From mboxrd@z Thu Jan 1 00:00:00 1970
From: Paolo Bonzini
Subject: Re: [Qemu-devel] KVM call for 2017-03-14
Date: Tue, 14 Mar 2017 11:44:39 +0100
Message-ID:
References: <87tw6y8bs8.fsf@secure.mitica> <20170314081312.GB13140@stefanha-x1.localdomain>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Cc: Juan Quintela , QEMU Developer , KVM devel mailing list
To: Peter Maydell , Stefan Hajnoczi
Return-path:
Received: from mail-lf0-f66.google.com ([209.85.215.66]:35547 "EHLO mail-lf0-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750749AbdCNKon (ORCPT ); Tue, 14 Mar 2017 06:44:43 -0400
Received: by mail-lf0-f66.google.com with SMTP id v2so13802407lfi.2 for ; Tue, 14 Mar 2017 03:44:42 -0700 (PDT)
In-Reply-To:
Sender: kvm-owner@vger.kernel.org
List-ID:

On 14/03/2017 11:39, Peter Maydell wrote:
>> 3. Is it safer than C even when writing code to operate on guest RAM
>> (i.e. it's no good if you must use unsafe primitives to do the
>> systems programming tasks that QEMU requires)?
> My impression is that many of our security vulnerabilities are
> overflows in local arrays in the device emulation (for instance
> good old VENOM), so I think that even if a candidate safer
> language only provided bounds-checking on arrays it knew about
> and not on raw guest RAM it would still be a significant
> improvement. (Accesses to guest RAM are often via APIs that
> we could add bounds-checks to "by hand" anyway.)

Right, this was one of the reasons behind the introduction of
MemoryRegionCache: get both speed (like address_space_map) and bounds
checking (like address_space_rw). It looks like it should be easy to
wrap it in any language, be it Rust or a scripting language like Lua.

Paolo
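The design point in the exchange above, a cached window over guest RAM that keeps the one-time pointer setup of a mapped region but validates every access against the window's length, shown as an added example that is not QEMU code and not the MemoryRegionCache, address_space_map or address_space_rw API. The names `ram_cache_t`, `cache_init`, `cache_read`, `cache_write` and `copy_descriptor` are assumptions for this example, and `guest_ram` is a constructed 64-byte stand-in for guest memory. The unchecked accessor is kept only to contrast with the checked one; `copy_descriptor` also shows the device-model side, where a guest-supplied (offset, length) pair is checked against both the window and the local array it is copied into.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed 64-byte stand-in for guest RAM (not real guest memory). */
#define GUEST_RAM_SIZE 64
static uint8_t guest_ram[GUEST_RAM_SIZE];

/* Hypothetical cached window over a slice of guest RAM. The type and
 * function names here are assumptions for this example, not QEMU's API. */
typedef struct {
    uint8_t *base;  /* host pointer to the first byte of the window */
    size_t len;     /* number of bytes the window covers */
} ram_cache_t;

/* Set up a window over guest RAM [off, off + len). Rejects a window that
 * would extend past the end of guest RAM; the subtraction form cannot
 * overflow the way off + len could. */
static int cache_init(ram_cache_t *c, size_t off, size_t len)
{
    if (off > GUEST_RAM_SIZE || len > GUEST_RAM_SIZE - off) {
        return -1;
    }
    c->base = guest_ram + off;
    c->len = len;
    return 0;
}

/* Single range check shared by read and write: [off, off + n) must lie
 * inside the window. Overflow-safe for any off and n. */
static int cache_in_range(const ram_cache_t *c, size_t off, size_t n)
{
    return off <= c->len && n <= c->len - off;
}

/* The unchecked path: what a device model gets from a raw host pointer.
 * Any offset is dereferenced, so an index past the window would touch
 * adjacent host memory. Kept only to contrast with the checked path. */
static uint8_t unchecked_read8(const ram_cache_t *c, size_t off)
{
    return c->base[off];
}

/* The checked path: pointer arithmetic was done once in cache_init, and
 * each access is validated against the window length before the copy. */
static int cache_read(const ram_cache_t *c, size_t off, void *buf, size_t n)
{
    if (!cache_in_range(c, off, n)) {
        return -1;
    }
    memcpy(buf, c->base + off, n);
    return 0;
}

static int cache_write(ram_cache_t *c, size_t off, const void *buf, size_t n)
{
    if (!cache_in_range(c, off, n)) {
        return -1;
    }
    memcpy(c->base + off, buf, n);
    return 0;
}

/* Device-model style use: a guest-supplied (offset, length) pair from a
 * descriptor is copied into a local array. Both sides are checked, so
 * neither a bad descriptor nor an over-long length can overflow.
 * Returns the number of bytes copied, or -1. */
static int copy_descriptor(const ram_cache_t *c, uint32_t g_off, uint32_t g_len,
                           uint8_t *local, size_t local_cap)
{
    if (g_len > local_cap) {
        return -1;  /* would overflow the device's local array */
    }
    if (cache_read(c, g_off, local, g_len) != 0) {
        return -1;  /* descriptor points outside the cached window */
    }
    return (int)g_len;
}

int main(void)
{
    ram_cache_t c;
    uint8_t local[16];
    uint8_t v = 0xAB;

    if (cache_init(&c, 16, 32) != 0) {
        return 1;
    }
    cache_write(&c, 31, &v, 1);
    printf("in-range read8: 0x%02x\n", unchecked_read8(&c, 31));
    printf("descriptor (0, 16):  %d\n", copy_descriptor(&c, 0, 16, local, sizeof local));
    printf("descriptor (24, 16): %d\n", copy_descriptor(&c, 24, 16, local, sizeof local));
    printf("descriptor (0, 64):  %d\n", copy_descriptor(&c, 0, 64, local, sizeof local));
    return 0;
}
```

The check is written as `off <= len && n <= len - off` rather than `off + n <= len` so that a guest-controlled offset and length cannot wrap the addition and slip past the comparison; that is the same class of arithmetic a wrapper in Rust or Lua would rely on the cached window to perform for it.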