Brussels / 30 & 31 January 2016


QEMU for Xen secure by default

Deprivileging the PC system emulator

Xen on x86 platforms offers two kinds of virtual machines: PV and HVM. PV is the older kind of guest; it doesn't need any emulation, but it requires extensive modifications to the guest operating system kernel. HVM is a newer kind of guest, which exploits hardware virtualization extensions and offers an emulated PC-like environment. Linux typically runs on Xen as a PV guest but can also run as an HVM guest very efficiently. Windows runs as an HVM guest only.

QEMU is a critical component in Xen deployments because it is in charge of emulating most devices for HVM guests, including IDE disks and PCI network cards. In fact, in the Xen community, QEMU is often called the "device model". QEMU's emulated interfaces are conveniently available for the guest to use. At the same time, of course, they are also exposed to malicious guests, which are inevitably going to try to find vulnerabilities in those interfaces in order to take control of the system.

Therefore securing QEMU is critical. QEMU should be protected from guest attacks not just in best-case scenarios, where deployments use advanced and complex security hardening techniques such as stubdoms or SELinux, but in all cases, for all users.

This presentation will show the defense-in-depth mechanisms which the Xen Project is putting in place to secure the execution of QEMU in Dom0 by default. The talk will explain the reasons behind the design choices and how they compare against other hypervisors and other deployment scenarios. Users will learn the trade-offs of the different solutions and how to distinguish secure from insecure configurations.


Stefano Stabellini
Ian Jackson