Hypervisor exploitation, or how to develop a driver

While doing vulnerability research on virtualization/hypervisors, exploit developers often cope with the task of kernel module development or more precisely driver development.

The problem raised when we, at Alter Solutions, tried to code a proof of concept for a Virtualbox vulnerability. This vulnerability was disclosed last year by a security researcher whose pseudo is MorteNoir, and impacted the E1000 network card implementation in Virtualbox.

When answering our questions about some details, that are not present in the original publication, MorteNoir replied:

“I omitted many low-level details regarding to E1000. If you really want to make a PoC you should start from the datasheet. It will be hard and very time consuming for the first time.”

So we decided to get our hands dirty and get into the low-level details. The process was instructive and we wanted to share our experience in this paper to other researchers so that they can concentrate on doing what matters, the security research. We have read many resources which took time, so the idea came to put it all in one place.

The first section deals on kernel modules and driver development in general. The second section focuses on the details of E1000 network card.

This paper is limited to Linux operating system and can be applied to any network card with the right parameters.

About the Speakers