AOH :: HP Unsorted A :: VA1574.HTM

Adventures with a certain Xen vulnerability
Paper: Adventures with a certain Xen vulnerability
Paper: Adventures with a certain Xen vulnerability

Hash: SHA1

	       Invisible Things Lab is proud to present:

  "Adventures with a certain Xen vulnerability (in the PVFB backend)"


			     Rafal Wojtczuk



Xen  3.2.0,  DomU  (an	ordinary  virtual   machine,   paravirtualized),
Dom0  (privileged  administrative  domain)  running  on  FC8  with   NX,
ASLR and SELinux enabled, The Evil Hacker, and a  certain  vulnerability
in  the Frame Buffer backend.


The Evil Hacker escapes from DomU and  gets  into  Dom0.   Using  clever
ret-into-libc technique he succeeds with his attack on x86 architecture,
despite the NX and ASLR deployed in Dom0 OS (Fedora Core 8).   The  Evil
Hacker	is  also  not  discouraged  by	the   fact   that   the   target
OS has SELinux protection enabled - he demonstrates how  the  particular
SELinux policy for Xen,  used  by  default  on	FC8,  can  be  bypassed.
Ultimately he gets full root  access  in  Dom0.   Rafal  also  discusses
variation of the exploitation on  x86_64  architecture	-  he  partially
succeeds, but his x64 exploit doesn't  work  in  certain  circumstances.


Curious individuals can get the full paper here: 


This paper is one of the outcomes of a broader	research  into	Xen  and
virtualization	 security    sponsored	  by	Phoenix    Technologies.


This paper is also a teaser for  our  upcoming	Virtualization	Security
Training, that is scheduled  for  Spring  2009.   Stay	tuned  for  more



Joanna Rutkowska
CEO (and Head of PR:)
Invisible Things Lab 

Comment: Using GnuPG with Mozilla - 


The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH
We do not send spam. If you have received spam bearing an email address, please forward it with full headers to