Developers working on the open source Xen Project say they will continue using the Quick Emulator (QEMU) computer hardware virtualisation component despite a number of severe vulnerabilities recently uncovered, such as Venom.
Quick Emulator was originally written by French programmer Fabrice Bellard and is used in hypervisors such as Xen and the Linux Kernel-based Virtual Machine (KVM) to emulate PC hardware such as the motherboard, PCI devices, hard disks and even the Basic Input/Output System (BIOS) firmware that bootstraps and starts computers.
Reviews of the QEMU code have unearthed multiple vulnerabilities, such as the Venom virtual floppy disk data buffer overflow and recent network card heap overflows, which could lead to full compromise of hosts from virtual machines.
Large Xen hosting providers like Rackspace have been forced to urgently patch against the serious vulnerabilities in QEMU. Despite this, removing QEMU from Xen isn't the right strategy, Olivier Lambert of the Xen Orchestra Project told iTnews.
He defended the authors of QEMU and insisted they have done an amazing job. He said after the widely publicised Venom and Heartbleed flaws, the increased attention meant more and more people were digging in the QEMU code for flaws.
Rather than turning away from the open source product altogether, he said, the way to secure QEMU lies in better community collaboration, with the KVM, Xen and QEMU coders working together.
Work has already started on making QEMU run as a non-privileged, non-root user, which limits the areas of the system the emulator has access to.
"The idea is to run QEMU as a non-privileged user. This way, a flaw in QEMU won't have a dangerous impact on your system," Lambert said.
Finding the security flaws in QEMU has been a blessing in disguise, Lambert claimed.
He argued the discoveries made the QEMU, Xen and KVM communities work together more closely, which has led to the creation of better tools and offers the path to enhanced security.