Simics runs as a user application with standard privileges and is
secure at its core. However, it has some features that present potential
vulnerabilities which are good to be aware of before enabling
them. None of them are enabled by default.
- Access to the Simics command line provides access to arbitrary
  shell commands on the simulation host (as the user running
  Simics). Hence, using telnet-frontend potentially opens up shell
  access to the simulation host to anyone with network access to it.
- Similarly, access to the simulated target system may potentially be used to
  obtain access to the host (as the user running Simics). The
  features which provide communication between target and Simics,
  and which therefore could introduce this type of risk,
  are SimicsFS, Simics Agent, the host serial
  connections in the host-serial-console and textcon
  modules, and the debugging functionality in tcf-agent.
  In general, bugs in Simics devices can lead
  to crashes or similar faults that result in access to the simulation host.
- Some features may provide access to the simulated target system to
  users who have network access to the simulation host. By the
  previous point, this may be exploited to access the simulation
  host. These features are the VNC server in the graphcon
  module, the telnet servers in the telnet-console
  and textcon modules, the gdb-remote module,
  distributed simulation and all types of real network connections
  using the real-network module.
- The connection modules mentioned above can be configured to use
  restrictive connection types, domain sockets on Linux and named
  pipes on Windows, that do not make the simulation host accessible
  over the network.
- Real network connections in particular should be used with care,
  as they also allow the target system to initiate connections to
  the network that the simulation host is connected to. This can
  potentially expose information about the target. Moreover,
  the Ethernet bridging type of real network connection makes
  it possible for Simics users as well as software on the simulated
  target machine to access raw Ethernet frames on the local network
  of the host. In particular, do not use the Simics network services
  (the service-node) when bridging networks, as this exposes
  those services to the host network, which is both a security
  concern and a potential source of conflicts with other similar services
  on the network. Also, Ethernet bridging uses TAP, which requires
  administrator privileges to set up, an additional risk.
- It is recommended to only use any of the features mentioned above
  when the simulation host is on a secure network.
- VMP is a kernel module that must be installed with
  administrator privileges and that runs in supervisor mode. Hence,
  bugs in Simics processor models can potentially crash the host
  when running in VMP mode.
Simics packages often include software intended to run in the
simulated target systems. This software is supplied for demonstration
and training purposes only and is not intended to be used as part of
production setups.