Breaking virtualization

by any means

Jonathan Brossard

CEO – Toucan System

[email protected]

Who am I ?

Security Research Engineer. Focus on low level bugs, RCE, code/binary auditing.

CEO of Toucan System (French Startup).

Previous research :

Getting in touch :


Virtualization : big picture

Attack surface analysis

Shared Guest OS Isolation

Attacking the host

Privileges escalation

Virtualization : big picture

Market shares



Virtualization : market shares

Source : Forrester Research 2009

78% of companies have production servers virtualized.

20% only have virtualized servers.

Virtualization : market shares

Source : Forrester Research 2009

VMWare is present in 98% of the companies.

Microsoft virtualization products are used by 17%.

Citrix/Xen is used by 10%.

In a nutshell...

-As widespread as Apache or Bind

-Proprierary software, very few builds

(= reliable exploitation)

-You don't need a « remote » exploit : you buy a shell at the same hosting provider.


Virtualization : Definitions


Virtualization is the name given to the simulation with higher level components, of lower level components.

NOTE: Virtualization of applications (as opposed to full Oses) is out of topic.

Virtualization : Definitions

Virtual Machine

A virtual machine (VM) is : "an efficient, isolated duplicate of a real machine".

--Gerald J. Popek and Robert P. Goldberg (1974). "Formal Requirements for Virtualizable Third Generation Architectures", Communications of the ACM.


-Cost reduction (shared hosting)

-Scalability (cloud computing)

-Run broken (old) applications

Attack surface analysis

Previous research

Privilege escalation on a


CVE-2009-2267 « Mishandled exception on page fault in VMware » Tavis Ormandy and Julien Tinnes

Privilege escalation on the


VMware Tools HGFS Local Privilege Escalation Vulnerability



Attacking other guests

Vmare workstation guest isolation weaknesses (clipboard transfer)


DoS (Host + Guests)

CVE-2007-4591 CVE-2007-4593 (bad ioctls crashing the Host+Guests)

Escape to host

Rafal Wojtczuk (Invisible things, BHUS 2008)

IDEFENSE VMware Workstation Shared Folders Directory Traversal Vulnerability (CVE-2007-1744)

Time for action

Shared Guest OS Isolation

Rebooting an alternate operating system

-Overwrite the MBR directly with autonomous offensive code

-Instrument the MBR


-Break boot passwords

-Attack disk encryption

-(Bootkiting, backdooring...)

Boot sequence overview

BIOS internals for keyboard management

Bruteforcing Passwords










I/O Port

































































































































































Attacking the hypervisor or host OS

Attacking the hypervisor or host OS

-VM 86 fuzzing

-ioports fuzzing

-pci fuzzing

Switching to virtual 8086


- Swith to VM 86 using :


#define __NR_vm86old

#define __NR_vm86


-Use old school 16b interrupts to fuzz the hardware

-Note : It's (kernel) emulated. Good news ! We can use it with x64 too :)


Mov ah, 0x42 ; read sector from drive Mov ch, 0x01 ; Track

Mov cl, 0x02 ; Sector Mov dh, 0x03 ; Head

Mov dl, 0x80 ; Drive (here first HD) Mov bx, offset buff ; es:bx is destination

Int 0x13 ; hard disk operation

Vm86 fuzzing under x64

Switching to virtual 8086


Limitation : Hardware unknown at BIOS Post time can't be fuzzed this way.

=> We need complementary techniques to be exhaustive.

Other techniques

-PCI fuzzing (fuzzing hot plug devices)

-Ioports fuzzing : interract with any hardware.