Скачать или смотреть #HITB2016AMS

The Xen is a widely used virtualization platform powering some of the largest clouds in production today.

For the purpose of cloud platform security reinforcement, our team have looked into the implementation of Xen hypervisor and found a series of highly critical vulnerabilities that could be used to exploit the host machine. For example, the XSA-148/CVE-2015-7825, a 7 year old bug disclosed by our team two months ago, is one of the worst vulnerabilities ever hit to the Xen Project.

This presentation will center around the Xen hypervisor and exploitation technologies and covers the following topics:

1. The story of the awesome XSA-148/CVE-2015-7825 Xen vulnerability.

2. Xen Hypervisor internals – In this section, we will dive deep into the hypervisor and talk about a mass of runtime details which have not been previously disclosed.

3. Exploitation vectors in Xen environment – After exploring the Xen implemention, we will look into the various Xen exploitation vectors and how to bypass Xen security machanisms

4. VM Escape and Dom0/DomN r00t shell in reality – At last, we will expand on the XSA-148 exploitation technique and show root shells of the host machine and other guest virtual machines. XSA-148 exploitation is a well-chosen generic exploitation method and could be directly used in any other vulnerabilities like XSA-148 to perform VM escape.

With the exception of the XSA-148 vulnerability itself, all other contents have never been published before. These details could help researchers start their virtualization security research work and also help cloud services providers enhance their products’ security or detect VM escape attacks.

======

Shangcong Luan is a security researcher with the Cloud Platform Security Team of Alibaba Inc. who has found a series of security vulnerabilities in various kinds of systems and has worked mainly work in the field of APT defense. He now focuses on the security of virtualization and sandbox platforms. At Alibaba, Shangcong and his team have published several research papers on platform attack recognition, interception and security enhancements. He has also been involved in research on weakness reduction policy and in finding critical vulnerabilities in open source projects.