Virtualization technology is an increasingly common foundation on which platform security is built and clouds are secured. However, virtualization stacks are ultimately software, all software has vulnerabilities, and few things are more beautiful (or scary) than a guest-to-host exploit.
Research into this cutting-edge area is not only interesting, it is extremely profitable. Microsoft offers a bug bounty program with rewards up to $250,000 USD for vulnerabilities in Hyper-V. To make your bounty-hunting efforts easier, we will outline how Hyper-V works, with a focus on the information you, as a security researcher, need to find vulnerabilities. This will cover relevant details about the Hyper-V hypervisor and its supporting kernel-mode and user-mode components. We'll also show off some of the interesting vulnerabilities we've seen in Hyper-V and discuss what they would have fetched if they had been reported through the bounty.
Joe Bialek is a security engineer in the Microsoft Security Response Center's Vulnerability & Mitigations team. Joe spends his time finding and exploiting vulnerabilities in Microsoft products as well as evaluating real-world exploitation advancements and using this information to drive improvements in Microsoft's products.
Nicolas Joly is a security engineer at the MSRC in the UK. He has more than 10 years of experience in reverse engineering and vulnerability discovery, and is now focused on finding and exploiting bugs at Microsoft. Prior to this, he hunted bugs for bounties and won Pwn2Own several times with Vupen Security.