Xenpwn - Breaking Paravirtualized Devices

Explore a comprehensive Black Hat conference talk on breaking paravirtualized devices in hypervisors. Delve into Felix Wilhelm's research on the security of backend components and learn about Xenpwn, a hypervisor-based memory access tracing tool. Discover critical vulnerabilities in Xen hypervisor's paravirtualized drivers, and gain insights into virtualization security, race conditions, and compiler optimization-induced vulnerabilities. Examine topics such as device virtualization architecture, shared memory security, memory access tracing techniques, and nested virtualization. Analyze real-world examples, including Windows kernel exploits, and understand the advantages and limitations of various approaches. Witness a live demonstration and grasp complex concepts like indirect jumps, mutex locks, and memory layouts in hypervisor security.

Welcome
Device Virtualization
Architecture
Shared Memory
Security
Research Goal
History
Example
Box
Windows kernel
Memory Access Tracing
Trace Collector
ZeroTrace
DoubleFetch
Advantages and Limitations
Nested Virtualization
KVM
QM
Blockback
PCI Pack
Exploit
Indirect Jump
Mutex Lock
Mutex Beta Structure
Memory Layout
Global Data
Formats
Code Execution
Demo
Final slides