CanSecWest 2022 has ended
Friday, May 20 • 15:30 - 16:30
Matryoshka Trap: Recursive MMIO Flaws Lead to VM Escape


When a hypervisor handles an MMIO VM exit that starts a DMA transfer, the DMA goes through the hypervisor's own address-space write path, so if the guest-chosen destination overlaps an MMIO region, another MMIO handler is invoked from inside the first one. Bugs of this kind can corrupt a virtual device's state machine or even crash the hypervisor. However, little effort has been spent on studying whether they are critical security issues: are they exploitable?
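
The mechanism in the abstract, as an added illustration that is not code from the talk, from QEMU or from VirtualBox: a toy hypervisor with one DMA-capable device whose MMIO write handler starts a DMA; every DMA word is written through the machine's guest-physical write path, so a guest that aims the destination at the device's own MMIO window re-enters the handler mid-transfer and rewrites its registers. The same model with a per-device re-entrancy flag (the general shape of mitigation, assumed here rather than taken from the talk) rejects the nested call. The address map, register layout, function names and the sample guest data are all constructed for this example.

```c
/* Toy hypervisor device model for recursive MMIO (example, not QEMU code). */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RAM_SIZE   0x1000
#define MMIO_BASE  0x2000
#define MMIO_SIZE  0x10
#define REG_SRC    0x0   /* DMA source GPA (assumed register layout) */
#define REG_DST    0x4   /* DMA destination GPA, guest-chosen */
#define REG_START  0x8   /* any write starts a DMA of DMA_LEN bytes */
#define DMA_LEN    8

struct dev {
    uint32_t src, dst;
    bool busy;           /* state machine: a transfer is in flight */
    bool in_handler;     /* re-entrancy guard flag */
    bool guard_enabled;  /* false = vulnerable model, true = hardened model */
    int depth, max_depth, reentered, rejected;
};

struct machine {
    uint8_t ram[RAM_SIZE];
    struct dev d;
};

struct outcome { int max_depth, reentered, rejected; uint32_t ram_0x200; };

static void dev_mmio_write(struct machine *m, uint32_t off, uint32_t val);

/* Guest-physical write: dispatches to RAM or to the device's MMIO handler,
 * the role address_space_write() plays in a real hypervisor. */
static void phys_write(struct machine *m, uint32_t gpa, uint32_t val)
{
    if (gpa + 4 <= RAM_SIZE)
        memcpy(&m->ram[gpa], &val, 4);
    else if (gpa >= MMIO_BASE && gpa + 4 <= MMIO_BASE + MMIO_SIZE)
        dev_mmio_write(m, gpa - MMIO_BASE, val);
    /* anything else is unmapped and dropped */
}

static uint32_t ram_read32(const struct machine *m, uint32_t gpa)
{
    uint32_t w = 0;
    if (gpa + 4 <= RAM_SIZE) memcpy(&w, &m->ram[gpa], 4);
    return w;
}

/* DMA engine: copies DMA_LEN bytes word by word through phys_write(), so a
 * destination inside the MMIO window calls back into dev_mmio_write(). */
static void dev_do_dma(struct machine *m)
{
    struct dev *d = &m->d;
    uint32_t src = d->src, dst = d->dst;
    if (d->busy) d->reentered++;   /* transfer started while one is in flight */
    d->busy = true;
    for (uint32_t i = 0; i < DMA_LEN; i += 4)
        phys_write(m, dst + i, ram_read32(m, src + i));
    d->busy = false;
}

static void dev_mmio_write(struct machine *m, uint32_t off, uint32_t val)
{
    struct dev *d = &m->d;
    if (d->guard_enabled && d->in_handler) { d->rejected++; return; }
    d->in_handler = true;
    if (++d->depth > d->max_depth) d->max_depth = d->depth;
    switch (off) {
    case REG_SRC:   d->src = val; break;
    case REG_DST:   d->dst = val; break;
    case REG_START: dev_do_dma(m); break;
    default: break;
    }
    d->depth--;
    d->in_handler = false;
}

/* Guest-side sequence (constructed sample): the DMA source buffer holds the
 * value that will overwrite REG_DST mid-transfer, then a word that lands on
 * REG_START and kicks a second, nested transfer to the new destination. */
static struct outcome run_attack(bool guard_enabled)
{
    static struct machine m;
    memset(&m, 0, sizeof m);
    m.d.guard_enabled = guard_enabled;
    uint32_t w0 = 0x200, w1 = 0x41414141;
    memcpy(&m.ram[0x100], &w0, 4);
    memcpy(&m.ram[0x104], &w1, 4);
    phys_write(&m, MMIO_BASE + REG_SRC, 0x100);
    phys_write(&m, MMIO_BASE + REG_DST, MMIO_BASE + REG_DST); /* aim at own registers */
    phys_write(&m, MMIO_BASE + REG_START, 1);
    struct outcome o = { m.d.max_depth, m.d.reentered, m.d.rejected,
                         ram_read32(&m, 0x200) };
    return o;
}

int main(void)
{
    struct outcome v = run_attack(false), h = run_attack(true);
    printf("vulnerable: depth=%d reentered=%d ram[0x200]=%#x\n",
           v.max_depth, v.reentered, v.ram_0x200);
    printf("guarded:    depth=%d rejected=%d ram[0x200]=%#x\n",
           h.max_depth, h.rejected, h.ram_0x200);
    return 0;
}
```

In the vulnerable run the handler nests to depth 2, a second transfer starts while `busy` is already set, and the nested DMA lands at RAM 0x200, an address that came out of guest memory rather than from the register the guest was allowed to program. With the guard, both nested writes are refused and nothing outside the intended window changes.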

In this talk, we will present our security research on QEMU/KVM, a hypervisor widely used in cloud computing, and analyze the root cause and common consequences of recursive MMIO, disclosing a new attack surface. Interestingly, we found that Oracle VirtualBox is also affected. To speed up the hunting and exploitation process, we use CodeQL to find flaws and exploit primitives automatically. We will explain the CodeQL queries and some of the vulnerabilities we found.

Additionally, we will share the details of our exploit development for a recursive MMIO vulnerability (CVE-2021-3929) and demonstrate a VM escape at the end. Furthermore, we find that recursion can also happen between different devices, which opens up more ways to exploit the hypervisor. As far as we know, this is the first public guest-to-host exploit built from recursive MMIO chains.

Finally, we will give some thoughts about mitigations and the lessons we’ve learned.


Qiuhao Li

Graduate Student, Harbin Institute of Technology
Qiuhao Li (@QiuhaoLi) is a graduate student at Harbin Institute of Technology, supervised by professor Hui He. His main research areas are cloud security and fuzzing. He has reported multiple vulnerabilities to QEMU, Oracle VirtualBox, and Parallels Desktop...

Gaoning Pan

Ph.D. student, Zhejiang University
Gaoning Pan (@hades24495092) is a Ph.D. student at Zhejiang University, China, under the supervision of Chunming Wu. He is a member of the AAA CTF Team. His research focuses on System Security, especially Virtualization Security. He has reported several vulnerabilities in QEMU and Oracle VirtualBox, which were...

Friday May 20, 2022 15:30 - 16:30 PDT
Main CanSecWest Ballroom - Sheraton Wall Center 1000 Burrard St, Vancouver, BC V6Z 2R9