Resurrecting Zombies – Leveraging Advanced Techniques of DMA Reentrancy to Escape QEMU

Date

April 20, 2023

Time

16:30

Track

Track 1

PRESENTATION SLIDES (PDF)
Vulnerabilities in the processing of I/O requests are a major cause of QEMU escapes. However, the normal code paths in I/O handlers have been extensively audited, so in recent years hackers have turned to a new attack surface called the DMA MMIO reentrancy issue. Although these vulnerabilities were disclosed and security researchers have leveraged some of them to escape QEMU successfully, they remain hard to exploit because of several prerequisites.

Despite its potential to cause damage, reentrancy is not a vulnerability but a feature; therefore vendors sometimes fix the destructive effect instead of fixing the reentrancy itself, which gives us a chance to develop an in-depth attack. We will present advanced techniques of DMA MMIO reentrancy: DMA Reflection and DMA Refraction. We leverage the DMA operations in ‘vulnerability zombies’ that the community considers already fixed, shuttling between modules and threads like a ray, and thereby disclose a new attack approach in the spirit of ROP/JOP, which we call DMA-OP (DMA Oriented Programming).

In this talk, we’ll review the research history of the DMA MMIO reentrancy issues disclosed in recent years, explain the prerequisites in detail, and present vulnerabilities we found as examples. Then we introduce our techniques for breaking through these prerequisites. These techniques were used repeatedly to overcome challenges in the exploit process, and we’ll demonstrate all the details of our QEMU escape exploit. Additionally, we’ll present how we bypass the patch of a fixed DMA vulnerability by leveraging our techniques. Finally, we’ll outline challenges for future research on DOP.
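The abstract's point that patching the destructive effect is not the same as stopping the reentrancy, shown in a toy device model added here (not code from the talk or from QEMU). The device, its SRC/DST/KICK registers and the address layout are constructed for the example; the per-region busy flag is modelled on the reentrancy guard QEMU ships, not copied from it.

```c
#include <stdint.h>
#include <string.h>
/* Toy model of an emulated device (constructed for illustration; not QEMU code).
 * Guest RAM and the device's MMIO window share one flat guest-physical address space. */
enum { RAM_SIZE = 0x1000, MMIO_BASE = 0x2000, MMIO_SIZE = 0x10 };
enum { REG_DMA_SRC = 0x0, REG_DMA_DST = 0x4, REG_DMA_KICK = 0x8 };
static uint8_t guest_ram[RAM_SIZE];
uint32_t reflected_final_dst;   /* value of dma_dst after a run, for inspection */

typedef struct {
    uint32_t dma_src, dma_dst;
    int guard_enabled;                   /* 0: only the destructive effect is patched; 1: guard on */
    int engaged_in_io, depth, max_depth; /* per-region busy flag; current and deepest nesting */
} Device;
static void mmio_write(Device *d, uint32_t off, uint32_t val);

/* Device-initiated DMA; a destination inside the device's own MMIO window re-enters the handler. */
static void dma_write(Device *d, uint32_t dst, const uint8_t *buf, size_t len) {
    if (dst + len <= RAM_SIZE) {
        memcpy(guest_ram + dst, buf, len);
    } else if (len == 4 && dst >= MMIO_BASE && dst + 4 <= MMIO_BASE + MMIO_SIZE) {
        uint32_t v; memcpy(&v, buf, 4);
        mmio_write(d, dst - MMIO_BASE, v);   /* the kicking write is still on the stack here */
    }
}

static void mmio_write(Device *d, uint32_t off, uint32_t val) {
    if (d->guard_enabled && d->engaged_in_io) return;  /* nested access to a busy region is dropped */
    d->engaged_in_io = 1;
    if (++d->depth > d->max_depth) d->max_depth = d->depth;
    switch (off) {
    case REG_DMA_SRC: d->dma_src = val; break;
    case REG_DMA_DST: d->dma_dst = val; break;
    case REG_DMA_KICK:     /* the source bounds check alone is a "destructive effect" fix */
        if (d->dma_src + 4 <= RAM_SIZE) dma_write(d, d->dma_dst, guest_ram + d->dma_src, 4);
        break;
    }
    d->depth--; d->engaged_in_io = 0;
}

/* Guest aims the DMA at the device's own DST register (a reflected DMA). Returns the max nesting depth. */
int run_reflected_dma(int guard_enabled) {
    Device d = { .guard_enabled = guard_enabled };
    uint32_t payload = 0x200;   /* constructed guest data placed at RAM offset 0x100 */
    memcpy(guest_ram + 0x100, &payload, 4);
    mmio_write(&d, REG_DMA_SRC, 0x100);
    mmio_write(&d, REG_DMA_DST, MMIO_BASE + REG_DMA_DST);
    mmio_write(&d, REG_DMA_KICK, 1);
    reflected_final_dst = d.dma_dst;
    return d.max_depth;
}
```

With the guard off, the nested write reaches depth 2 and silently rewrites dma_dst to 0x200 underneath the outer handler; with it on, the reflected access is dropped and the register keeps its value.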

Bonus

  • I will release the full exploit code of the vulnerability that I use to pwn QEMU (0-day)
  • I may release a tool for building a DOP-chain on QEMU automatically; the tool is still being developed at the time of submission, but will be released at the conference if it’s finished in time

Speakers

Security Research Expert

DBAPPSecurity WeBin Lab

Security Expert

DBAPPSecurity WeBin Lab
