by Qiang Li + ZhiBin Hu + Mei Wang, Qihoo 360
QEMU is a fundamental part of modern open source virtualization solutions, especially in KVM and Xen. As a complete virtualization solution, QEMU has to emulate the processor, memory and peripheral devices. This makes QEMU very complex and exposes a lot of attack surface. This year, I did a deep vulnerability discovery effort in QEMU, discovered 60+ vulnerabilities and have 50+ CVEs so far. I have summarized the kinds of attack surface and vulnerability types in QEMU.
In this presentation, I will talk about the attack surfaces of QEMU and how to discover vulnerabilities in these attack surfaces. As I discovered these vulnerabilities by auditing, I will also discuss the pros and cons of auditing versus fuzzing, which is very popular these days, and compare the efficiency of the two. By presenting some tricks for auditing, I will illustrate that source auditing is still a powerful weapon in vulnerability discovery. Then, I will talk about the various vulnerability types and cases in QEMU for these attack surfaces. Finally, I will give a summary of the vulnerabilities I have found.