Explore a groundbreaking technique for guest-to-host escape exploitation in QEMU/KVM hypervisors through this 53-minute conference talk from Hack In The Box Security Conference. Discover the "Timekiller" attack approach, which leverages asynchronous clock mechanisms to turn a heap overflow write vulnerability into a powerful exploit. Learn how to transform a malloc-use-free primitive into a malloc primitive and achieve arbitrary address write capabilities. Witness the first public virtual machine escape exploit in the virtio-crypto device, demonstrating how Timekiller can be combined with virtio-crypto device structures to exploit most heap overflow write vulnerabilities in QEMU. Gain insights from a team of skilled researchers who have made significant contributions to system security and virtualization security, including reporting vulnerabilities in KVM, QEMU, and VirtualBox.
Timekiller: Escape From QEMU/KVM - Exploiting Asynchronous Clock Vulnerabilities
Hack In The Box Security Conference via YouTube
Overview
Syllabus
#HITB2023HKT D1T2 - Timekiller: Escape From QEMU/KVM - Y. Jia, X. Lei, Yiming Tao, G. Pan & C. Wu
Taught by
Hack In The Box Security Conference