Xen Project to stick with QEMU despite vulnerabilities

By

Work on sandboxing hardware emulation kicks off.

Developers working on the open source Xen Project say they will continue using the Quick Emulator (QEMU) computer hardware virtualisation component despite a number of severe vulnerabilities recently unconvered, like Venom.

Xen Project to stick with QEMU despite vulnerabilities

Quick Emulator was originally written by French programmer Fabrice Bellard and is used in hypervisors such as Xen and the Linux Kernel-based Virtual Machine (KVM) to emulate PC hardware such as the motherboard, PCI devices, hard disks and even the Basic Input/Output System (BIOS) firmware that bootstraps and starts computers.

Reviews of the QEMU code have unearthed multiple vulnerabilities such as the Venom virtual floppy disk data buffer and recent network card heap overflows which could lead to full compromise of hosts from virtual machines.

Large Xen hosting providers like Rackspace have been forced to urgently patch against the serious vulnerabilities in QEMU. Despite this, removing QEMU from Xen isn't the right strategy, Olivier Lambert of the Xen Orchestra Project told iTnews.

He defended the authors of QEMU and insisted they have done an amazing job. He said after the widely publicised Venom and Heartbleed flaws, the increased attention meant more and more people were digging in the QEMU code for flaws.

Rather than turning away from the open source product altogether, he said, the way to secure QEMU lies in better community collaboration, with the KVM, Xen and QEMU coders working together.

Work has already started on making QEMU run as a non-privileged, non-root user, which limits the areas of the system the emulator has access to.

"The idea is to run QEMU as a non-privileged user. This way, a flaw in QEMU won't have an dangerous impact on your system," Lambert said.

Finding the security flaws in QEMU has been blessing in disguise, Lambert claimed.

He argued the discoveries made the QEMU, Xen and KVM communities work together more closely, which has led to the creation of better tools and offers the path to enhanced security, Lambert said.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:
hardwareopensourceqemusecuritysoftwarevenomvirtualisationxen

Sponsored Whitepapers

See everything. Do more.
See everything. Do more.
Lindentech Secures Digital Identity with Zero Trust and Microsoft Entra
Lindentech Secures Digital Identity with Zero Trust and Microsoft Entra
Diamond IT Delivers GRC Transformation with Microsoft Purview
Diamond IT Delivers GRC Transformation with Microsoft Purview
Linktech Powers Energy Trader’s Essential Eight Compliance in Just Eight Weeks
Linktech Powers Energy Trader’s Essential Eight Compliance in Just Eight Weeks
Byte Delivers Future-Ready IT: Transforming Endpoint Security and Productivity with a Cloud-First Strategy
Byte Delivers Future-Ready IT: Transforming Endpoint Security and Productivity with a Cloud-First Strategy

Events

Most Read Articles

Porn industry standardises on HD-DVD

Porn industry standardises on HD-DVD
La Trobe ACAMI supercomputer comes online

La Trobe ACAMI supercomputer comes online
TfNSW extends deal for mobile phone detection cameras

TfNSW extends deal for mobile phone detection cameras
Australian teen leaks pictures of new iPhone parts

Australian teen leaks pictures of new iPhone parts
techpartner.news logo
Dave Stevens on Brennan's evolution and the need for Aussie tech unity
Dave Stevens on Brennan's evolution and the need for Aussie tech unity
Sydney's ITKnocks on contact centre AI and the slow death of the IVR
Sydney's ITKnocks on contact centre AI and the slow death of the IVR
"It's an exciting time to be part of the health and aged care sector"
"It's an exciting time to be part of the health and aged care sector"
Insicon founder Matt Miller on the coming 'tsunami' of compliance and educating boards about cyber security
Insicon founder Matt Miller on the coming 'tsunami' of compliance and educating boards about cyber security
Orro claims Australia first with managed digital asset discovery service
Orro claims Australia first with managed digital asset discovery service

Log In

  |  Forgot your password?