A series of 4-hour deep-dives into various aspects of hypervisor (in)security: including vulnerability research and exploit development, reverse engineering, implementation studies, and virtualization technology.
All classes are hands-on with original content and methodology, taught by an expert hypervisor hacker.
Instructor: Alisa Esage
Level: beginners
Duration: 4 hours
Availability: on-demand
Topics:
* The Hypervisor Threat (meta)Model.
* Overview of required theoretical knowledge.
* First exposure to a popular hypervisor's code (static analysis).
* Hypervisor introspection lab: what can you learn about your hypervisor from within a VM?
* Hardware Assist demystified.
* Common classes of bugs.
* Practical tips.
You will learn:
* The "Big Picture" and the "Deep Picture" of hypervisor technologies.
* What you need to read, and the skills you need, for attacking and securing hypervisors.
* How to get started with huge code bases.
* How to map some simple hypervisor attack vectors without looking at the code.
* How and where you can find some simple bugs in hypervisors as a beginner.
For those thinking about entering the complex area of hypervisor security research, hunting bugs for bounty programs, or maybe competing at Pwn2Own in the virtualisation category: this mini-training should settle the decision by exposing you to the "big picture" of what we're dealing with, introducing you to basic practical skills, and getting you started on your first hypervisor vulnerability research ideas.
Pre-requisites: C, basic familiarity with OS theory and appsec theory, any desktop hypervisor (for introspection lab).
Instructor: Alisa Esage
Level: intermediate
Availability: not available
Topics:
* Relevant theoretical background.
* Recap of the hypervisor threat model, and where we're at.
* Protocol details (OpenSLP).
* Vulnerability research workflow: from patch to PoC.
* Setting up the environment and testing the bug.
You will learn:
* Bug history and technical case studies in the same attack surface across the virtualisation industry.
* How to research and analyze security bugs when no writeup is available.
* How to create a proof-of-concept based on a security patch (source-code level).
* How to build a VMware ESXi research platform.
This bug (originally leveraged in a private competition exploit against VMware ESXi in 2018) has been discussed in my "Hypervisor Vulnerability Research" training since its inception. Now it's reported in cyber news to be actively exploited in the wild, and with this mini-training I hope not only to inspire professional vulnerability and malware researchers to dig into the less-popular attack surfaces of a hugely popular corporate hypervisor, but also to let system administrators, incident responders and self-taught computer security enthusiasts (yes, you are invited, and I promise not to be too intimidating) know their threats at the byte level, and potentially learn to avoid similar attack scenarios early, before the bug is weaponized by malicious parties.
Pre-requisites: C, ability to build and use things on Linux, basic familiarity with appsec. x86 assembly knowledge would be helpful, but is not strictly required to get the most out of the class.
Instructor: Alisa Esage
Level: advanced
Duration: 4 hours
Availability: on-demand
Topics:
* Relevant theoretical background.
* Recap of hypervisor threat models, and where we are.
* Setting up the Hyper-V testing and debugging environment.
* Review of previously published vulnerabilities in vmswitch.
* Vulnerability analysis of CVE-2019-0717.
* System internals of vmswitch.
You will learn:
* Everything that you need to know about paravirtualized devices.
* How to set up a Microsoft Hyper-V research platform.
* The threat model, system internals, and known bugs in one of the largest and most important attack surfaces of Hyper-V.
* How to write a simple fuzzer for vmswitch.
* How to analyze bugs and estimate exploitability.
The Microsoft Hyper-V Virtual Network Switch has proved very popular with bug hunters for more than one good reason, which I started to discuss in my conference talk "Hypervisor Vulnerability Research: State of the Art in 2020". In addition, this component was quickly included in my "Hypervisor Vulnerability Research" training, and as I see my past students successfully pushing this attack vector forward, I want to inspire more vulnerability researchers to look at it.
Pre-requisites: x86_64 assembly, a powerful laptop (if you want to set up a Hyper-V research platform, which is resource-hungry), some practical background in reverse engineering and vulnerability research.
Instructor: Alisa Esage
Level: advanced
Duration: 4 hours
Availability: on-demand
Virtualization hardware assist technologies such as AMD-V (previously marketed under the name SVM) and Intel VT-x (VMX) were introduced in 2006, but only now are they getting serious traction in practical implementations, due to the large amount of legacy code that mainstream hypervisors had to deal with, plus a period of de-facto lazy testing of the technology in production. As an example, legacy non-HVT code was removed from Oracle VirtualBox only around last year, while nested virtualization support (so far a popular target for security bugs in this attack surface) for Intel CPUs was added literally a few months ago. As such, hardware assist technology and the new code that it brings about represent the cutting edge of attack surfaces in modern hypervisor implementations.
Virtualization hardware assist technology (implemented similarly on Intel and AMD) is a compact hardware-based framework of new privilege separation modes and ISA extensions, designed to simplify the work of a hypervisor software developer, but not at all to make it redundant. In fact, most of the HVT-based hypervisor functionality still has to be written in high-level code, while the specific details of the hypervisor implementation built on it remain at the discretion of the software developer.
In this masterclass we'll look at Intel VT-x hardware assist technology as it's defined in Intel's specifications and used in the code of some popular hypervisors, understand the threat model and attack vectors, and take a deep dive into the publicly disclosed security bugs specific to hardware assist code.
Topics:
* A quick overview of the Intel VT-x specification.
* Core concepts of hardware assist: root/non-root mode, the VMCS struct, VM exits, ISA extension instructions.
* Inspection of hardware assist code in a popular open source hypervisor.
* Threat modeling, attack surfaces and attack vectors.
* Known vulnerabilities in popular hypervisor implementations.
You will learn:
* A very clear model of how virtualization hardware assist works.
* How hardware assist technology is used in practice, in open source code.
* Where to look for bugs.
Prerequisites:
* C++.
* x86 assembly (not mandatory, but highly recommended).
* Basic concepts of memory safety and application security.
* Some experience with privileged CPU modes and/or OS kernels would help.
Livestream date: 10th August 2024 (Saturday), 12:00-16:00 UTC
Instructor: Alisa Esage
Level: intermediate-advanced
Duration: 4 hours
Availability: registration open
Set up a Kernel Virtual Machine research & development platform, from zero to ready in four hours. A hands-on, deeply technical masterclass with the essential theory.
Topics:
* VMM theory.
* KVM architecture & system internals.
* KVM API & embedding.
* Source code orientation.
* Building & debugging KVM.
* Running your own code under KVM hardware virtualization.
* How to write your own KVM-based hypervisor (general blueprint).
Audience:
* Security researchers.
* Hypervisor & virtualization developers.
* Linux kernel hackers.
Hardware & software requirements:
* Hardware: x64 with support for nested virtualization.
* Host OS: Modern Linux (Ubuntu 24.04 LTS recommended).
* L1 Hypervisor: VirtualBox.
* Guest OS: Ubuntu 24.04 LTS (the main platform for hacking KVM).
* Linux kernel checkout, stable branch.
* IDE for code analysis (such as Visual Studio Code).
Detailed setup instructions & guidance will be provided after registration.
Prerequisites:
* C programming language.
* Comfortable with the Linux command line.
* Hypervisor theory and Operating Systems theory: the Hypervisor Vulnerability Research course or equivalent.
Contact us to register
The price of each masterclass, whether live-streamed or on-demand, is 500 Euro per person, plus merchant fees. The preferred payment method is PayPal; click the button under the class description to reserve your seat.
Payment with crypto is possible: click here (no merchant fees).
Each masterclass is typically live-streamed once; afterwards it may or may not be made available on-demand as a recording.