Vulnerabilities in the processing of I/O requests are usually an important cause of QEMU escapes. However, the normal code in I/O handlers has been extensively audited, so in recent years hackers have turned to a new attack surface: the DMA MMIO reentrancy issue. Although these vulnerabilities have been disclosed and security researchers have leveraged some of them to escape QEMU successfully, they remain hard to exploit because of several prerequisites.
Despite its potential to cause damage, reentrancy is not a vulnerability but a feature. Vendors therefore sometimes fix the destructive effect instead of fixing the reentrancy itself, which gives us a chance to develop an in-depth attack. We will present advanced techniques of DMA MMIO reentrancy: DMA Reflection/DMA Refraction. We leverage the DMA operations in ‘vulnerability zombies’ that the community considered already fixed, shuttling between modules and threads like a ray, and thereby disclose a new attack approach similar to ROP/JOP, which we call DMA-OP (DMA Oriented Programming).
In this talk, we’ll review the research history of the DMA MMIO reentrancy issues that were disclosed in recent years, explain the prerequisites in detail, and present vulnerabilities we found as examples. Then we introduce our techniques, which can break through these prerequisites. These techniques were frequently used to overcome challenges in the exploit process, and we’ll demonstrate all the details of our exploit for escaping QEMU. Additionally, we’ll present how we bypass the patch for a fixed DMA vulnerability by leveraging our techniques. Finally, we’ll outline challenges for future research on DOP.
- I will release the full exploit code of the vulnerability that I use to pwn QEMU (0-day)
- I may release a tool for building a DOP-chain on QEMU automatically; the tool is still being developed at the time of submission but will be released at the conference if it’s finished in time