-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Invisible Things Lab is proud to present: "Adventures with a certain Xen vulnerability (in the PVFB backend)" by Rafal Wojtczuk *** Starring Xen 3.2.0, DomU (an ordinary virtual machine, paravirtualized), Dom0 (privileged administrative domain) running on FC8 with NX, ASLR and SELinux enabled, The Evil Hacker, and a certain vulnerability in the Frame Buffer backend. Plot The Evil Hacker escapes from DomU and gets into Dom0. Using clever ret-into-libc technique he succeeds with his attack on x86 architecture, despite the NX and ASLR deployed in Dom0 OS (Fedora Core 8). The Evil Hacker is also not discouraged by the fact that the target OS has SELinux protection enabled - he demonstrates how the particular SELinux policy for Xen, used by default on FC8, can be bypassed. Ultimately he gets full root access in Dom0. Rafal also discusses variation of the exploitation on x86_64 architecture - he partially succeeds, but his x64 exploit doesn't work in certain circumstances. *** Curious individuals can get the full paper here: http://invisiblethingslab.com/pub/xenfb-adventures-10.pdf *** This paper is one of the outcomes of a broader research into Xen and virtualization security sponsored by Phoenix Technologies. *** This paper is also a teaser for our upcoming Virtualization Security Training, that is scheduled for Spring 2009. Stay tuned for more details. *** Sincerely, Joanna Rutkowska CEO (and Head of PR:) Invisible Things Lab http://invisiblethingslab.com/ -----BEGIN PGP SIGNATURE----- Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAkj18oYACgkQORdkotfEW86VCACgzEeW02yuFASNluRDAiIw7w9H OzQAn0FUVLHrTIJQeTKPrhwnrOBpthmj =jafU -----END PGP SIGNATURE-----
