Bug Hunting in Hypervisors

4800€ | 12th to the 15th of October 2026

Hypervisors are complex software that play a critical role in modern infrastructure, but like any software, they are not immune to flaws that can be exploited by sophisticated attackers. This training dives into the technical depths of virtualization technologies and explores the flaws leading to virtual machine (VM) escapes. During this training, you will sharpen your skills on multiple platforms, from the initial analysis of a target to exploiting real-world vulnerabilities.

The course explores the attack surfaces hypervisors expose to their guests, both statically and dynamically. By breaking down how virtual machines communicate with hypervisors and their internal components, participants will learn to apply their existing vulnerability research and exploitation skills to any virtualization software. The training also provides detailed insights for each studied target, including their architectures, typical vulnerabilities, and guidance for effective bug hunting.

This course is ideal for security researchers and vulnerability analysts who are already familiar with low-level systems programming and common exploitation techniques but are new to hypervisor internals. By the end of the training, participants will have a solid foundation in virtualization attack surfaces and vulnerability research as well as the ability to craft proof-of-concept exploits targeting hypervisors.

The course is designed to be given over 4 days of 7 hours each.


Objectives of the training

Understanding hypervisor internals, components and architectures

Tools and techniques to effectively perform bug hunting on virtualization software

Methodology for navigating hypervisor code bases, both open and closed source

Analyze and practice with real-world vulnerabilities in QEMU/KVM, VirtualBox, VMware Workstation and ESXi

The trainer

Who will run this training?

Corentin Bayet


Corentin Bayet is the CTO of REverse Tactics and a seasoned security researcher with over 8 years of experience in vulnerability research and exploitation.
His expertise lies in low-level technologies, including operating systems, kernels, and hypervisors. Corentin has publicly demonstrated multiple VM escapes at high-profile events like Pwn2Own (2020, 2024, 2025), showcasing his advanced skills in hypervisor security. He has also delivered impactful talks on bug hunting in virtualization at renowned conferences such as EkoParty 2020, GreHack 2023 and OffensiveCon 2025.

Bruno Pujos


Bruno Pujos is the CEO and founder of REverse Tactics, bringing over 10 years of experience as a security researcher specializing in low-level systems and virtualization technologies.
He has publicly demonstrated his expertise by achieving multiple VM escapes and privilege escalations on Windows at Pwn2Own 2020, 2022 and 2024.
Bruno is also an experienced trainer, having delivered advanced courses on reverse-engineering and bug hunting, including sessions focused on firmware and UEFI BIOS reverse engineering.

Syllabus

What will we do?

Prerequisites and Requirements

Knowledge Prerequisites

  • Basic programming skills in C and Python
  • Familiarity with low-level computer behavior:
    • Userland vs Kernel execution
    • Basic x86 processor architecture
  • Knowledge of reverse-engineering concepts and techniques
  • Understanding and experience of common C vulnerabilities and exploitation techniques:
    • Buffer overflows, use-after-free (UAF), race conditions, uninitialized variables
    • ROP, heap massaging, ASLR bypass…

Technical Requirements

  • A computer capable of running VMware Workstation Pro. It is free and downloadable from the Broadcom website.

    • We are going to use nested virtualization with multiple different hypervisors, which will work only on VMware Workstation.
    • The processor of the computer must be an Intel or AMD x86 CPU supporting VT-x or AMD-V. iMacs based on ARM chips will not work.
    • A Linux host is preferred. If the host is Windows, Hyper-V must be disabled during the training.
    • Trainees must have administrator privileges on their computer.
  • Hex-Rays IDA with the x64 decompiler.

    • The IDA Free version is enough.
    • IDA Pro with the ARM decompiler and scripting capabilities is preferred.
  • Your favorite code editor

Covered Subjects

1. Hypervisor basics

The main foundational concepts of hypervisors and their role in virtualization will be introduced:

  • The definition and purpose of a hypervisor.
  • Core architecture and components.
  • x86 hardware-assisted virtualization:
    • VT-x/AMD-V.
    • EPT/SLAT.
  • The necessity of device emulation and para-virtualization in providing hardware to the guest.

2. Interacting with the hypervisor

Students will learn how virtual machines communicate with hypervisors and how to replicate these interactions for bug hunting:

  • Mechanisms for triggering guest-host interactions via MMIO, PMIO, and DMA.
  • Using PCI/PCIe interfaces to communicate with specific emulated or para-virtualized devices.
  • Tools and techniques for scripting guest-hypervisor communications.

3. Navigating and understanding the code base

Participants will learn to effectively navigate both open-source and proprietary hypervisor codebases:

  • Exploration of the architectural layouts of QEMU/KVM, VirtualBox, VMware Workstation, and ESXi.
  • Techniques for pinpointing areas of interest, such as memory mapping functions, device initialization, and handlers.
  • Leveraging reverse engineering tools and methods to analyze complex, closed-source code.
  • Reviewing strategies for locating documentation and resources to help symbolize closed-source code and understand internals.

4. Bug Hunting

Trainers will outline a structured approach to identifying and exploiting vulnerabilities in hypervisors:

  • Identifying common attack surfaces.
  • Recognizing bug types specific to virtualization.
  • Tools and strategies for debugging hypervisors.
  • Exploring fuzzing challenges and possible solutions.
  • Rediscovering and exploiting n-day vulnerabilities as practical training for real-world bug hunting.

Main Assignments

Assignments are divided into several steps and integrated throughout each day of training. Each day focuses on a different hypervisor to demonstrate the concepts covered. For each target, students will have the opportunity to analyze and exploit at least one real-world n-day vulnerability that impacted the hypervisor.

Agenda

Day 1: Explore Device Emulation on QEMU/KVM

In this assignment, participants will explore the details of QEMU’s device emulation to uncover potential vulnerabilities. The focus is on understanding and interacting with the hypervisor’s behavior through the guest system and analyzing how I/O operations are managed.
Throughout the day, participants will explore common communication patterns and device interactions, and develop the skills needed to pinpoint their first vulnerabilities in a crafted emulated device.
In the final stage of this assignment, students will extend their knowledge to identify and trigger a real-world vulnerability that affected a previous version of QEMU.

Day 2: VirtualBox Code Navigation and Exploit Development

This assignment introduces VirtualBox as a target for exploitation. Participants will explore aspects of VirtualBox’s I/O handling and device emulation to identify vulnerabilities. Throughout the day, participants will work with VirtualBox’s codebase, learning how to systematically navigate and analyze the architecture of an open-source hypervisor.
By applying learned methodologies, they will analyze memory mapping operations, locate potential bugs, and develop a proof-of-concept exploit for a selected vulnerability. The focus is on understanding typical bugs in hypervisors and how to approach them systematically.

Day 3 & 4: Reverse & Bug Hunting in VMware

In the first part of the assignment, participants will reverse engineer components of VMware’s closed-source hypervisors. They will map critical functions related to memory management and I/O handling. The assignment aims to provide insights into finding vulnerabilities in a closed-source environment, teaching participants to map code paths and identify areas prone to bugs or exploitation. Students will receive pre-symbolized IDA databases to assist in navigating the code.

The last part of the assignment brings together all skills developed during the training. Participants will analyze both VMware ESXi and Workstation to identify n-day vulnerabilities and attempt to develop proof-of-concept exploits. This exercise involves understanding the architectural differences between ESXi and Workstation, identifying attack surfaces, and crafting targeted exploits.
