In 2020, Hyper-V introduced a new GPU paravirtualization feature built on GPU virtualization technology. This technology is integrated into WDDM (Windows Display Driver Model), and all WDDMv2.5 or later drivers have native support for GPU virtualization. However, new features mean new attack surfaces.
In this talk, I will disclose 4 vulnerabilities in the Hyper-V DirectX component that I found and that have since been fixed. Two of these vulnerabilities could allow an attacker running a specially crafted application on a guest operating system to cause the Hyper-V host operating system to execute arbitrary code.
To understand these vulnerabilities, I will first introduce the basic architecture of the Hyper-V DirectX component and explain how to configure the virtual machine parameters so that this virtual device can be used inside a virtual machine. By referring to the WSL Linux kernel source code and to reverse engineering, I will introduce the attack surface of the Hyper-V DirectX component. Disclosing the 4 vulnerabilities in the Hyper-V DirectX component will give you a better understanding of this attack surface. Later, I will describe how to use fuzzing to find vulnerabilities in this attack surface, using a simple fuzzing framework I wrote myself as a learning case. Finally, I'll share takeaways and my opinions on this attack surface, as well as speculation on the future development of the Hyper-V DirectX component.