WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
xen-devel

[Xen-devel] Paper: Adventures with a certain Xen vulnerability

To: bugtraq@xxxxxxxxxxxxxxxxx, dailydave@xxxxxxxxxxxxxxxxxxxxx, xen-devel@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-devel] Paper: Adventures with a certain Xen vulnerability
From: Joanna Rutkowska <joanna@xxxxxxxxxxxxxxxxxxxxxx>
Date: Wed, 15 Oct 2008 15:21:57 +0200
Cc: Rafal Wojtczuk <rafal@xxxxxxxxxxxxxxxxxxxxxx>
Delivery-date: Wed, 15 Oct 2008 06:22:22 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-devel-request@lists.xensource.com?subject=help>
List-id: Xen developer discussion <xen-devel.lists.xensource.com>
List-post: <mailto:xen-devel@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe>
Openpgp: url=http://invisiblethingslab.com/joanna.asc
Organization: Invisible Things Lab
Sender: xen-devel-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Thunderbird 2.0.0.17 (Macintosh/20080914)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


               Invisible Things Lab is proud to present:


  "Adventures with a certain Xen vulnerability (in the PVFB backend)"

                                   by

                             Rafal Wojtczuk


                                  ***

                                Starring

Xen 3.2.0, DomU (an ordinary virtual machine, paravirtualized), Dom0
(privileged administrative domain) running on FC8 with NX, ASLR and
SELinux enabled, The Evil Hacker, and a certain vulnerability in the
Frame Buffer backend.

                                  Plot

The Evil Hacker escapes from DomU and gets into Dom0. Using a clever
ret-into-libc technique, he succeeds with his attack on the x86
architecture, despite the NX and ASLR deployed in the Dom0 OS (Fedora
Core 8). The Evil Hacker is also not discouraged by the fact that the
target OS has SELinux protection enabled - he demonstrates how the
particular SELinux policy for Xen, used by default on FC8, can be
bypassed. Ultimately he gets full root access in Dom0. Rafal also
discusses a variation of the exploitation on the x86_64 architecture -
he partially succeeds, but his x64 exploit doesn't work in certain
circumstances.

                                  ***

Curious individuals can get the full paper here:

http://invisiblethingslab.com/pub/xenfb-adventures-10.pdf

                                  ***

This paper is one of the outcomes of broader research into Xen and
virtualization security sponsored by Phoenix Technologies.

                                  ***

This paper is also a teaser for our upcoming Virtualization Security
Training, which is scheduled for Spring 2009. Stay tuned for more
details.

                                  ***

Sincerely,

Joanna Rutkowska
CEO (and Head of PR:)
Invisible Things Lab
http://invisiblethingslab.com/

-----BEGIN PGP SIGNATURE-----
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkj17nAACgkQORdkotfEW87AyACgmUTikRl2+tccYINOaGkLT+zJ
XbQAoKE0RVf9aQdlsrgc5kulIWLv5cdd
=AVVP
-----END PGP SIGNATURE-----

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
