Advanced DMA Reentrancy Techniques to Escape QEMU
Offered By: Hack In The Box Security Conference via YouTube
Course Description
Overview
Explore advanced DMA reentrancy techniques for escaping QEMU in this 49-minute conference talk from the Hack In The Box Security Conference. The talk covers DMA MMIO reentrancy issues: an emulated device's MMIO handler starts a DMA transfer whose target lies in the device's own MMIO window, so the handler is re-entered while its state is still being modified. Because the ordinary I/O handler code paths have been audited extensively, this reentrancy surface has become the one attackers concentrate on. Learn about the DMA Reflection and DMA Refraction techniques, and see how already-fixed bugs ('vulnerability zombies') can be chained into a new attack approach the speakers call DMA Oriented Programming (DMA-OP, or DOP). The talk reviews the research history of DMA MMIO reentrancy issues, spells out the prerequisites for triggering them, and walks through real-world vulnerabilities as examples. It then discusses how the exploitation challenges were overcome, including a demonstration of a QEMU escape exploit, shows how the patches for fixed DMA vulnerabilities can be bypassed, and closes with open problems in DOP research. As a bonus, the speakers plan to release full exploit code for a 0-day QEMU vulnerability and possibly a tool for automatically building DOP chains on QEMU.
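To make the reentrancy pattern concrete, here is a small constructed C model of an emulated device, added here as an illustration; it is not code from the talk or from QEMU, and the device, its register layout and the guest "attack" sequence are all invented. The device has a DMA engine that copies a device-owned buffer to a guest-chosen address, and a RESET register that frees and replaces that buffer. Pointing the DMA destination at the device's own RESET register makes the first copied byte re-enter the handler and free the buffer underneath the in-flight copy (a use-after-free in a real emulator; the model detects it instead of dereferencing freed memory). A per-device "engaged in I/O" flag, in the spirit of the reentrancy guard modern QEMU applies to device MMIO, refuses the nested access and stops the bug.

```c
/* Toy model of a DMA -> MMIO reentrancy bug. Constructed example, not QEMU code.
 * Flat 256-byte physical map: 0x00-0x7F guest RAM, 0x80-0xFF the device's MMIO window. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define RAM_SIZE  0x80
#define MMIO_BASE 0x80
#define BUF_SIZE  16

/* Hypothetical register layout, one byte per register. */
enum { REG_DST = 0, REG_LEN = 1, REG_CMD = 2, REG_RESET = 3 };

typedef struct {
    uint8_t *buf;           /* device-owned buffer the DMA engine reads from */
    unsigned buf_gen;       /* bumped every time buf is replaced */
    uint8_t  dma_dst;       /* guest-physical destination programmed by the guest */
    uint8_t  dma_len;
    int      guard_enabled; /* 0: vulnerable device, 1: hardened device */
    int      engaged_in_io; /* set while an MMIO handler of this device is running */
    int      uaf;           /* set if buf was freed underneath an in-flight DMA */
    int      dropped;       /* reentrant accesses refused by the guard */
    uint8_t  ram[RAM_SIZE];
} toy_dev;

static void mmio_write(toy_dev *d, uint8_t off, uint8_t val);

/* Address-space write used by the DMA engine: lands in RAM or back in our own MMIO window. */
static void dma_write_byte(toy_dev *d, uint8_t gpa, uint8_t val) {
    if (gpa >= MMIO_BASE)
        mmio_write(d, (uint8_t)(gpa - MMIO_BASE), val); /* the reentry point */
    else
        d->ram[gpa] = val;
}

static void do_dma(toy_dev *d) {
    unsigned gen = d->buf_gen;
    uint8_t *src = d->buf;                 /* pointer captured before the copy starts */
    for (uint8_t i = 0; i < d->dma_len; i++) {
        if (d->buf_gen != gen) {           /* a reentrant REG_RESET replaced the buffer */
            d->uaf = 1;                    /* a real emulator would read freed memory here */
            return;
        }
        dma_write_byte(d, (uint8_t)(d->dma_dst + i), src[i]);
    }
}

static void mmio_write(toy_dev *d, uint8_t off, uint8_t val) {
    /* Reentrancy guard: refuse MMIO accesses that arrive while this device is already in I/O. */
    if (d->guard_enabled && d->engaged_in_io) { d->dropped++; return; }
    d->engaged_in_io = 1;
    switch (off) {
    case REG_DST:   d->dma_dst = val; break;
    case REG_LEN:   d->dma_len = val; break;
    case REG_CMD:   if (val) do_dma(d); break;
    case REG_RESET: {                      /* replace the buffer; the old one is freed */
        uint8_t *fresh = calloc(BUF_SIZE, 1);
        free(d->buf);
        d->buf = fresh;
        d->buf_gen++;
        break;
    }
    default: break;
    }
    d->engaged_in_io = 0;
}

/* Guest-side sequence. Returns 1 if the DMA copy ran past a freed buffer;
 * *dropped receives the number of reentrant accesses the guard refused. */
int run_attack(int guard_enabled, int *dropped) {
    toy_dev d;
    memset(&d, 0, sizeof d);
    d.guard_enabled = guard_enabled;
    d.buf = calloc(BUF_SIZE, 1);
    memset(d.buf, 0x41, BUF_SIZE);
    mmio_write(&d, REG_DST, MMIO_BASE + REG_RESET); /* aim the DMA at our own RESET register */
    mmio_write(&d, REG_LEN, 4);
    mmio_write(&d, REG_CMD, 1);                     /* kick: first byte re-enters via REG_RESET */
    int hit = d.uaf;
    if (dropped) *dropped = d.dropped;
    free(d.buf);
    return hit;
}

int main(void) {
    int dr;
    printf("vulnerable device: uaf=%d\n", run_attack(0, &dr));
    printf("guarded device:    uaf=%d, reentrant accesses dropped=%d\n", run_attack(1, &dr), dr);
    return 0;
}
```

The guard is what the fixed code path looks like; the talk's point is that guards and fixes for individual devices leave enough unguarded or partially guarded handlers that reentrant DMA can still be chained across them, which is the gap DMA-OP exploits.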
Syllabus
#HITB2023AMS D1T1 - Advanced DMA Reentrancy Techniques To Escape QEMU - A. Wang & Q. Jin
Taught by
Hack In The Box Security Conference
Related Courses
Linux for Network Engineers: Practical Linux with GNS3 (Udemy)
Architecture 4031: x86-64 Reset Vector: coreboot (OpenSecurityTraining2 via Independent)
Linux Foundation Cert Prep: Virtualization (Ubuntu) (LinkedIn Learning)
Embedded Linux (Udemy)
Windows Inside of Linux (Chris Titus Tech via YouTube)