QEMU is not for Vulnerability Research
Ryan Torvik - March 15, 2023 - 2 minute read
QEMU is a quick emulation platform. It is an open source full-system/user-mode emulation platform designed to run target binaries at near native speed. Those binaries can be entirely different operating systems compiled for a completely different architecture than the host computer. QEMU supports entire sets of hardware that are foreign to the user’s operating environment. QEMU is designed to provide the same functionality as a foreign piece of hardware at a speed comparable to that hardware.
Unfortunately, this means that QEMU is not designed for Vulnerability Research.
To do effective Vulnerability Research, you need to actually see what is happening inside a system: to know exactly how data is being copied and modified as it moves through the system. The design choices that allow QEMU to provide near native speed prevent Vulnerability Researchers from effectively examining a target system.
Engineers can add plugins (written in C and conforming to the very specific QEMU programming paradigm), but these still don’t have access to the internals of the target system. Getting information about registers and internal memory state requires deep knowledge of QEMU internals. Projects like Panda.re have done some of the heavy lifting for you, but have their own issues.
We have spent years and years trying and failing to get accurate introspection into systems running in QEMU and it is just not worth it anymore.
Tulip Tree Technology is developing a green field full-system emulation environment, Emerson, to provide the introspection desperately needed by Vulnerability Researchers. Stay tuned to learn more about Emerson and Tulip Tree Technology’s vision to make vulnerability research more accessible.