Daniel King, Shawn Denbow

Growing Hypervisor 0day with Hyperseed


Virtualization technology is progressively becoming the authority on which platform security is built and clouds are secured. Hyper-V, Microsoft's virtualization stack, is the backbone to Azure and held to a high security standard. Microsoft offers a bug bounty program with rewards up to $250,000 USD for vulnerabilities in Hyper-V. The hypervisor provides a calling mechanism for guests referred to as hypercalls. Not only could hypercalls offer an avenue for VM escapes, but with the introduction of virtualization-based security (VBS) hypercalls may be abused to bypass Virtual Secure Mode (VSM). In this presentation, we'll discuss our research into developing Hyperseed, our format-aware hypercall fuzzer. We'll dive into the hypercall interface detailing the classes of hypercalls Hyper-V supports, the design of hyperseed, and culminate with details on vulnerabilities we found in hypercall handlers.

In this talk we will briefly cover Hyper-V architecture and its attack surface to set the stage for the audience. Since this topic has been covered many times (i.e. A Dive in to Hyper-V architecture & Vulnerabilities by Joe Bialek & Nicolas Joly @ Blackhat 2018), we won’t spend for than 10 minutes on architecture. We’ll then cover our motivation for fuzzing hypercalls. Next we’ll dive into the hypercall interface. This will be a deep dive covering the technical details on establishing the hypercall interface, classes of hypercalls, inputs/outputs, restrictions, etc. We will then jump into the design of hyperseed, our format-aware fuzzer. This portion will cover everything from our mutation stack to “access checks” such as identity / privileges. We’ll discuss the difference between fuzzing from a guest partition vs. the root partition and some of issues we encountered. Finally, we’ll go over the details of vulnerabilities we found with hyperseed. This will include CVE-2018-8439 which is a guest->host RCE. We expect to be able to present on one guest->hypervisor DoS that is currently in-process of being serviced (expected in December).


Daniel (@long123king) is now MSRC Senior Security Engineer, he does hypervisor and kernel pen-test mainly by fuzzing, he invents small wheels related to security. Before Microsoft, he has served Tencent Keen Lab and Trend Micro, he has been in security industry for 6+ years. He won Pwn2Own 2016 Edge project, which made him member of “Master of Pwn”; He won MSRC Nano Server Bounty; He spoke at ZeroNights/Ruxcon/CodeBlue.

Shawn Denbow is a security engineer in Microsoft's Virtualization Security Team. His main interests are application security, reverse engineering and virtualization security. Before joining Microsoft, Shawn spent 4 years in the U.S. Air Force conducting cyber operations.