CanSecWest 2022

When a hypervisor handles MMIO VM-exit to do DMA transfers, another MMIO handler might be called later if the destination overlaps with its MMIO region. This kind of bug can damage the virtual device’s state machine even crash the hypervisor. However, little effort has been spent to study whether they are critical security issues – Are they exploitable?

In this talk, we will present our security research on QEMU/KVM, a hypervisor widely used in cloud computing, and analyze the root cause and common consequences of recursive MMIO, thus disclosing a new attack surface. Interestingly, we found Oracle VirtualBox is also affected. To facilitate the hunting and exploiting process, we use CodeQL to find flaws and exploit primitives automatically. We will explain the CodeQL queries and some vulnerabilities we found.

Additionally, we will share the details of our exploit development on a recursive MMIO vulnerability (CVE-2021-3929), and demonstrate a VM escape in the end. Furthermore, we find that recursions can happen between different devices, which brings more possibilities to exploit the hypervisor. As far as we know, this is the first public guest-to-host exploit by constructing recursive MMIO chains.

Finally, we will give some thoughts about mitigations and the lessons we’ve learned.