{"id":10681,"date":"2022-07-08T02:30:47","date_gmt":"2022-07-08T02:30:47","guid":{"rendered":"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/?post_type=session&p=10681"},"modified":"2024-09-03T02:25:00","modified_gmt":"2024-09-03T02:25:00","slug":"dragon-slaying-guide-bug-hunting-in-vmware-device-virtualization","status":"publish","type":"session","link":"https:\/\/conference.hitb.org\/hitbsecconf2024bkk\/session\/dragon-slaying-guide-bug-hunting-in-vmware-device-virtualization\/","title":{"rendered":"Dragon Slaying Guide: Bug Hunting In VMware Device Virtualization"},"content":{"rendered":"
\n

PRESENTATION SLIDES<\/a><\/strong><\/p>\n

VMware Workstation\/ESXi is one of the most popular commercial virtualization software on the market. Its complex virtualization system design and critical position in infrastructure have made it a top target for hackers over the long term. For security researchers, discovering virtualization escape vulnerabilities in the VMware hypervisor is as challenging as confronting a dragon in a role-playing game.<\/p>\n

In this presentation, we will unveil a new attack surface: Device Virtualization in VMKernel.<\/strong> This is an unknown territory that has not been explored by security researchers to date. Furthermore, this attack perspective has not been considered in VMware’s defense system, and its existing sandbox mechanisms are theoretically incapable of defending against attacks initiated from VMKernel.\u00a0<\/strong><\/p>\n

During the analysis of this attack surface and reverse engineering of the VMware Hypervisor, we discovered 8 vulnerabilities related to device virtualization, 3 of them have been assigned CVE number (some vulnerabilities have even been successfully exploited in Tianfu Cup), and the remaining 5 of our vulnerabilities have been officially confirmed by VMware.<\/strong><\/p>\n

About how we discover the attack surface of VMKernel and find 8 unknown vulnerabilities, we will progressively explain from three parts:<\/p>\n