Paper: Adventures with a certain Xen vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Invisible Things Lab is proud to present:
"Adventures with a certain Xen vulnerability (in the PVFB backend)"
by
Rafal Wojtczuk
***
Starring
Xen 3.2.0, DomU (an ordinary virtual machine, paravirtualized),
Dom0 (privileged administrative domain) running on FC8 with NX,
ASLR and SELinux enabled, The Evil Hacker, and a certain vulnerability
in the Frame Buffer backend.
Plot
The Evil Hacker escapes from DomU and gets into Dom0. Using clever
ret-into-libc technique he succeeds with his attack on x86 architecture,
despite the NX and ASLR deployed in Dom0 OS (Fedora Core 8). The Evil
Hacker is also not discouraged by the fact that the target
OS has SELinux protection enabled - he demonstrates how the particular
SELinux policy for Xen, used by default on FC8, can be bypassed.
Ultimately he gets full root access in Dom0. Rafal also discusses
variation of the exploitation on x86_64 architecture - he partially
succeeds, but his x64 exploit doesn't work in certain circumstances.
***
Curious individuals can get the full paper here:
http://invisiblethingslab.com/pub/xenfb-adventures-10.pdf
***
This paper is one of the outcomes of a broader research into Xen and
virtualization security sponsored by Phoenix Technologies.
***
This paper is also a teaser for our upcoming Virtualization Security
Training, that is scheduled for Spring 2009. Stay tuned for more
details.
***
Sincerely,
Joanna Rutkowska
CEO (and Head of PR:)
Invisible Things Lab
http://invisiblethingslab.com/
-----BEGIN PGP SIGNATURE-----
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iEYEARECAAYFAkj18oYACgkQORdkotfEW86VCACgzEeW02yuFASNluRDAiIw7w9H
OzQAn0FUVLHrTIJQeTKPrhwnrOBpthmj
=jafU
-----END PGP SIGNATURE-----