Hacker Neue

Preferences
j_s parent
Thanks for the tip! Too late to edit, bummer. [Edit:If you're right I] would have switched it to: "not for the faint of heart!"

My understanding was from Qubes choosing Xen and also AWS (they both deal with Xen advisories instead). The Qubes Architecture Specification goes into detail starting on page 11: https://www.qubes-os.org/attachment/wiki/QubesArchitecture/a...

KVM uses the open source qemu emulator for [I/O emulattion]. [...] The I/O emulator is a complex piece of software, and thus it is reasonable to assume that it contains bugs and that it can be exploited by the attacker. In fact both Xen and KVM assume that the I/O emulator can be compromised and they both try to protect the rest of the system from a potentially compromised I/O emulator.

Also pointed out elsewhere on thread: Google skipping QEMU.

Edit: I am digging into it more, but I don't see KVM+QEMU on any top-tier provider (GCE, AWS, Azure [Hyper-V-ish])? My understanding was the only time QEMU was required was to emulate processor architectures, eg. x86 on ARM or vice-versa. QEMU is also used by some reverse-engineering/anti-malware emulation stuff.

bonzini
In China KVM is probably more common than Xen; Aliyun and Tencent use it, and Huawei is transitioning from Xen to KVM (with QEMU). KVM is probably more common among whoever uses OpenStack.

Xen also requires a hardware emulator to run HVM guests (including, but not limited to, Windows VMs). I don't know about now, but it definitely used to be QEMU for AWS.

QEMU can do emulation, but with KVM you use the hypervisor to run code at full speed until it has to interact with the emulated hardware.

Oldhand2017
Aliyun and Tencent use Xen, too. They are both on Xen's pre-disclosure list. I don't know it now, but Aliyun was at least Xen-only at one point. Huawei offers products both with KVM and Xen. This doesn't necessarily invalidate your speculation though.

The OpenStack aspect is true. Xen lacks support there.

A new Xen guest mode called PVH will remove QEMU when running Linux -- it is basically HVM without QEMU. Windows still requires QEMU.

j_s OP
Thanks for the follow-up! I'll settle for "no tier-1 US provider publicly admits to using QEMU". :)

I didn't dig too far into the AWS vulnerability list to try to find QEMU; XEN shows up right away! Ok: QEMU is last mentioned July 2015, and in none of the mentions is AWS vulnerable.

https://www.google.com/?q=site:https://aws.amazon.com/securi...

bonzini
> and in none of the mentions is AWS vulnerable.

Yep, that's because most bugs are found in legacy devices that are never found in production. The big exception was a buffer overflow in the floppy device emulation (the "VENOM" vulnerability).

A lot of AWS security bulletins say "AWS customers' data and instances are not affected by these issues". I read it as "we knew about it a couple weeks in advance and have done a rolling upgrade". :)

This item has no comments currently.