Xenpwn: Breaking Paravirtualized Devices

Presented at Black Hat USA 2016, Aug. 3, 2016, 1:50 p.m. (50 minutes)

Instead of simply emulating old and slow hardware, modern hypervisors use paravirtualized devices to give guests access to virtual hardware. Bugs in the privileged backend components can allow an attacker to break out of a guest, which makes them an interesting target. In this talk, I'll present the results of my research on the security of these backend components and discuss Xenpwn, a hypervisor-based memory access tracing tool used to discover multiple critical vulnerabilities in paravirtualized drivers of the Xen hypervisor. If you like virtualization security, race conditions, vulnerabilities introduced by compiler optimizations, or are a big fan of Bochspwn, this is the right talk for you.

Presenters:

  • Felix Wilhelm - ERNW Research
    Felix Wilhelm is a security researcher working for ERNW Research. His main interests are application security, reverse engineering and virtualization security. Felix has disclosed critical vulnerabilities in popular products such as Xen, Hyper-V, IBM GPFS and FireEye's MPS, and has presented his work at international conferences including Syscan, Hack in the Box, 44Con, Infiltrate and Troopers.