Adding upstream version 1:10.0.2+ds.
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
This commit is contained in:
parent
bf2768bd0f
commit
ea34ddeea6
GPG key ID:
BCC918A2ABD66424
37998 changed files with 9510514 additions and 0 deletions
115
docs/devel/secure-coding-practices.rst
Normal file
115
docs/devel/secure-coding-practices.rst
Normal file
|
|
@ -0,0 +1,115 @@
|
|||
=======================
|
||||
Secure Coding Practices
|
||||
=======================
|
||||
This document covers topics that both developers and security researchers must
|
||||
be aware of so that they can develop safe code and audit existing code
|
||||
properly.
|
||||
|
||||
Reporting Security Bugs
|
||||
-----------------------
|
||||
For details on how to report security bugs or ask questions about potential
|
||||
security bugs, see the `Security Process wiki page
|
||||
<https://wiki.qemu.org/SecurityProcess>`_.
|
||||
|
||||
General Secure C Coding Practices
|
||||
---------------------------------
|
||||
Most CVEs (security bugs) reported against QEMU are not specific to
|
||||
virtualization or emulation. They are simply C programming bugs. Therefore
|
||||
it's critical to be aware of common classes of security bugs.
|
||||
|
||||
There is a wide selection of resources available covering secure C coding. For
|
||||
example, the `CERT C Coding Standard
|
||||
<https://wiki.sei.cmu.edu/confluence/display/c/SEI+CERT+C+Coding+Standard>`_
|
||||
covers the most important classes of security bugs.
|
||||
|
||||
Instead of describing them in detail here, only the names of the most important
|
||||
classes of security bugs are mentioned:
|
||||
|
||||
* Buffer overflows
|
||||
* Use-after-free and double-free
|
||||
* Integer overflows
|
||||
* Format string vulnerabilities
|
||||
|
||||
Some of these classes of bugs can be detected by analyzers. Static analysis is
|
||||
performed regularly by Coverity and the most obvious of these bugs are even
|
||||
reported by compilers. Dynamic analysis is possible with valgrind, tsan, and
|
||||
asan.
|
||||
|
||||
Input Validation
|
||||
----------------
|
||||
Inputs from the guest or external sources (e.g. network, files) cannot be
|
||||
trusted and may be invalid. Inputs must be checked before using them in a way
|
||||
that could crash the program, expose host memory to the guest, or otherwise be
|
||||
exploitable by an attacker.
|
||||
|
||||
The most sensitive attack surface is device emulation. All hardware register
|
||||
accesses and data read from guest memory must be validated. A typical example
|
||||
is a device that contains multiple units that are selectable by the guest via
|
||||
an index register::
|
||||
|
||||
typedef struct {
|
||||
ProcessingUnit unit[2];
|
||||
...
|
||||
} MyDeviceState;
|
||||
|
||||
static void mydev_writel(void *opaque, uint32_t addr, uint32_t val)
|
||||
{
|
||||
MyDeviceState *mydev = opaque;
|
||||
ProcessingUnit *unit;
|
||||
|
||||
switch (addr) {
|
||||
case MYDEV_SELECT_UNIT:
|
||||
unit = &mydev->unit[val]; <-- this input wasn't validated!
|
||||
...
|
||||
}
|
||||
}
|
||||
|
||||
If ``val`` is not in range [0, 1] then an out-of-bounds memory access will take
|
||||
place when ``unit`` is dereferenced. The code must check that ``val`` is 0 or
|
||||
1 and handle the case where it is invalid.
|
||||
|
||||
Unexpected Device Accesses
|
||||
--------------------------
|
||||
The guest may access device registers in unusual orders or at unexpected
|
||||
moments. Device emulation code must not assume that the guest follows the
|
||||
typical "theory of operation" presented in driver writer manuals. The guest
|
||||
may make nonsense accesses to device registers such as starting operations
|
||||
before the device has been fully initialized.
|
||||
|
||||
A related issue is that device emulation code must be prepared for unexpected
|
||||
device register accesses while asynchronous operations are in progress. A
|
||||
well-behaved guest might wait for a completion interrupt before accessing
|
||||
certain device registers. Device emulation code must handle the case where the
|
||||
guest overwrites registers or submits further requests before an ongoing
|
||||
request completes. Unexpected accesses must not cause memory corruption or
|
||||
leaks in QEMU.
|
||||
|
||||
Invalid device register accesses can be reported with
|
||||
``qemu_log_mask(LOG_GUEST_ERROR, ...)``. The ``-d guest_errors`` command-line
|
||||
option enables these log messages.
|
||||
|
||||
Live Migration
|
||||
--------------
|
||||
Device state can be saved to disk image files and shared with other users.
|
||||
Live migration code must validate inputs when loading device state so an
|
||||
attacker cannot gain control by crafting invalid device states. Device state
|
||||
is therefore considered untrusted even though it is typically generated by QEMU
|
||||
itself.
|
||||
|
||||
Guest Memory Access Races
|
||||
-------------------------
|
||||
Guests with multiple vCPUs may modify guest RAM while device emulation code is
|
||||
running. Device emulation code must copy in descriptors and other guest RAM
|
||||
structures and only process the local copy. This prevents
|
||||
time-of-check-to-time-of-use (TOCTOU) race conditions that could cause QEMU to
|
||||
crash when a vCPU thread modifies guest RAM while device emulation is
|
||||
processing it.
|
||||
|
||||
Use of null-co block drivers
|
||||
----------------------------
|
||||
|
||||
The ``null-co`` block driver is designed for performance: its read accesses are
|
||||
not initialized by default. In case this driver has to be used for security
|
||||
research, it must be used with the ``read-zeroes=on`` option which fills read
|
||||
buffers with zeroes. Security issues reported with the default
|
||||
(``read-zeroes=off``) will be discarded.
|
||||
Loading…
Add table
Add a link
Reference in a new issue