As a key foundation of cloud computing, virtualization technology plays an increasingly significant role, while cloud platforms are also widely and rapidly developing. However, in recent years, we’ve seen an increase in high-risk vulnerabilities in virtualization systems, which could cause some significant challenges to cloud security implementations.
This talk will introduce Qihoo 360’s Virtualized Security Research Team’s fuzzing framework for virtualization systems and a comprehensive look into the process of 0day vulnerability discovery.
By using this fuzzing framework we have found 9 0day vulnerabilities in QEMU and 2 0day vulnerabilities in VMware workstation in only 3 months. All these vulnerabilities would help hackers escape from virtual machine and execute arbitrary code.
The CVE IDs which have been discovered using this fuzzing framework are as follows:
CVE-2015-7504
CVE-2015-8345
CVE-2015-5279
CVE-2015-6855
CVE-2015-5225
CVE-2015-6815
CVE-2015-7549