The simulator runs as a user application with standard privileges and is secure at its core. However, it has some features that present potential vulnerabilities which are good to be aware of before enabling them. None of them are enabled by default.
- Access to the command line interface (CLI) provides access to arbitrary shell commands on the simulation host (as the user running the simulator). Hence, using telnet-frontend potentially opens up shell access to the simulation host to anyone with network access to it.
- Similarly, access to the simulated target system may potentially be used to obtain access to the host (as the user running the simulator). The features which provide communication between the target and the simulator, and which therefore could introduce this type of risk, are SimicsFS, Simics Agent, the host serial connections in the host-serial-console and textcon modules, and the debugging functionality in tcf-agent. In general, bugs in simulation modules can lead to crashes or similar faults that result in access to the simulation host.
- Some features may provide access to the simulated target system to users who have network access to the simulation host. By the previous point, this may be exploited to access the simulation host. These features are the VNC server in the graphcon module, the telnet servers in the telnet-console and textcon modules, the gdb-remote module, distributed simulation and all types of real network connections using the real-network module.
- The connection modules mentioned above can be configured to use restrictive connection types (domain sockets on Linux and named pipes on Windows) that do not make the simulation host accessible over the network.
- Real network connections in particular should be used with care, as they also allow the target system to initiate connections to the network that the simulation host is connected to. This can potentially expose information about the target. Moreover, the Ethernet bridging type of real network connection makes it possible for users of the simulator, as well as software on the simulated target machine, to access raw Ethernet frames on the local network of the host. In particular, do not use the network services of the simulator (the service-node) when bridging networks, as this exposes those services to the host network, which is both a security concern and can also lead to conflicts with other similar services on the network. Also, Ethernet bridging uses TAP, which requires administrator privileges to set up, an additional risk.
- It is recommended to only use any of the features mentioned above when the simulation host is on a secure network.
- VMP is a kernel module that must be installed with administrator privileges and that runs in supervisor mode. Hence, bugs in processor models can potentially crash the host when running in VMP mode.
Add-on packages often include software intended to run in the simulated target systems. This software is supplied for demonstration and training purposes only, and is not intended to be used as part of production setups.