{"id":8771,"date":"2021-05-07T09:58:11","date_gmt":"2021-05-07T07:58:11","guid":{"rendered":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/?post_type=session&#038;p=8771"},"modified":"2023-05-11T03:12:27","modified_gmt":"2023-05-11T03:12:27","slug":"resurrecting-zombies-leveraging-advanced-techniques-of-dma-reentrancy-to-escape-qemu","status":"publish","type":"session","link":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/session\/resurrecting-zombies-leveraging-advanced-techniques-of-dma-reentrancy-to-escape-qemu\/","title":{"rendered":"Resurrecting Zombies &#8211; Leveraging Advanced Techniques of DMA Reentrancy to Escape QEMU"},"content":{"rendered":"<p><iframe title=\"#HITB2023AMS D1T1 - Advanced DMA Reentrancy Techniques To Escape QEMU - A.  Wang &amp; Q. Jin\" width=\"800\" height=\"450\" src=\"https:\/\/www.youtube.com\/embed\/km6QTMDb8Yw?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" allowfullscreen><\/iframe><\/p>\n<p><a href=\"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/materials\/D1T1%20-%20Leveraging%20Advanced%20Techniques%20of%20DMA%20Reentrancy%20to%20Escape%20QEMU%20-%20Quan%20Jin%20&amp;%20Ao%20Wang.pdf\">PRESENTATION SLIDES (PDF)<\/a><\/p>\n<hr \/>\n<p style=\"text-align: justify;\">Vulnerabilities in the processing of I\/O requests are usually an important reason for escaping QEMU. However, the normal code in I\/O handlers has been extensively audited, so in recent years hackers have turned their focus to a new attack surface called the DMA MMIO reentrancy issue. 
Although these vulnerabilities have been disclosed and security researchers have leveraged some of them to escape QEMU successfully, they are still hard to exploit because of certain prerequisites.<\/p>\n<p style=\"text-align: justify;\">Despite its potential to cause damage, reentrancy is not a vulnerability but a feature; therefore vendors sometimes fix the destructive effect instead of the reentrancy itself, which gives us a chance to develop an in-depth attack. We will present advanced techniques of DMA MMIO reentrancy &#8211; DMA Reflection and DMA Refraction. We leverage the DMA operations in &#8216;vulnerability zombies&#8217; that the community considers already fixed, shuttling between modules and threads like a ray, and thereby disclose a new attack approach in the spirit of ROP\/JOP, which we call DMA-OP (DMA Oriented Programming).<\/p>\n<p style=\"text-align: justify;\">In this talk, we&#8217;ll review the research history of the DMA MMIO reentrancy issues disclosed in recent years, explain the prerequisites in detail, and present vulnerabilities we found as examples. Then we introduce our techniques, which can break through these prerequisites. These techniques were used repeatedly to overcome challenges in the exploit process; <strong>we&#8217;ll demonstrate all details of our exploit for escaping QEMU. 
Additionally, we&#8217;ll present how we bypass the patch of a fixed DMA vulnerability by leveraging our techniques.<\/strong> Finally, we&#8217;ll outline challenges for future research on DOP.<\/p>\n<p><strong>Bonus<\/strong><\/p>\n<ul>\n<li>I will release the full exploit code of the vulnerability that I use to pwn QEMU (0-day)<\/li>\n<li>I may release a tool for building a DOP-chain on QEMU automatically, the tool is still being developed at the time of submission but will be released at the conference if it&#8217;s finished in time<\/li>\n<\/ul>\n","protected":false},"template":"","class_list":["post-8771","session","type-session","status-publish","hentry"],"acf":[]}