Abstract


Wei Xiao, virtualization security researcher, 360 Marvel Team, Qihoo 360, Beijing, China
Wei Xiao is a security researcher on the 360 Marvel Team at Qihoo 360 Technology Co. Ltd. He has rich experience in cloud computing security. Additionally, he has found a considerable number of vulnerabilities in virtualization software.

Qinghao Tang, virtualization security researcher, 360 Marvel Team, Qihoo 360, Beijing, China
Qinghao Tang is the team leader of the 360 Marvel Team at Qihoo 360 Technology Co. Ltd. He has rich experience in cloud computing security and Linux kernel security. He was a speaker at PacSec 2015, SyScan 2016 and HITB 2016.

[Abstract]
==========
QEMU+KVM and Xen are both widely used system frameworks in the cloud computing field. Meanwhile, security risks follow these systems like a shadow and can bring severe damage. The most serious of these risks is taking control of the host machine with malicious code running inside a virtual machine; we call this a virtual machine escape attack.
By exploiting the "Dark Portal" vulnerability (CVE-2016-3710) found by 360 Marvel Team, we have successfully realized virtual machine escape attacks under both QEMU+KVM and Xen.

In this talk, we want to share the following contents:
- Analysis of the memory layout of the QEMU process under the QEMU+KVM environment and the Xen environment.
- The principle of controlling EIP/RIP directly or indirectly.
- Shellcode placement by using an information leakage vulnerability of QEMU.
- How to bypass DEP and ASLR.
- Other useful vulnerability exploitation methods.
- Full demo video and escape code.

Slides