KVM, the Linux Kernel Virtual Machine, seems destined to become the dominant open-source virtualization solution on Linux. Virtually every major Linux distribution has adopted it as their standard virtualization technology for the future. And yet, to date, remarkably little work has been done on exploiting vulnerabilities to break out of KVM.
We're here to fix that. We'll take a high-level look at KVM's architecture, comparing and contrasting with other virtualization systems and describing attack surfaces and possible weaknesses. Using the development of a fully-functioning exploit for a recent KVM vulnerability, we'll describe some of the difficulties involved with breaking out of a VM, as well as some features of KVM that are helpful to an exploit author.
Once we've explored the exploit in detail, we'll finish off with a demonstration against a live KVM instance.
Nelson Elhage is a kernel hacker for Ksplice, Inc., where he works on providing rebootless security updates for the Linux kernel. In his spare time, he mines for and occasionally exploits bugs in the Linux kernel and other pieces of open-source systems software