Virtualization Under Attack Breaking out of KVM

Presented at DEF CON 19 (2011), Aug. 7, 2011, 5 p.m. (50 minutes)

KVM, the Linux Kernel Virtual Machine, seems destined to become the dominant open-source virtualization solution on Linux. Virtually every major Linux distribution has adopted it as their standard virtualization technology for the future. And yet, to date, remarkably little work has been done on exploiting vulnerabilities to break out of KVM. We're here to fix that. We'll take a high-level look at KVM's architecture, comparing and contrasting with other virtualization systems and describing attack surfaces and possible weaknesses. Using the development of a fully-functioning exploit for a recent KVM vulnerability, we'll describe some of the difficulties involved with breaking out of a VM, as well as some features of KVM that are helpful to an exploit author. Once we've explored the exploit in detail, we'll finish off with a demonstration against a live KVM instance.

Presenters:

• Nelson Elhage
  Nelson Elhage is a kernel hacker for Ksplice, Inc., where he works on providing rebootless security updates for the Linux kernel. In his spare time, he mines for bugs in the Linux kernel and other pieces of open-source systems software. @nelhage

Links:

• https://defcon.org/html/defcon-19/dc-19-speakers.html#Elhage
• https://infocon.org/cons/DEF CON/DEF CON 19/DEF CON 19 video and slides/DEF CON 19 - Nelson Elhage - Virtualization Under Attack Breaking out of KVM - Video and Slides.mp4 (Video and Slides)
• https://www.youtube.com/watch?v=vVJks6fRo9U

Similar Presentations:

• Black Hat USA 2021 / Alcatraz: A Practical Hypervisor Sandbox to Prevent Escapes from the KVM/QEMU and KVM-Based MicroVMs
• Black Hat USA 2011 / Virtualization Under Attack: Breaking out of KVM
• Black Hat USA 2018 / Back to the Future: A Radical Insecure Design of KVM on ARM