The simulator runs as a user application with standard privileges and is secure
at its core. However, some of its features present potential vulnerabilities
that are worth being aware of before enabling them. None of them are enabled by
default.

- Access to the command line (CLI) provides access to arbitrary shell commands
on the simulation host (as the user running the simulator). Hence enabling
telnet-frontend potentially opens up shell access to the simulation host to
anyone with network access to it.
- Similarly, access to the simulated target system may potentially be used to
obtain access to the host (as the user running the simulator). The features
which provide communication between target and the simulator, and which
therefore could introduce this type of risk, are SimicsFS, Simics
Agent, the host serial connections in the host-serial-console and
textcon modules, and the debugging functionality in tcf-agent. In
general, bugs in simulation modules can lead to crashes or similar that
result in access to the simulation host.
- Some features may provide access to the simulated target system to users who
have network access to the simulation host. By the previous point, this may
be exploited to access the simulation host. These features are the VNC server
in the graphcon module, the telnet servers in the telnet-console and
textcon modules, the gdb-remote module, distributed simulation and
all types of real network connections using the real-network module.
- The connection modules mentioned above can be configured to use restrictive
connection types (domain sockets on Linux and named pipes on Windows) that do
not make the simulation host accessible over the network.
- Real network connections in particular should be used with care, as they also
allow the target system to initiate connections to the network that the
simulation host is connected to. This can potentially expose information
about the target. Moreover, the Ethernet bridging type of real network
connection makes it possible for users of the simulator, as well as software
on the simulated target machine, to access raw Ethernet frames on the local
network of the host. In particular, do not use the network services of the
simulator (the service-node) when bridging networks, as this exposes
those services to the host network, which is both a security concern and can
also lead to conflicts with other similar services on the network. Also,
Ethernet bridging uses TAP, which requires administrator privileges to set up,
an additional risk.
- It is recommended to use the features mentioned above only when the
simulation host is on a secure network.
- VMP is a kernel module that must be installed with administrator
privileges and that runs in supervisor mode. Hence, bugs in processor models
can potentially crash the host when running in VMP mode.

Add-on packages often include software intended to run in the simulated target
systems. This software is supplied for demonstration and training purposes only,
and is not intended to be used as part of production setups.