Mathieu-Daudé 108*b317006aSPhilippe Mathieu-DaudéUse of null-co block drivers 109*b317006aSPhilippe Mathieu-Daudé---------------------------- 110*b317006aSPhilippe Mathieu-Daudé 111*b317006aSPhilippe Mathieu-DaudéThe ``null-co`` block driver is designed for performance: its read accesses are 112*b317006aSPhilippe Mathieu-Daudénot initialized by default. In case this driver has to be used for security 113*b317006aSPhilippe Mathieu-Daudéresearch, it must be used with the ``read-zeroes=on`` option which fills read 114*b317006aSPhilippe Mathieu-Daudébuffers with zeroes. Security issues reported with the default 115*b317006aSPhilippe Mathieu-Daudé(``read-zeroes=off``) will be discarded. 116