Re: KVM: Security Policy

2015-09-02 Thread Stefan Hajnoczi
On Thu, Aug 27, 2015 at 02:01:52PM +0200, Stefan Geißler wrote:
> Hello kvm mailing list,
> 
> I assume this is a rather uncommon mailing list post since it is not
> directly related to the usage or development of KVM. Instead, the following
> is the case:
> 
> I am a student of computer science and am currently working on my master's
> thesis. The work in progress topic is "Mining vulnerability databases for
> information on hypervisor vulnerabilities: Analyses and Predictions". In the
> context of this research work I am analyzing various security related
> aspects regarding different hypervisors including KVM (A simple example
> contained in my analysis is the discovery process of security
> vulnerabilities and how the total number of disclosed vulnerabilities
> develops over time).
> 
> The reason I am writing this post to the public mailing list is that I am
> looking for someone who might be willing to support me during my work with
> (for example) information and/or personal experience. Or simply said: May I
> post questions and ask for help explaining my findings from time to time or
> is this too much off-topic for this mailing list?

It's not off-topic.  I think it's in the interest of the community so
don't be afraid to engage the mailing list with your questions or
feedback on your findings.

> For now the question would be, whether there is some kind of a formal
> documentation of the vulnerability disclosure process or a security policy
> specific for KVM?

The kvm kernel module is part of Linux and there is a process for that:
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/Documentation/SecurityBugs?id=HEAD

The QEMU emulator, which does device emulation in userspace, is a separate
project (used by KVM and Xen).  It has its own security process here:
http://qemu-project.org/SecurityProcess

> If someone has any information regarding this, feel free to contact me
> directly through my personal mail address. Any help and information will be
> greatly appreciated!

Let's keep discussion on the mailing list (CC kvm@vger.kernel.org).
That way others can participate and it becomes archived/searchable.

Stefan
--
To unsubscribe from this list: send the line "unsubscribe kvm" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html


KVM: Security Policy

2015-08-27 Thread Stefan Geißler

Hello kvm mailing list,

I assume this is a rather uncommon mailing list post since it is not
directly related to the usage or development of KVM. Instead, the 
following is the case:


I am a student of computer science and am currently working on my
master's thesis. The work in progress topic is "Mining vulnerability
databases for information on hypervisor vulnerabilities: Analyses and
Predictions". In the context of this research work I am analyzing
various security related aspects regarding different hypervisors
including KVM (A simple example contained in my analysis is the
discovery process of security vulnerabilities and how the total number
of disclosed vulnerabilities develops over time).


The reason I am writing this post to the public mailing list is that I
am looking for someone who might be willing to support me during my work
with (for example) information and/or personal experience. Or simply
said: May I post questions and ask for help explaining my findings from
time to time or is this too much off-topic for this mailing list?


For now the question would be, whether there is some kind of a formal 
documentation of the vulnerability disclosure process or a security 
policy specific for KVM?


If someone has any information regarding this, feel free to contact me 
directly through my personal mail address. Any help and information will 
be greatly appreciated!


If this post is misplaced at this mailing list maybe someone could point 
me at the right place.


Kind regards and thank you in advance,
Stefan Geißler