Hypervisor exploitation, or how to develop a driver

While doing vulnerability research on virtualization and hypervisors, exploit developers often face the task of kernel module development, or more precisely, driver development.

The problem arose when we, at Alter Solutions, tried to write a proof of concept for a VirtualBox vulnerability. This vulnerability was disclosed last year by a security researcher using the pseudonym MorteNoir, and affected the E1000 network card implementation in VirtualBox.

When we asked about details that are not present in the original publication, MorteNoir replied:

“I omitted many low-level details regarding E1000. If you really want to make a PoC you should start from the datasheet. It will be hard and very time consuming for the first time.”

So we decided to get our hands dirty and dig into the low-level details. The process was instructive, and we want to share our experience in this paper with other researchers so that they can concentrate on what matters: the security research. Reading the many scattered resources took time, so we decided to put it all in one place.

The first section deals with kernel modules and driver development in general. The second section focuses on the details of the E1000 network card.

This paper is limited to the Linux operating system; the driver development part can be applied to any network card given the right parameters.

The VirtualBox vulnerability, in short, consisted of two overflows, one on the heap and one on the stack, that could be triggered by sending well-crafted network packets. But in order to send those packets, a specific, minimal implementation of the network card driver is needed.

The first part of the paper covers which function calls are necessary, and in which order, to register the driver and get it working in Linux. The second part presents the E1000 specifics needed to send packets.

The goal is to help novice security researchers who want to get into the hypervisor exploitation field reproduce MorteNoir's PoC using only this paper in addition to the original publication.

About the Speakers