Advanced Exploitation: Xen Hypervisor VM Escape


The Xen is a widely used virtualization platform powering some of the largest clouds in production today.

For the purpose of cloud platform security reinforcement, our team have looked into the implementation of Xen hypervisor and found a series of  highly critical vulnerabilities that could be used to exploit the host machine. For example, the XSA-148/CVE-2015-7825, a 7 year old bug disclosed by our team two months ago, is one of the worst vulnerabilities ever hit to the Xen Project.

This presentation will center around the Xen hypervisor and exploitation technologies and covers the following topics:

1. The story of the awesome XSA-148/CVE-2015-7825 Xen vulnerability.

2. Xen Hypervisor internals – In this section, we will dive deep into the hypervisor and talk about a mass of runtime details which have not been previously disclosed.

3. Exploitation vectors in Xen environment – After exploring the Xen implemention, we will look into the various Xen exploitation vectors and how to bypass Xen security machanisms

4. VM Escape and Dom0/DomN r00t shell in reality – At last, we will expand on the XSA-148 exploitation technique and show root shells of the host machine and other guest virtual machines. XSA-148 exploitation is a well-chosen generic exploitation method and could be directly used in any other vulnerabilities like XSA-148 to perform VM escape.

With the exception of  the XSA-148 vulnerability itself, all other contents have never been published before. These details could help researchers start their virtualization security research work and also help cloud services providers enhance their products’ security or detect VM escape attacks.

Location: Track 2 Date: May 27, 2016 Time: 3:00 pm - 4:00 pm Shangcong Luan