Hypervisor Security Nightly 2021

Announcing the schedule and short descriptions of this year's Nightly Trainings focused on virtualisation, a new compact, weekend-friendly class format that I previously introduced here. This post will be updated as new topics and dates are added.

Mini-class: Hypervisor Vulnerability Research 101

Date: 26th June 2021 (Saturday), 13:00-17:00 UTC. Level: beginners.

Topics:
* The Hypervisor Threat (meta)Model.
* Overview of the required theoretical knowledge.
* First exposure to the code of a popular hypervisor (static analysis).
* Hypervisor introspection lab: what can you learn about your hypervisor from within a VM?
* Hardware assist demystified.
* Common classes of bugs.
* Practical tips.

You will learn:
* The "Big Picture" and the "Deep Picture" of hypervisor technologies.
* What you need to read, and which skills you need, for attacking and securing hypervisors.
* How to get started with huge code bases.
* How to map some simple hypervisor attack vectors without looking at the code.
* How and where you can find some simple bugs in hypervisors as a beginner.
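The introspection lab above asks what a guest can learn about its hypervisor without reading any hypervisor code. The smallest possible answer is the CPUID interface, which is the same starting point on ESXi, Hyper-V, KVM and desktop hypervisors. The following C program is an added example written for this post, not training material from the class: it reads the architecturally reserved "hypervisor present" bit (CPUID leaf 1, ECX bit 31) and, if set, the 12-byte vendor signature and highest hypervisor leaf that leaf 0x40000000 returns in EBX:ECX:EDX and EAX. The signature constants in the comments (KVM, VMware, Microsoft Hv) are the documented ones; the function and file names are my own.

```c
/* Added example for the introspection lab (not part of the original post).
 * Minimal hypervisor detection from inside an x86/x86-64 guest via CPUID:
 *   - CPUID.(EAX=1):ECX[31] is reserved by Intel and AMD for "hypervisor
 *     present"; bare metal reports 0, cooperative hypervisors report 1.
 *   - CPUID leaf 0x40000000 (the start of the hypervisor range) returns the
 *     vendor signature in EBX, ECX, EDX and the highest hypervisor leaf in EAX,
 *     e.g. "KVMKVMKVM", "VMwareVMware", "Microsoft Hv".
 * Caveat: a hypervisor can hide the bit or lie about the signature, so this is
 * a first probe, not proof. Build: cc -O2 -o hvprobe hvprobe.c */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>          /* __cpuid() macro from GCC/Clang */
#define HAVE_CPUID 1
#else
#define HAVE_CPUID 0
#endif

/* Decode the hypervisor-present bit from the ECX value of CPUID leaf 1. */
static int hv_bit_set(uint32_t ecx) { return (int)((ecx >> 31) & 1u); }

/* Reassemble the 12-byte vendor signature from EBX, ECX, EDX. The CPU stores
 * the string least-significant byte first, so decode byte-wise rather than
 * relying on host endianness. `out` must hold 13 bytes. */
static void hv_signature(uint32_t ebx, uint32_t ecx, uint32_t edx, char *out) {
    const uint32_t regs[3] = { ebx, ecx, edx };
    for (int r = 0; r < 3; r++)
        for (int b = 0; b < 4; b++)
            out[r * 4 + b] = (char)((regs[r] >> (8 * b)) & 0xffu);
    out[12] = '\0';
}

/* Convenience check used by the test: does this register triple spell `expected`? */
static int hv_signature_is(uint32_t ebx, uint32_t ecx, uint32_t edx, const char *expected) {
    char sig[13];
    hv_signature(ebx, ecx, edx, sig);
    return strcmp(sig, expected) == 0;
}

/* Probe the CPU we are running on. Returns 1 and fills `sig` / `max_leaf`
 * when a hypervisor advertises itself, 0 on bare metal, when the hypervisor
 * hides the bit, or on a non-x86 build. */
static int hv_probe(char sig[13], uint32_t *max_leaf) {
#if HAVE_CPUID
    uint32_t eax, ebx, ecx, edx;
    __cpuid(1, eax, ebx, ecx, edx);
    if (!hv_bit_set(ecx))
        return 0;
    /* Note: __get_cpuid() refuses leaves above the basic maximum, so the raw
     * __cpuid() macro is needed for the 0x4000xxxx range. */
    __cpuid(0x40000000u, eax, ebx, ecx, edx);
    hv_signature(ebx, ecx, edx, sig);
    *max_leaf = eax;
    return 1;
#else
    (void)sig; (void)max_leaf;
    return 0;
#endif
}

int main(void) {
    char sig[13];
    uint32_t max_leaf = 0;
    if (!hv_probe(sig, &max_leaf)) {
        puts("no hypervisor advertised via CPUID (bare metal, hidden, or non-x86)");
        return 0;
    }
    printf("hypervisor signature: \"%s\", highest hypervisor leaf: 0x%08x\n", sig, max_leaf);
    return 0;
}
```

Run it inside a VM and on the host to compare; the highest leaf alone already tells you how much paravirtual interface surface (timers, hypercalls, enlightenments) the hypervisor is exposing to the guest, which is a useful first map of attack vectors before opening any code.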

For those thinking about entering the complex area of hypervisor security research, hunting bugs for bounty programs, or maybe competing at Pwn2Own in the virtualisation category: this mini-training should make the decision easier by exposing you to the "big picture" of what we're dealing with, introducing you to basic practical skills, and getting you started with your first hypervisor vulnerability research ideas.

Pre-requisites: C, basic familiarity with OS theory and appsec theory, any desktop hypervisor (for introspection lab).

Mini-class: Deep Dive VMware ESXi OpenSLP Heap Overflow (CVE-2019-5544)

Date: 19th June 2021 (Saturday), 13:00-17:00 UTC. Level: intermediate.

Topics:
* Relevant theoretical background.
* Recap of the hypervisor threat model, and where we're at.
* Protocol details (OpenSLP).
* Vulnerability research workflow: from patch to PoC.
* Setting up the environment and testing the bug.

You will learn:
* Bug history and technical case studies in the same attack surface across the virtualisation industry.
* How to research and analyze security bugs when no writeup is available.
* How to create a proof-of-concept based on a security patch (source-code level).
* How to build a VMware ESXi research platform.

This bug (originally leveraged in a private competition exploit against VMware ESXi in 2018) has been discussed in my "Hypervisor Vulnerability Research" training since its inception. Now it's reported in cyber news to be actively exploited in the wild. With this mini-training I hope not only to inspire professional vulnerability and malware researchers to dig into the less popular attack surfaces of a hugely popular corporate hypervisor, but also to let system administrators, incident responders and self-taught computer security enthusiasts (yes, you are invited, and I promise not to be too intimidating) know their threats at the byte level, and potentially learn to recognise similar attack scenarios early, before a bug is weaponized by malicious parties.

Pre-requisites: C, ability to build and use things on Linux, basic familiarity with appsec. x86 assembly knowledge would be helpful, but is not strictly required to get the most out of the class.

Mini-class: Deep Dive Microsoft Hyper-V Virtual Network Switch

Date: 12th June 2021 (Saturday), 13:00-17:00 UTC. Level: advanced.

Topics:
* Relevant theoretical background.
* Recap of hypervisor threat models, and where we are.
* Setting up the Hyper-V testing and debugging environment.
* Review of previously published vulnerabilities in vmswitch.
* Vulnerability analysis of CVE-2019-0717.
* System internals of vmswitch.

You will learn:
* Everything that you need to know about paravirtualized devices.
* How to set up a Microsoft Hyper-V research platform.
* The threat model, system internals, and known bugs in one of the largest and most important attack surfaces of Hyper-V.
* How to write a simple fuzzer for vmswitch.
* How to analyze bugs and estimate exploitability.

Microsoft Hyper-V Virtual Network Switch has proved very popular with bug hunters for more than one good reason, which I started to discuss in my conference talk "Hypervisor Vulnerability Research: State of the Art in 2020". This component was also quickly included in my "Hypervisor Vulnerability Research" training, and as I see my past students successfully pushing this attack vector forward, I want to inspire more vulnerability researchers to look at it.

Pre-requisites: x86_64 assembly, a powerful laptop (if you want to set up a Hyper-V research platform, which is resource-hungry), some practical background in reverse engineering and vulnerability research.

Further details & booking

All Hypervisor Security Nightly trainings will be a deeply technical, hands-on experience with a roughly even balance of theory and practice, unless noted otherwise in the respective class description.

Note: the length of a mini-training may exceed 4 hours if there are many questions from attendees, which happens all the time at my live trainings.

How to book: use the PayPal checkout option on the training page (preferred), or email contact@zerodayengineering.com.


Written by Alisa on 01st May 2021.


Categories: Products, Training, Virtualization
