mailing list archives
Paper: Adventures with a certain Xen vulnerability
From: Joanna Rutkowska <joanna () invisiblethingslab com>
Date: Wed, 15 Oct 2008 15:21:57 +0200
-----BEGIN PGP SIGNED MESSAGE-----
Invisible Things Lab is proud to present:
"Adventures with a certain Xen vulnerability (in the PVFB backend)"
Xen 3.2.0, DomU (an ordinary virtual machine, paravirtualized),
Dom0 (privileged administrative domain) running on FC8 with NX,
ASLR and SELinux enabled, The Evil Hacker, and a certain vulnerability
in the Frame Buffer backend.
The Evil Hacker escapes from DomU and gets into Dom0. Using clever
ret-into-libc technique he succeeds with his attack on x86 architecture,
despite the NX and ASLR deployed in Dom0 OS (Fedora Core 8). The Evil
Hacker is also not discouraged by the fact that the target
OS has SELinux protection enabled - he demonstrates how the particular
SELinux policy for Xen, used by default on FC8, can be bypassed.
Ultimately he gets full root access in Dom0. Rafal also discusses
variation of the exploitation on x86_64 architecture - he partially
succeeds, but his x64 exploit doesn't work in certain circumstances.
Curious individuals can get the full paper here:
This paper is one of the outcomes of a broader research into Xen and
virtualization security sponsored by Phoenix Technologies.
This paper is also a teaser for our upcoming Virtualization Security
Training, that is scheduled for Spring 2009. Stay tuned for more
CEO (and Head of PR:)
Invisible Things Lab
-----BEGIN PGP SIGNATURE-----
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----
Dailydave mailing list
Dailydave () lists immunitysec com
- Paper: Adventures with a certain Xen vulnerability Joanna Rutkowska (Oct 15)