[Spice-devel] SPICE and guest breakout risk assessment

adrelanos adrelanos at riseup.net
Thu Jan 2 11:25:54 PST 2014


Alon Levy:
> On 12/30/2013 08:44 AM, adrelanos wrote:
>> Hi,
>>
>> I am currently working on testing out KVM as a platform for Whonix, a
>> Debian based spin with anonymity enforcement via usage of virtual
>> machines. All traffic from a workstation vm is forced through a Tor
>> gateway on the second gateway vm. Safeguarding against high level
>> attacks (0days and advanced persistent threats) is our top priority and
>> so right now we are hammering out the details of what virtual hardware
>> should be attached into the vms.
>>
>> In your opinion is enabling SPICE and 2D acceleration via QXL+vdagent in
>> the guest, a security risk to the host? Consider this question in a
>> scenario where the host is a Red Hat derivative that has SELinux and
>> seccomp enabled for QEMU. We want to find out whether this is a case of
>> security vs convenience.
> 
> Enabling spice adds more code running on the host in the same context as
> the qemu process (libspice-server is linked to qemu), so I'd say yes
> (not sure what risk is acceptable, or what risk means exactly, but it is
> a risk in the English sense :).
> 
>>
>> Thanks for your time.
>> _______________________________________________
>> Spice-devel mailing list
>> Spice-devel at lists.freedesktop.org
>> http://lists.freedesktop.org/mailman/listinfo/spice-devel
>>
> 
> 

Hi Alon,

Thank you for your input. By risk I mean a malicious guest side that has
succeeded in rooting the OS in the VM and then attempts to send
malformed requests to the host GPU stack to break out. Something like
the infamous Cloudburst exploit that abused VMware's 3D acceleration
interfaces, but for 2D rendering functionality in this situation. I
wanted to know if the SPICE server is hardened against badly behaving guests
in this manner.

> Enabling spice adds more code running on the host in the same context as
> the qemu process (libspice-server is linked to qemu)

So as long as SELinux is applied to the QEMU process, which includes
libspice-server, a high level of guest containment is achieved?

