Poacher Turned Gamekeeper - Lessons Learned from Eight Years of Breaking Hypervisors
Offered By: Black Hat via YouTube
Course Description
Overview
Explore the world of hypervisor security in this 54-minute Black Hat conference talk by Rafal Wojtczuk. Delve into eight years of experience breaking hypervisors, examining vulnerabilities that have led to break-outs in popular systems. Gain insights into four previously undisclosed vulnerabilities and understand the trade-offs between security and functionality in hypervisor design. Compare the attack surfaces of hypervisors with user mode applications and operating system kernels, and learn why many hypervisors aren't inherently secure. Discover real-world examples of hypervisor break-outs, and acquire valuable lessons and recommendations for improving hypervisor design and hardening techniques. Engage with topics such as shared folders, delusional boot, guest PV drivers, device emulation, DMA attacks, and more in this comprehensive exploration of hypervisor security challenges and solutions.
Syllabus
Intro
Types of hypervisors, cont'd
Type 1&2 attack surface
What we compare to
How can we compare?
Notes on exploitability...
If virtualization is another layer...
The state of the Union
Case studies
Shared folders
Lesson
CVE-2007-5497
Delusional boot
Guest PV driver
CVE-2007-0069
What to do with device emulation: stub domain
DMA attacks, VT-d
How to do arbitrary DMA (Windows)
Summary
Questions?
Taught by
Black Hat