3d Red Pill: A Guest-to-Host Escape on QEMU/KVM Virtio Device

Presented at Black Hat Asia 2020 Virtual, Oct. 1, 2020, 11:20 a.m. (40 minutes)

As a critical para-virtualized driver platform for the hypervisor, virtio has been widely adopted in qemu/kvm virtual machine for better I/O performance. Vulnerabilities that have been explored so far fail to carry out guest-to-host escape, the impacts of which are relatively minor (e.g., crashing a virtual machine). In this talk, we demonstrate how our 3dRedPill exploit breaks the security measures of virtio-gpu devices, achieving a full guest-to-host escape exploitation. To our knowledge, this is the first guest-to-host escape exploit in the context of virtio device exploitation.<br><br>Particularly, our 3dRedPill is based on a heap-overflow vulnerability (CVE-2019-18389), discovered in a known third-party library, virglrenderer, which is supposed to provide virtual 3D GPU for the guest machine. Although address space layout randomization (ASLR) is enforced by default, 3dRedPill was able to bypass it and hijack the control flows of victim programs. Here are the procedures: <br><ul><li>(i) Initially, our exploit obtains the leaked information from shared memory and search for hypervisor addresses, in order to bypass ASLR.</li><li>(ii) Afterward, a victim structure is selected, and with the heap spray technique, the exploit can overwrite arbitrary data by manipulating data pointers.</li><li>(iii) Finally, it hijacks the control flow by overwriting a specified pointer from hypervisor.</li></ul><br>While this vulnerability has been reported by us and patched soon after, nobody knows when and how other vulnerabilities against virtio devices will be exposed. With regards to lessons learned, our talk also highlights a few interesting topics that are closely related to our work. For example, the stateful fuzzing technique, which contributes to our vulnerability discovery, will be discussed. We will offer some approaches allowing the customized fuzzer to achieve better performance. We believe that the technique insights we present will benefit the researchers who are working on the same area.

Presenters:

• Yue Zhang - PhD Student, Jinan University
  Yue Zhang is a PhD student in the College of Information Science and Technology & College of Cyber Security at Jinan University, under the supervision of Jian Weng. Also, he studied and worked at the University of Central Florida (UCF) / University of Massachusetts Lowell (UML), under the supervision of Xinwen Fu. His research focuses on system security, especially IoT security. He has identified design flaws of Android which were officially confirmed as High severity by Google. A few vulnerabilities of Texas Instruments (TI) that he identified were able to break the Bluetooth permission policy, and TI released a patched SDK based on his report. He has also explored the design flaws that severely undermine the security of Cloud Drives. His findings were widely reported by mainstream media in China, including China Central Television (CCTV), Weibo, Sohu, and various other presses. Other exploits influenced Microsoft, Logitech and various other known vendors. He has published papers in international conferences and journals such as IEEE TDSC, IEEE TPDS, IEEE TVT, RAID, etc.
• Jian Weng - Professor, Jinan University
  <span>Jian Weng is a professor and Dean with College of Information Science and Technology in Jinan University. He received his BS degree and MS degree from South China University of Technology in 2001 and 2004 respectively, and the PhD degree from Shanghai Jiao Tong University in 2008. His research interests include public key cryptography and system security. He has published more than 100 papers in international conferences and journals such as CRYPTO, EUROCRYPT, ASIACRYPT, TCC, PKC, etc. He received the Young Scientists Fund of the National Natural Science Foundation of China (NSFC) in 2018, and the Cryptography Innovation Award from Chinese Association for Cryptologic Research (CACR) in 2015. He served as General Co-Chair for SecureComm 2016, TPC Co-Chairs for RFIDsec’13 Asia and ISPEC 2011, and program committee members for more than 40 international cryptography and information security conferences. He also serves as associate editor of IEEE Transactions on Vehicular Technology.</span>
• Zhijian Shao - Graduate Student, Jinan University
  Zhjian Shao (Matthew Shao) is a graduate student at Jinan University, China, under the supervision of Jian Weng. He is an enthusiastic CTF player and a member of Xp0int CTF Team. His research interests are IoT Secuirty, Virtualization Security and Binary Analysis. Prior to that he received the BS Computer Science degree from Jinan University at 2018.

Links:

• https://www.blackhat.com/asia-20/briefings/schedule/#3d-red-pill--a-guest-to-host-escape-on-qemukvm-virtio-device-18583

Similar Presentations:

• Black Hat USA 2019 / Behind the Scenes of Intel Security and Manageability Engine
• Black Hat USA 2019 / Practical Approach to Automate the Discovery and Eradication of Open-Source Software Vulnerabilities at Scale
• Black Hat USA 2019 / Death to the IOC: What's Next in Threat Intelligence