Hypervisor Security Nightly

4-hour livestream or video deep-dives into various aspects of hypervisor (in)security, including vulnerability research and exploit development, reverse engineering, implementation studies, and technology.

All mini-classes are taught by specialists in the subject who have demonstrated solid and credible achievement in the respective mini-class subject. Expect deeply systematic theory with 25-40% hands-on experience, rich in practical tips and insights from practitioners.

Mini-class: Hypervisor Vulnerability Research 101

Livestream date: 26th June 2021 (Saturday), 13:00-17:00 UTC. On-demand: not available. Instructor: Alisa Esage. Level: beginners.

Topics:
* The Hypervisor Threat (meta)Model.
* Overview of required theoretical knowledge.
* First exposure to a popular hypervisor code base (static analysis).
* Hypervisor introspection lab: what can you learn about your hypervisor from within a VM?
* Hardware assist demystified.
* Common classes of bugs.
* Practical tips.

You will learn:
* The "Big Picture" and the "Deep Picture" of hypervisor technologies.
* What you need to read, and the skills you need, for attacking and securing hypervisors.
* How to get started with huge code bases.
* How to map some simple hypervisor attack vectors without looking at the code.
* How and where you can find some simple bugs in hypervisors as a beginner.

For those thinking about entering the complex area of hypervisor security research, bug hunting for some bounty programs, and maybe competing at Pwn2Own in the virtualisation category: this mini-training should help you make that decision by exposing you to the "big picture" of what we're dealing with, introducing you to basic practical skills, and getting you started with your first hypervisor vulnerability research ideas.

Pre-requisites: C, basic familiarity with OS theory and appsec theory, any desktop hypervisor (for introspection lab).

Mini-class: Deep Dive VMWare ESXi OpenSLP Heap Overflow (CVE-2019-5544)

Livestream date: 19th June 2021 (Saturday), 13:00-17:00 UTC. Instructor: Alisa Esage. On-demand: not available. Level: intermediate.

Topics:
* Relevant theoretical background.
* Recap of the hypervisor threat model, and where we're at.
* Protocol details (OpenSLP).
* Vulnerability research workflow: from patch to PoC.
* Setting up the environment and testing the bug.

You will learn:
* Bug history and technical case studies in the same attack surface across the virtualisation industry.
* How to research and analyze security bugs when no writeup is available.
* How to create a proof-of-concept based on a security patch (source-code level).
* How to build a VMware ESXi research platform.

This bug (originally leveraged in a private competition exploit against VMware ESXi in 2018) has been discussed in my "Hypervisor Vulnerability Research" training since its inception. Now it's reported in cyber news to be actively exploited in the wild, and with this mini-training I hope not only to inspire professional vulnerability and malware researchers to dig into the less-popular attack surfaces of a hugely popular corporate hypervisor, but also to let system administrators, incident responders and self-taught computer security enthusiasts (yes, you are invited, and I promise not to be too intimidating) know their threats at the byte level, and potentially learn to avoid similar attack scenarios early, before a bug is weaponized by malicious parties.

Pre-requisites: C, ability to build and use things on Linux, basic familiarity with appsec. x86 assembly knowledge would be helpful, but is not strictly required to get the most out of the class.

Mini-class: Deep Dive Microsoft Hyper-V Virtual Network Switch

Livestream date: 12th June 2021 (Saturday), 13:00-17:00 UTC. Instructor: Alisa Esage. On-demand: recording available. Level: advanced.

Topics:
* Relevant theoretical background.
* Recap of hypervisor threat models, and where we are.
* Setting up the Hyper-V testing and debugging environment.
* Review of previously published vulnerabilities in vmswitch.
* Vulnerability analysis of CVE-2019-0717.
* System internals of vmswitch.

You will learn:
* Everything that you need to know about paravirtualized devices.
* How to set up a Microsoft Hyper-V research platform.
* The threat model, system internals, and known bugs in one of the largest and most important attack surfaces of Hyper-V.
* How to write a simple fuzzer for vmswitch.
* How to analyze bugs and estimate exploitability.

Microsoft Hyper-V Virtual Network Switch has proved to be very popular with bug hunters for more than one good reason, which I started to discuss in my conference talk "Hypervisor Vulnerability Research: State of the Art in 2020". In addition, this component was quickly included in my "Hypervisor Vulnerability Research" training, and as I see my past students successfully pushing this attack vector forward, I want to inspire more vulnerability researchers to look at it.

Pre-requisites: x86_64 assembly, a powerful laptop (if you want to set up a Hyper-V research platform, which is resource-hungry), some practical background in reverse engineering and vulnerability research.

Mini-class: Virtualization Hardware Assist Demystified

Livestream date: 28th August 2021 (Saturday), 13:00-17:00 UTC. Instructor: Alisa Esage. On-demand: recording available. Level: advanced.

Virtualization hardware assist technologies such as AMD-V (previously marketed under the name SVM) and Intel VT-x (VMX) were introduced in 2006, but only now are they getting serious traction in practical implementations, due to the large amount of legacy code that mainstream hypervisors had to deal with, plus a period of de-facto lazy testing of the technology in production. As an example, legacy non-HVT code was removed from Oracle VirtualBox only around last year, while nested virtualization support (so far a popular target for security bugs in this attack surface) for Intel CPUs was added literally a few months ago. As such, hardware assist technology and the new code that it brings about represent the cutting edge of attack surfaces in modern hypervisor implementations.

Virtualization hardware assist technology (implemented similarly on Intel and AMD) is a compact hardware-based framework of new privilege separation modes and ISA extensions, designed to simplify the work of a hypervisor software developer, but not at all to make it redundant. In fact, most of the HVT-based hypervisor functionality still has to be written in high-level code, while the specific details of a hypervisor implementation built on it remain at the discretion of the software developer.

In this mini-class we'll look at Intel VT-x hardware assist technology as it's defined in Intel's specifications and used in the code of some popular hypervisors, understand the threat model and attack vectors, and take a deep dive into the security bugs specific to hardware assist code that have been publicly disclosed so far.

Topics:
* A quick overview of the Intel VT-x specification.
* Core concepts of hardware assist: root/non-root mode, the VMCS structure, VM exits, ISA extension instructions.
* Inspection of hardware assist code in a popular open source hypervisor.
* Threat modeling, attack surfaces and attack vectors.
* Known vulnerabilities in popular hypervisor implementations.

You will learn:
* A very clear model of how virtualization hardware assist works.
* How hardware assist technology is used in practice, in open source code.
* Where to look for bugs.

Prerequisites:
* C++.
* x86 assembly (not mandatory, but highly recommended).
* Basic concepts of memory safety and application security.
* Some experience with privileged CPU modes and/or OS kernels would help.

Booking & availability

The price of each mini-class (either live or on-demand) is 525 EUR.

Each mini-class is typically live-streamed once; afterwards it's available on-demand as a recording. If you purchase an on-demand mini-class, you can ask the instructor questions by email.

Notes:
1. We will contact you shortly after the payment, at the email address you provided.
2. Payment via PayPal is non-refundable. For more flexible payment options, contact us via email.
3. If you don't hear from us within 3 business days (which may be due to email system issues), reach out via @zerodaytraining Twitter DM.

Topic suggestions and interest indications are welcome.