Timekiller: Leveraging Asynchronous Clock to Escape from QEMU/KVM

Date

August 24, 2023

Time

17:30

Track

Track 2

Asynchronous clocks are used extensively in hypervisors: they let a device defer work instead of blocking the calling thread, which improves the responsiveness of the software. Many devices in QEMU use asynchronous clocks to process their tasks, including the network, USB, disk and crypto devices. However, we find that an attacker can leverage the asynchronous clock to mount race-condition attacks, which can help to build an exploit.

In this talk, we demonstrate how to achieve a full guest-to-host escape using nothing more than a single heap overflow write vulnerability.

We will show how to turn a malloc-use-free primitive into a malloc primitive, and a heap overflow write into an arbitrary address write (AAW), by leveraging the asynchronous clock. This makes a hard-to-exploit vulnerability exploitable without relying on any other device in QEMU; we call this new attack approach Timekiller. To our knowledge, this is the first attack technique that leverages the asynchronous clock to complete a guest-to-host escape exploit.
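The abstract does not say how the deferred timer work is used, so the following is an added illustration written for this page, not code from the talk or from QEMU. It models one way a deferred completion can turn malloc-use-free into a net allocation: a toy device keeps a single pending buffer whose free is scheduled on a timer, and a new request re-arms the timer and overwrites the pending pointer before the old one has been released. The timer API, the `ToyDev` device, `run_scenario` and the request payload are all constructed for the example; the real Timekiller mechanism may differ.

```c
/*
 * Added illustration for this page (hypothetical device, not QEMU code and
 * not the Timekiller technique itself): deferring a device's "free" to a
 * timer callback, and letting the guest re-arm that timer before it fires,
 * turns malloc-use-free into malloc for every request but the last.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal single-timer model in the spirit of QEMU's deadline timers. */
typedef struct Timer {
    int64_t expire;              /* virtual-clock deadline in ns */
    void (*cb)(void *opaque);
    void *opaque;
    int armed;
} Timer;

static int64_t vclock_ns;        /* simulated virtual clock */

static void timer_mod_ns(Timer *t, int64_t expire) { t->expire = expire; t->armed = 1; }

/* Advance the clock and run the callback once its deadline has passed. */
static void clock_advance(Timer *t, int64_t ns)
{
    vclock_ns += ns;
    if (t->armed && t->expire <= vclock_ns) {
        t->armed = 0;
        t->cb(t->opaque);
    }
}

/* Hypothetical device: one request buffer in flight, completion on a timer. */
typedef struct ToyDev {
    Timer completion;
    uint8_t *pending;            /* buffer whose free is deferred to the timer */
    size_t live_allocs;          /* bookkeeping: malloc'd but not yet freed */
} ToyDev;

static void completion_cb(void *opaque)
{
    ToyDev *d = opaque;
    free(d->pending);            /* the deferred "free" of malloc-use-free */
    d->pending = NULL;
    d->live_allocs--;
}

/* Synchronous handler: malloc, use, free. Nothing is left behind. */
static void handle_request_sync(ToyDev *d, const uint8_t *src, size_t len)
{
    uint8_t *buf = malloc(len);
    d->live_allocs++;
    memcpy(buf, src, len);       /* "use" */
    free(buf);
    d->live_allocs--;
}

/* Asynchronous handler: malloc, use, schedule the free 1 ms later.
 * Deliberate flaw for illustration: a second request overwrites d->pending
 * and re-arms the timer, so the earlier buffer is never freed. */
static void handle_request_async(ToyDev *d, const uint8_t *src, size_t len)
{
    uint8_t *buf = malloc(len);
    d->live_allocs++;
    memcpy(buf, src, len);
    d->pending = buf;            /* previous pending pointer is lost here */
    timer_mod_ns(&d->completion, vclock_ns + 1000000);
}

static void toydev_init(ToyDev *d)
{
    memset(d, 0, sizeof *d);
    d->completion.cb = completion_cb;
    d->completion.opaque = d;
}

/* The guest issues n requests back to back (10 ns apart, so the 1 ms timer
 * never fires in between), then lets the clock run. Returns the number of
 * buffers still allocated: 0 on the sync path, n-1 on the async path. The
 * leaked buffers are left leaked on purpose; they are the malloc primitive. */
static size_t run_scenario(int use_async, int n)
{
    ToyDev d;
    uint8_t req[64] = "constructed request payload";   /* constructed input */
    toydev_init(&d);
    for (int i = 0; i < n; i++) {
        if (use_async) handle_request_async(&d, req, sizeof req);
        else           handle_request_sync(&d, req, sizeof req);
        clock_advance(&d.completion, 10);
    }
    clock_advance(&d.completion, 2000000);   /* now the completion timer fires */
    return d.live_allocs;
}

int main(void)
{
    printf("sync:  %zu buffers left\n", run_scenario(0, 3));
    printf("async: %zu buffers left\n", run_scenario(1, 3));
    return 0;
}
```

The check a practitioner would apply to a real device is the same as the toy's `live_allocs` counter: count allocations whose release is owned by a timer callback, and look for any guest-triggerable path that re-arms or replaces that callback's state while a release is still pending.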

This is the first public virtual machine escape exploit targeting the virtio-crypto device (a full 0-day). Combining Timekiller with structures in the virtio-crypto device, we can exploit most heap overflow write vulnerabilities in QEMU.

Masters Student

Zhejiang University

Yongkang Jia is a master's student at Zhejiang University, China, under the supervision of Chunming Wu. He is going to be a security researcher at Singular Security Lab. He is a member of the AAA CTF Team. He also plays DEFCON CTF as a member of Katzebin. His research focuses on System Security, especially Virtualization Security. He has reported several vulnerabilities in KVM and QEMU, which were confirmed and credited in multiple advisories.

Masters Student

Zhejiang University

Xiao Lei is a master's student at Zhejiang University, China, under the supervision of Chunming Wu. He is a member of the AAA CTF Team. He also plays DEFCON CTF as a member of Katzebin. His research focuses on System Security, especially Virtualization Security.

Student

Zhejiang University

Yiming Tao received a B.S. degree in software engineering from the University of Electronic Science and Technology of China, Chengdu, China, in 2022 and is now a postgraduate student in Cyberspace Security at Zhejiang University, Hangzhou, China.

PhD Student

Zhejiang University

Gaoning Pan is a PhD student at Zhejiang University, China, under the supervision of Chunming Wu. He is a member of the AAA CTF Team. He also plays CTFs as a member of A*0*E. His research focuses on System Security, especially Virtualization Security. He has reported several vulnerabilities in KVM, QEMU and VirtualBox, which were confirmed and credited in multiple advisories. He has published several papers in top-tier academic conferences, including ACM CCS and USENIX Security. His representative work V-Shuttle won the ACM CCS 2021 best paper award. He was also nominated for the 2022 Pwnie Award for Most Innovative Research.

Professor

Zhejiang University

Chunming Wu is a professor and doctoral supervisor in the College of Computer Science and Technology, Zhejiang University. His current research interests include Software-Defined Networking (SDN), reconfigurable networks, data center networks, network virtualization, SDN and cloud security, proactive network defense, intelligent cloud networks, and the architecture of the next-generation Internet. He has published more than 90 papers in international journals, magazines and conferences, e.g., IEEE/ACM Transactions on Networking (ToN), IEEE Communications Magazine, Computer Networks, Journal of Network and Computer Applications, INFOCOM, Open Networking Summit (ONS), ICC, IET Electronics Letters, IET Proc. Communications, GLOBECOM, etc. In 2004, the Chinese Government honored him with the first prize of the National Scientific and Technological Progress Award. In 2014, for significant research achievements in reconfigurable networks, the Chinese Government honored him with the second prize of the National Scientific and Technological Progress Award.